
Minutes: Grouper call of  Dec 17, 2013

Attending
Tom Barton, U. Chicago
Chris Hyzer, U. Penn
Dave Langenberg, U. Chicago
Shilen Patel, Duke
Steve Olshansky, Internet2
Emily Eisbruch, Internet2, scribe

New Action items

[AI] (Emily and SteveO) will work to make sure the website is clearer about
how to get the Grouper download. (DONE)

[AI] Chris will look at POST and GET parameter issues, identified as a flawed design pattern in the pen testing

[AI] (Chris) reply to MichaelG re the rules UI issue, asking Michael to put this in the community requests table (Done)
https://lists.internet2.edu/sympa/arc/grouper-users/2013-12/msg00031.html

[AI] (Dave) reply to Tim Darby re Active Directory provisioning question
https://lists.internet2.edu/sympa/arc/grouper-users/2013-12/msg00008.html

[AI] (Emily) work on moving Grouper Downloads page to the wiki (leaving a
pointer on the Grouper website)

Carry Over Action items

[AI] (Shilen) email the Grouper users list about import and export
approaches

[AI] (Shilen) email Jim and Chris about what calls are needed for CIFER
API for Duke's project

[AI] (DaveL) work on the PSP aspect of GRP 914.

[AI] (Andrew) let us know what emerges from the Apereo security notification process work.

DISCUSSION

Grouper Download issues

A concern was raised on the Grouper-Users list about downloading Grouper.
https://lists.internet2.edu/sympa/arc/grouper-users/2013-12/msg00033.html

[AI] (Emily) clarify the wording about where to get the Grouper download on the website. (DONE)

In addition, it was decided that the Grouper downloads information should be moved to the Grouper wiki, for easy editing by the developers.
The website will still contain pointers.  The actual software files will not be moved to the wiki, they will stay at software.internet2.edu

[AI] (Emily) work on moving Grouper Downloads page to the wiki (leaving a pointer on the Grouper website)

Pen Testing and Web Inspect Results (Chris)

Chris reviewed the HP web inspect report. Interesting issues:

Cross-Frame Scripting

Grouper is not using the X-Frame-Options header.
Background on Cross Frame Scripting:

Developers can use this header to instruct the browser about appropriate actions to perform if their site is included inside an iframe.

Dave warned that we should be careful before turning this on. Dave tried this on the Shib IdP.
The CMS team had put library resources within an iframe on the CMS, and when Shib did the frame busting using this method, it led to a crash.

The decision was not to use X-Frame-Options in Grouper.
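To show the trade-off behind this decision, here is an added example (not Grouper code, and not what the call agreed to ship): a small WSGI middleware that applies X-Frame-Options selectively, so that pages a partner site legitimately embeds in an iframe, as in the CMS case above, are not broken by a blanket frame-busting policy. The embeddable path, the demo app and the middleware are hypothetical.

```python
"""Added example, not part of Grouper: selective X-Frame-Options via WSGI.

SAMEORIGIN lets an application frame its own pages while refusing framing
by other origins (the cross-frame-scripting case). Pages that are meant to
be framed by a partner site get no header at all, because X-Frame-Options
has no reliable per-origin allow value.
"""

# Hypothetical: paths another site is allowed to embed in an iframe.
EMBEDDABLE_PATHS = frozenset({"/grouper/widget/library"})


def frame_options_for(path, embeddable=EMBEDDABLE_PATHS):
    """Return the X-Frame-Options value for a path, or None to send no header."""
    if path in embeddable:
        return None
    return "SAMEORIGIN"


class FrameOptionsMiddleware:
    """Wraps a WSGI app and sets X-Frame-Options on every response."""

    def __init__(self, app, embeddable=EMBEDDABLE_PATHS):
        self.app = app
        self.embeddable = embeddable

    def __call__(self, environ, start_response):
        value = frame_options_for(environ.get("PATH_INFO", "/"), self.embeddable)

        def patched_start_response(status, headers, exc_info=None):
            # Drop any copy the app set itself so this policy is authoritative.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            if value is not None:
                headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Hypothetical application that always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def response_headers(path):
    """Run one constructed request through the middleware; return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}  # constructed request
    body = FrameOptionsMiddleware(demo_app)(environ, start_response)
    list(body)  # consume the iterable as a WSGI server would
    return captured


if __name__ == "__main__":
    print(response_headers("/grouper/admin"))
    print(response_headers("/grouper/widget/library"))
```

The allowlist is what keeps the partner's iframe working; the header is still sent on every other page, so the cross-frame-scripting finding is addressed without a site-wide frame buster. For the case where a specific foreign origin must be allowed to frame a page, current browsers handle that with the Content-Security-Policy frame-ancestors directive rather than X-Frame-Options.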

POST and GET parameters

Chris plans to look at POST and GET params with regard to Cross-Site Request Forgery (CSRF).
Background: Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design pattern from a security standpoint. If a page accepts POST parameters as GET parameters an attacker would be able to effect change on websites through Cross-Site Request Forgery or leverage this design flaw with other vulnerabilities to attack the system hosting the web application.

[AI] Chris will look at POST and GET parameter issues, identified as a flawed design pattern in the pen testing
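The flaw described in the background note, shown as an added example (not Grouper code, and not Chris's planned fix): a request object that keeps query-string and body parameters in separate collections, a handler written in the collapsed style beside one that only honours state-changing input from the body of a POST, and constructed sample requests that show where they differ. The request shape, the handler and the sample values are hypothetical.

```python
"""Added example, not part of Grouper: why collapsing POST and GET
parameters into one collection matters for CSRF, and the separated form."""

from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    query_string: str = ""
    body: str = ""  # application/x-www-form-urlencoded
    # Parsed into two collections on purpose; they are never merged.
    query: dict = field(init=False)
    form: dict = field(init=False)

    def __post_init__(self):
        self.query = {k: v[-1] for k, v in parse_qs(self.query_string).items()}
        self.form = {k: v[-1] for k, v in parse_qs(self.body).items()}


def collapsed_params(req):
    """The flawed pattern: one collection, so the source of each value is lost."""
    merged = dict(req.query)
    merged.update(req.form)
    return merged


def add_member_flawed(req):
    """Accepts the parameters from either location and any method."""
    params = collapsed_params(req)
    if "group" in params and "subject" in params:
        return f"added {params['subject']} to {params['group']}"
    return "rejected"


def add_member_hardened(req):
    """State change only on POST, and only from body parameters."""
    if req.method != "POST":
        return "rejected: method"
    group = req.form.get("group")
    subject = req.form.get("subject")
    if not group or not subject:
        return "rejected: missing body parameters"
    return f"added {subject} to {group}"


# Constructed sample requests (hypothetical group and subject names).
SAMPLES = {
    "legit_post": Request("POST", body="group=admins&subject=alice"),
    "get_with_query": Request("GET", query_string="group=admins&subject=mallory"),
    "post_with_query": Request("POST", query_string="group=admins&subject=mallory"),
}


def run_samples():
    """Return (flawed result, hardened result) for each sample request."""
    return {name: (add_member_flawed(req), add_member_hardened(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(name, outcome)
```

The hardened handler rejects a plain link or image request carrying the parameters in the URL, which is the case the pen test report calls out. It does not by itself stop a cross-site form that POSTs a body; that still needs a per-session CSRF token checked in the body as well.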

Following Up on Issues on the Grouper-Users List

Rules UI

An email from CMU asked about a Rules UI. It makes sense to add the creation of the Rules UI to the Grouper UI Redesign page in the Community Requests table.
https://spaces.internet2.edu/display/Grouper/Grouper+UI+redesign+v2.2

[AI] (Chris) reply to MichaelG re the rules UI issue, asking Michael to put this in the community requests table (Done)
https://lists.internet2.edu/sympa/arc/grouper-users/2013-12/msg00031.html

AD Provisioning Question

Dave will follow up with U. Arizona on the AD Provisioning question.

[AI] (Dave) reply to Tim Darby re the Active Directory provisioning question
https://lists.internet2.edu/sympa/arc/grouper-users/2013-12/msg00008.html

Grouper v2.2

UI Work

Chris reports that work on new Grouper UI is coming along well.
Chris is waiting for Shilen to have the upgrade path for attributes before doing more builds.

Legacy Attribute Migration

Shilen reports that progress is being made on the legacy attribute migration.

Grouper SCIM Integration

https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+integration
Dave reports that work is in progress on the Grouper SCIM integration.