SSP v2.4.2 General Release Announcement
SSP v2.4.2 released August 20, 2014
Release Highlights
- 2.4.2 is a patch release to address bugs identified in the 2.4.0 and 2.4.1 releases.
- Fix for potential loss of courses on a MAP Plan when editing a Plan (this patch alone is very strong justification to upgrade to 2.4.2)
- Minor fixes for the Action Plan tool
- Corrected inaccurate Student Searches involved DOB
- Eliminated duplicate search server round trips
- Fix for security vulnerabilities in SSP-Platform deployments using CAS (no such deployments known at this writing)
Fresh Installation Instructions
See SSP v2.4.2 Installation Instructions
Upgrade Instructions
Upgrading Source Code Forks
See SSP Source Code Upgrade Process
Additional Upgrade Steps
- Complete previous upgrade steps
For all existing installations the published Release notes should be reviewed.
- To upgrade from 2.0.X follow the upgrade instructions for 2.1, 2.2, 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2
- To upgrade from 2.1.X follow the upgrade instructions for the 2.2, 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2
- To upgrade from 2.2.X follow the upgrade instructions for the 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2 code
It is critical to complete the steps described in the 2.4.0 release notes for any deployment not upgrading directly from 2.4.1 to 2.4.2
The SSP development team is not aware of any SSP deployments integrated with CAS, but this release includes two security-related patch sets specifically targeted at CAS integrations:
- SSP-2721 - Scrubs certain CAS-specific request parameters. Details of the changes and effects are detailed in the uPortal project. No work should be required to enable the patch, but you may want to review that document to better understand the CAS-related configuration changes included in this release.
- SSP-2724 - Works around what amounts to a CAS-specific session hijacking vulnerability. The uPortal project has not yet published the details of this patch, but the
<platform-src>/uportal-war/src/main/resources/properties/security.properties
file includes greatly expanded comments describing recommended configuration changes. You will likely want to review the changes to that file whether or not you use CAS. The new defaults may interfere with your existing authentication provider integrations, especially AD/LDAP. Details below.
Review security.properties
Changes
This release includes a large patch to <platform-src>/uportal-war/src/main/resources/properties/security.properties
for SSP-2724. These changes may result in merge conflicts, especially if you are already integrated with other authentication providers, e.g. AD/LDAP. For resolving merge conflicts in general, see SSP Source Code Upgrade Process. For this particular patch, understand that the primary goal was to change this:
principalToken.root=userName credentialToken.root=password
To this:
principalToken.root= credentialToken.root=
Once you're able to sort out the conflict so everything is as it was before, but with expanded comments and the unset of the "root" token config as shown above, you'll need to make sure your existing authentication provider configuration still works. In almost all SSP deployments this entails creating a token config pair for each configured LDAP security context. I.e. for every row in security.properties
of the form:
root.<suffix>=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
You will need a corresponding:
principalToken.root.<suffix>=userName credentialToken.root.<suffix>=password
For example, if your configuration currently includes:
root.ldap_student=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
Then you need to add the following:
principalToken.root.ldap=userName credentialToken.root.ldap=password principalToken.root.ldap_student=userName credentialToken.root.ldap_student=password
Review Maven settings.xml
Historically you might have configured a Maven repository "blacklist" in <USER_HOME>/.m2/settings.xml
to work around broken dependency downloads (ehcache especially). SSP-2634 should obviate such blacklisting, so if you haven't added it already, there should be no reason to do so. If you've already created a blacklist, it is entirely up to you whether or not to leave it in place.
v2.4.2 JIRA Issues
Bugs
- [SSP-2643] - Courses on MAP lost during edit
- [SSP-2654] - DOB search results incorrect before 01/01/1970
- [SSP-2660] - Print action plan button does not respond
- [SSP-2697] - Inactive CL appear in Action Plan custom task
- [SSP-2706] - Search API invoked twice when submitting search form
- [SSP-2721] - Integrate patched CAS filter
- [SSP-2723] - Student search column result sorting not working
- [SSP-2724] - Improved default security.properties configuration
Improvements and New Features
- [SSP-2634] - Integrate uPortal Maven dependency download fix