SSP v2.5.2 General Release Announcement
SSP v2.5.2 released August 21, 2014
The release is primarily a patch set for bugs identified in v2.5.1. Implementers are strongly encouraged to update to v2.5.2 to correct core functionality in Caseload and Search.
Release Highlights
- Fix for potential loss of courses on a MAP Plan when editing a Plan (this patch alone is very strong justification to upgrade to 2.5.2)
- Critical fixes for the Caseload and Search results
- Minor fixes for the Action Plan tool for inactive Confidentiality Level showing and Action Plan report failure
- Corrected inaccurate Student Searches involving DOB
- LTI integration functionality was added to the methods for integrating LMS implementations
- Workaround for corrupted Maven dependency downloads
- Fix for security vulnerabilities in SSP-Platform deployments using CAS (no such deployments known at this writing)
- New permissions to hide the Main Tool for certain users/groups
There are no external database schema changes in this release.
Fresh Installation Instructions
See SSP v2.5.2 Installation Instructions
Upgrade Instructions
Upgrading Source Code Forks
See SSP Source Code Upgrade Process
Additional Upgrade Steps
It is important to first follow the steps in the Release Notes for v2.5.1 when upgrading to v2.5.2.
The SSP development team is not aware of any SSP deployments integrated with CAS, but this release includes two security-related patch sets specifically targeted at CAS integrations:
- SSP-2721 - Scrubs certain CAS-specific request parameters. The changes and effects are detailed in the uPortal project. No work should be required to enable the patch, but you may want to review that document to better understand the CAS-related configuration changes included in this release.
- SSP-2724 - Works around what amounts to a CAS-specific session hijacking vulnerability. The changes and effects are detailed in the uPortal project and the <platform-src>/uportal-war/src/main/resources/properties/security.properties file includes greatly expanded comments describing recommended configuration changes. You will likely want to review the email thread and changes to that file whether or not you use CAS. The new defaults may interfere with your existing authentication provider integrations, especially AD/LDAP. SSP-specific details below.
1 - New permissions and functionality were created to remove the Main Tool from individual users or groups/roles.
The intent of this feature is to remove the display of protected information from users who should not have access. For example, the application can be configured such that faculty members who do not need to view academic history for any student will not have the Main Tool available in the UI. Instructions to manage the permissions are described in the User Guide. Before you'll be able to manage those permissions, though, you need to run the following command from within your SSP-Platform source code checkout (only necessary for an upgrade; fresh installs will execute this file automatically):
SSP_CONFIGDIR=/path/to/your/config/dir ant -Dmaven.test.skip=true -Ddir=uportal-war/src/main/data/ssp_entities/patches-SSP-2-5-2/SSP-2631 data-import
2 - Review CAS filter patch
SSP-2721 is a patch for implementers who integrate SSP with CAS for end user authentication. The changes and effects are detailed in the uPortal project. No work should be required to enable the patch, but you may want to review that document to better understand the CAS-related configuration changes included in this release. This patch was also included in SSP 2.4.2, so if you are upgrading from that version, you may already be familiar with this issue and it is particularly unlikely any additional work will be necessary.
3 - Review security.properties changes
SSP-2724 is also a patch for implementers who integrate SSP with CAS for end user authentication. The changes and effects are detailed in the uPortal project. This patch was also included in SSP 2.4.2, so if you are upgrading from or through that version, you may already be familiar with this issue and it is unlikely any additional work specific to 2.5.2 will be necessary.
If you have not already upgraded to/through 2.4.2, your installation will most likely be affected by significant changes to <platform-src>/uportal-war/src/main/resources/properties/security.properties
- Works around what amounts to a CAS-specific session hijacking vulnerability. The changes and effects are detailed in the SSP Source Code Upgrade Process. For this particular patch, understand that the primary goal in the uPortal project's patch was to change this:
principalToken.root=userName
credentialToken.root=password
To this:
principalToken.root=
credentialToken.root=
Once you're able to sort out the conflict so everything is as it was before, but with expanded comments and the unset of the "root" token config as shown above, you'll need to make sure your existing authentication provider configuration still works. In almost all SSP deployments this entails creating a token config pair for each configured LDAP security context. I.e., for every row in security.properties of the form:
root.<suffix>=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
You will need a corresponding:
principalToken.root.<suffix>=userName
credentialToken.root.<suffix>=password
For example, if your configuration currently includes:
root.ldap_student=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
Then you need to add the following:
principalToken.root.ldap=userName
credentialToken.root.ldap=password
principalToken.root.ldap_student=userName
credentialToken.root.ldap_student=password
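The rule above can be checked mechanically after resolving the merge conflict. The following is an added example, not part of the SSP or uPortal code base: it reports root-level tokens that are still set and LDAP security contexts that lack a token pair. The function names, the simplified .properties parsing and the sample input are assumptions made for illustration.

```python
# Added example: audit a security.properties for the SSP-2724 token layout.
LDAP_FACTORY = "org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory"
TOKEN_PREFIXES = ("principalToken", "credentialToken")

# Constructed sample input (not taken from a real deployment).
SAMPLE = """\
# root tokens: principalToken was never unset after the merge
principalToken.root=userName
credentialToken.root=
root.ldap=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
root.ldap_student=org.jasig.portal.security.provider.SimpleLdapSecurityContextFactory
principalToken.root.ldap=userName
credentialToken.root.ldap=password
principalToken.root.ldap_student=userName
"""


def parse_properties(text):
    """Simplified parser: key=value lines, '#' and '!' comments, last value wins.
    Line continuations and ':' separators are not handled (assumption)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_security_properties(text):
    """Return (key, problem) pairs; an empty list means the layout matches."""
    props = parse_properties(text)
    findings = []
    for prefix in TOKEN_PREFIXES:
        key = f"{prefix}.root"
        if props.get(key):
            findings.append((key, "still set at root; patched default is empty"))
    for context, factory in props.items():
        if context.startswith("root.") and factory == LDAP_FACTORY:
            for prefix in TOKEN_PREFIXES:
                key = f"{prefix}.{context}"
                if not props.get(key):
                    findings.append((key, f"missing for LDAP context {context}"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_security_properties(SAMPLE):
        print(f"{key}: {problem}")
```

To audit a real file, pass its contents to audit_security_properties in place of SAMPLE.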
4 - Review Maven settings.xml
Historically you might have configured a Maven repository "blacklist" in <USER_HOME>/.m2/settings.xml to work around broken dependency downloads (ehcache especially). SSP-2634 should obviate such blacklisting, so if you haven't added it already, there should be no reason to do so. If you've already created a blacklist, it is entirely up to you whether or not to leave it in place.
5 - Inbound SSO
If you are using SSP's now-legacy "Signed-URL" mechanism for inbound SSO, you will find that feature disabled unless you make two configuration changes.
In $SSP_CONFIGDIR/ssp-config.properties set ssp_platform_sso_ticket_service_shared_secret to a non-empty value. It does not need to be particularly complex. Something resembling an ATM PIN is fine.
Set that same value in $SSP_CONFIGDIR/ssp-platform-config.properties as environment.build.sso.local.sharedSecret
This configuration will also enable the SSP LTI Provider implementation, which as of 2.5.2 is now the preferred mechanism for point-to-point inbound SSO. Complete LTI configuration instructions are included in that feature's documentation.
If you are upgrading an environment, you should delete or change the passwords for the uPortal users created for demonstration purposes. This can be done through the user interface: Manage Users -> Find an Existing User -> [Enter user ID from list below] -> [Click result] -> Delete or Edit, then change password. Demo users:
- advisor0
- ken
- student0
- student1
This is only necessary for upgrades. A fresh 2.5.2 install will not create these users.
A fresh install should also either change the admin user's password or add some other user to the Portal Administrators group and delete the admin user.
v2.5.2 JIRA Issues
Bugs
- [SSP-2623] - Navigating to Early Alert tool decrements EA count in caseload/search results
- [SSP-2636] - STRENGTHS Permissions not implemented in UI
- [SSP-2648] - Caseload/Watch/Search navigation broken for users having access to search only
- [SSP-2650] - LTI Provider - Default timestamp expiry is too short
- [SSP-2651] - LTI Provider - Live launch error messages rendered in browser as raw HTML
- [SSP-2654] - DOB search results incorrect before 01/01/1970
- [SSP-2656] - Missing 'enter' keypress handlers on most search filter fields
- [SSP-2657] - DOB field validation doesn't prevent search execution
- [SSP-2660] - Print action plan button does not respond
- [SSP-2663] - Tools except Main Tool Do Not have currentPerson Loaded
- [SSP-2667] - person_filtered perms should not have access to Coaching History report
- [SSP-2668] - 404 error when school id not found in add student
- [SSP-2669] - Email coach link inactive for person_filtered perms
- [SSP-2670] - Exception Thrown On Instant Caseload Save
- [SSP-2671] - Instant Caseload Does not Initialize Tool
- [SSP-2672] - SearchPerson.js Model Potential Improper Update of Name
- [SSP-2673] - Tool Not removed if External Student Selected but not Assigned
- [SSP-2676] - Console error after adding a student via quick add
- [SSP-2677] - Email Student failure for person_filtered
- [SSP-2678] - Selected student header bar not populated after canceling Caseload Add/Edit form
- [SSP-2680] - LtiSspUserFieldNames.js loaded out of band
- [SSP-2686] - MAP plan edit locked
- [SSP-2687] - Caseload column-data alignment problem
- [SSP-2688] - Program Status Name not updated after Quick Add
- [SSP-2693] - Journal Steps are missing from the Student view
- [SSP-2694] - external person sync not completing
- [SSP-2695] - Liquibase for add refresh_mv_directory_person/blue on SQL Server
- [SSP-2697] - Inactive CL appear in Action Plan custom task
- [SSP-2698] - SSP portlets disabled if http://www.tuckey.org unavailable
- [SSP-2702] - Program status name not reflected in Main after student Quick Add
- [SSP-2703] - Search Results returns records with inactive associations
- [SSP-2704] - Hard-coded dbo schema references
- [SSP-2710] - Program status transitions error out with invalid subquery result
- [SSP-2712] - Bulk coach reassign errors out if more than one student selected
- [SSP-2713] - Add student not in external data via UI doesn't add to directory
- [SSP-2714] - Directory update triggers break on bulk writes to some tables
- [SSP-2716] - Coaching History doesn't work unless in Main
- [SSP-2718] - Directory search queries scroll entire result set to get result set size
- [SSP-2721] - Integrate patched CAS filter
- [SSP-2724] - Improved default security.properties configuration
- [SSP-2726] - Unit tests do not compile
Improvements and New Features
- [SSP-2428] - Liquibase error dropping default constraints on SQLServer 2012
- [SSP-2461] - LTI Provider - Expose Platform SSO Ticket Issuing Service in platform-java-api
- [SSP-2470] - LTI Provider - Expose Platform Permissions Lookup Service to non-portlet requests
- [SSP-2473] - LTI Provider - Allow Platform user lookup by schoolId
- [SSP-2474] - LTI Provider - Better end-user facing Early Alert portlet errors
- [SSP-2475] - LTI Provider - EA portlet roster selection via render param
- [SSP-2631] - Permissions-driven Main tool show/hide
- [SSP-2634] - Integrate uPortal Maven dependency download fix
- [SSP-2644] - Document LTI Provider
- [SSP-2647] - Document new permissions for hiding main tool
- [SSP-2649] - Display Early Alerts created by current user when submitting new Early Alert
- [SSP-2661] - Caseload "Quick Add" dialog should be modal
- [SSP-2679] - Mark nav and tool panels 'loading' while selected person record loads
- [SSP-2701] - Document SQLServer stored proc permissions config recommendations
- [SSP-2725] - Filter external-only students from bulk caseload reassign UI