Time Nick Message
16:04 pdurbin "The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications." https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
16:13 pdurbin semiosis: more on the scrambled session bug: https://docs.google.com/document/d/1jrTwlMAaE-O_pOBhjfvCq86VatuFzFxFKOkSAKcDWwE/edit?usp=sharing
17:17 semiosis pdurbin: why do you need apache? is there really no java solution for shibboleth?
17:22 pdurbin semiosis: this is the pure Java Shibboleth/SAML solution I tried last year: https://svn.softwareborsen.dk/oiosaml.java/sp/trunk/docs/intro.html
17:27 semiosis this looks pretty good: http://projects.spring.io/spring-security-saml/
17:27 semiosis i do love spring security
17:30 pdurbin semiosis: I just added that to the doc. Thanks.
17:30 semiosis yw
17:30 semiosis seriously, if you're going to have to do a lot of work, you shouldn't end up with a dependency on apache
17:31 semiosis imo only reason to depend on apache is if it makes things super easy, which it clearly is not
17:31 pdurbin well, Shibboleth people expect you to be running mod_shib
17:31 pdurbin they'll be less able to work with you if you have something else
17:31 pdurbin less able to troubleshoot problems, let's say
17:31 semiosis spring projects generally have great communities around them
17:32 semiosis and great docs, etc
17:32 semiosis very high quality software
17:32 pdurbin I've never used Spring but there seems to be a bit of a bias against it here. Not sure why. And I'm not sure how easy it is to grab just part of a Spring and add it into an otherwise only Java EE project.
17:33 semiosis that's one of the main design goals of spring, that you can pick & choose what you need
17:34 pdurbin but to use Spring Security SAML I assume we'd need to adopt all of Spring Security
17:35 semiosis unlikely
17:36 semiosis you could probably do a minimal integration with spring security for authentication only & still use your own authz
17:37 pdurbin well, the suggestion is on the list. thanks
17:37 semiosis yw
18:50 pdurbin Locust - A modern load testing framework - http://locust.io