[Shib-Users] Getting attributes in Java Web Application


Prashant Yadav

Jun 15, 2010, 4:33:50 PM
to shibbole...@internet2.edu
I have following lines in my log:
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]: Cached the following attributes with session (ID: _e93034ad270acb02e5ca8fe26bb729e6) for (applicationId: default) {
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    Address1 (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    City (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    EmailAddress (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    FirstName (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    LastName (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    PhoneNumber (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    PostalCode (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]:    StateProvince (1 values)
2010-06-15 15:38:08 INFO Shibboleth-TRANSACTION [1]: }
2010-06-15 15:38:08 DEBUG Shibboleth.SSO.SAML2 [1]: ACS returning via redirect to: http://10.0.0.53:8080/Shibboleth/ShibbolethDrxUserServlet


When I try to get these values in my Java code using request.getAttribute("Address1"), it comes up as null.
Is there any way I can log what values are being added by Shibboleth, instead of it saying (1 value)?

Peter Schober

Jun 15, 2010, 4:52:50 PM
to shibbole...@internet2.edu
* Prashant Yadav <prya...@gmail.com> [2010-06-15 22:35]:

> When I am trying to get these values in my Java code using
> request.getAttribute("Address1"). It is coming up as null.
> Is there any way, I can log what values are being added by Shibboleth.
> Instead of saying (1 value)

You'll see them in the decoded and decrypted assertion in shibd.log,
on DEBUG log level. But it's probably easier to just set
ApplicationDefaults/Sessions/Handler/@showAttributeValues="true"
in shibboleth2.xml and check the values on the web, via
https://your.example.org/Shibboleth.sso/Session

As for Java accessing attributes have a look at
https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall
E.g. with mod_proxy_ajp you'll need to prefix all envvars or
alternatively switch to using HTTP request headers.
-peter

Peter Schober

Jun 16, 2010, 1:39:08 PM
to shibbole...@internet2.edu
* Prashant Yadav <prya...@gmail.com> [2010-06-16 19:22]:
> When I look for attributes at http://<my-machine>/Shibboleth.sso/Session,
> I do see all the attributes and values.
>
> I did add the ProxyPass in my httpd.conf file. Still I am unable to
> collect these attributes in my Java app.
> I tried:
> session.getAttribute
> request.getAttribute
> request.getParameter
>
> all three came as null.
> How do we send these attribute from Shibboleth to an application ? In
> Session or Request or Header ? or somewhere else ?

Start by reading the docs I have referred you to yesterday:

* Peter Schober <peter....@univie.ac.at> [2010-06-15 22:54]:


> As for Java accessing attributes have a look at
> https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall
> E.g. with mod_proxy_ajp you'll need to prefix all envvars or
> alternatively switch to using HTTP request headers.

So...

* Did you configure the SP to send HTTP request headers? If yes, you
should be able to access those like you access any other HTTP
request headers from a Java servlet.
(I guess that's request.getHeader("HTTP_SOME_ATTRIBUTE") but I know
nothing about Java, so try
http://www.google.com/search?q=java+access+http+request+headers )
Also note the naming constraints of HTTP request headers, all of
which is mentioned in the page above.

* If you did *not* set the SP to use HTTP headers it's still using
environment variables, which, as is also clearly stated (in a bold
font) on the page I referred you to, are not transferred via AJP,
unless you prefix them with 'AJP_'.

I'm only repeating what is on that page. So based on what you said
you're neither prefixing nor using headers (and also you're not
looking at headers), so this cannot work.
-peter

Prashant Yadav

Jun 16, 2010, 1:58:34 PM
to shibbole...@internet2.edu
I did prefix all the attributes in attribute-map.xml with AJP_
but no help.
Do I need any configuration like "ShibUseEnvironment" in my httpd.conf?
I do not have any such config, nor ShibUseHeaders.
Keep Smiling :)
Prashant Yadav




Scott Cantor

Jun 16, 2010, 2:21:05 PM
to shibbole...@internet2.edu
> I did prefix all the attributes in attribute-map.xml with AJP_
> but no help.

It might be "AJP-".

> Do I need any configuration like "ShibUseEnvironment" in my httpd.conf ?

That's the default.

-- Scott

Prashant Yadav

Jun 16, 2010, 3:36:48 PM
to shibbole...@internet2.edu
Team,

I tried almost everything.
Here is my config from httpd.conf:

<VirtualHost *:80>
    ServerAdmin pras...@youngsoft.com
    DocumentRoot "/usr/share/doc/shibboleth-2.3.1/"
    ProxyPass /Shibboleth ajp://sso.h2hdigitalrx.com:8009/Shibboleth
#    ServerName 10.0.0.228
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
  <Location /Shibboleth>
    AuthType shibboleth
    ShibRequireSession Off
    ShibUseHeaders On
    require shibboleth
  </Location>
</VirtualHost>

I can see all the attributes at http://<my-machine>/Shibboleth.sso/Session
but unable to get anything in request.getHeaderNames

Am I still missing anything ?

Peter Schober

Jun 16, 2010, 3:53:38 PM
to shibbole...@internet2.edu
* Prashant Yadav <prya...@gmail.com> [2010-06-16 21:37]:

> <Location /Shibboleth>
> AuthType shibboleth
> ShibRequireSession Off
> ShibUseHeaders On
> require shibboleth
> </Location>
> </VirtualHost>
>
> I can see all the attributes at http://<my-machine>/Shibboleth.sso/Session
> but unable to get anything in request.getHeaderNames

What do you mean with "unable to get anything in request.getHeaderNames"?

If you get nothing at all, then that has nothing to do with Shibboleth
(as your HTTP user agent will certainly send a few things,
e.g. accept-{encoding,charset,language,}, a HTTP/1.1 Host header, etc.)

If you do get those but are missing any Shibboleth related attributes:
Do you actually have a session there? With your config above you are
explicitly not requesting a session, so unless something or someone
explicitly triggers the establishment of a session (i.e., other than
accessing the resource) there won't be any attributes.
(Which again you might have done, but since you don't say so we only
assume you haven't.)
-peter

Peter Schober

Jun 16, 2010, 4:04:52 PM
to shibbole...@internet2.edu
> If you do get those but are missing any Shibboleth related attributes:
> Do you actually have a session there? With your config above you are
> explicitly not requesting a session

But you did say the attributes are there in the session handler,
sorry. Since 'ShibUseHeaders On' certainly works for many people
maybe try moving the resource to some other place than /Shibboleth ?
That's a weird name for a resource of your own, esp if mod_shib lives
at /Shibboleth.sso
But that shouldn't be a problem if /Shibboleth.sso/Session works for you.

This simple JSP code does show all headers incl shib attributes, btw:

<%@ page import="java.util.*" %>
<table>
<%
Enumeration enumeration = request.getHeaderNames();
while (enumeration.hasMoreElements()) {
String name = (String) enumeration.nextElement();
String value = request.getHeader(name);
%>
<tr><td><%= name %></td><td><%= value %></td></tr>
<%
}
%>
</table>

with this shib config (and a proxy pass):

<Location /foo.jsp>
AuthType Shibboleth
require valid-user
ShibRequireSession on
ShibUseHeaders On
</Location>

-peter

Peter Schober

Jun 16, 2010, 6:12:57 PM
to shibbole...@internet2.edu
* Peter Schober <peter....@univie.ac.at> [2010-06-16 22:06]:

> But you did say the attributes are there in the session handler,
> sorry. Since 'ShibUseHeaders On' certainly works for many people

I also just tried this without 'ShibUseHeaders On' and this works
fine. Doing this via ApplicationDefaults/@attributePrefix in
shibboleth2.xml (as Scott suggested) set to "AJP_" makes this rather
painless and also gives you access to the "internal" attributes such
as Shib-Identity-Provider (which will always be there with a session
and hence make good candidates to check for during debugging).
Fyi, setting attributePrefix="AJP-" did not work, at least on a test
system with Tomcat 6.0.18 and httpd/mod_proxy_ajp 2.2.3.

However, looping over request.getAttributeNames() with
map = new TreeMap();
enames = request.getAttributeNames();
while (enames.hasMoreElements()) {
String name = (String) enames.nextElement();
String value = "" + request.getAttribute(name);
map.put(name, value);
}
did only return these attributes (and their values):
javax.servlet.request.cipher_suite
javax.servlet.request.key_size
javax.servlet.request.ssl_session
but none of the Shib ones. Only when I asked for specific attributes
by name this also worked fine:

request.getAttribute("Shib-Identity-Provider")
request.getAttribute("mail")
and
request.getRemoteUser()
were all set correctly.

I'll chalk up the non-display of those attributes during the
iteration to my non-existing knowledge of the language and APIs
involved here. (I just copied together a bunch of lines from the
'net.)
-peter
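
The by-name lookup described in the message above, as an added example that is not part of the original thread: a servlet that reads the attributes with request.getAttribute() instead of enumerating them, and splits multi-valued attributes on the SP's ';' delimiter. It assumes attributePrefix="AJP_" and a mod_proxy_ajp ProxyPass as in the thread; the class name and the EXPECTED list are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.*;

// Added example; assumes attributePrefix="AJP_" and a mod_proxy_ajp ProxyPass.
public class ShibAttributeServlet extends HttpServlet {
    // Hypothetical list; the names are taken from the thread.
    private static final String[] EXPECTED = {
        "Shib-Identity-Provider", "mail", "Address1", "EmailAddress" };

    // Ask by name: in the thread, getAttributeNames() did not list these.
    static List<String> shibValues(HttpServletRequest request, String name) {
        Object raw = request.getAttribute(name);
        return raw == null ? new ArrayList<String>() : splitValues(raw.toString());
    }

    // The SP joins multiple values with ';' and escapes a literal ';' as "\;".
    static List<String> splitValues(String joined) {
        List<String> values = new ArrayList<String>();
        StringBuilder current = new StringBuilder();
        for (int i = 0; i < joined.length(); i++) {
            char c = joined.charAt(i);
            if (c == '\\' && i + 1 < joined.length() && joined.charAt(i + 1) == ';') {
                current.append(';');   // escaped ';' belongs to the value
                i++;
            } else if (c == ';') {
                values.add(current.toString());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        values.add(current.toString());
        return values;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Plain text output, so attribute values are never interpreted as HTML.
        response.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("REMOTE_USER = " + request.getRemoteUser());
        for (String name : EXPECTED) {
            out.println(name + " = " + shibValues(request, name));
        }
    }
}
```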

Chad La Joie

Jun 16, 2010, 6:52:15 PM
to shibbole...@internet2.edu
Peter, are you sure you didn't use request attributes at one point and
request headers at another? I thought the Shibboleth information would
come through as headers but it's been forever since I configured the
various AJP items, so maybe not.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Prashant Yadav

Jun 16, 2010, 9:32:40 PM
to shibbole...@internet2.edu
I see attribute values at http://<my-machine>/Shibboleth.sso/Session
When I do ShibUseHeaders On:
I also see attribute names in getHeaderNames.
But when I try to get these attributes in my Java app, they come out as
empty " ".
Any clue?

Keep Smiling :)
Prashant Yadav
732.406.8023


Chad La Joie

Jun 16, 2010, 10:43:17 PM
to shibbole...@internet2.edu
You say you see the header names listed, what method call are you trying
to use to get the values?

--

Peter Schober

Jun 17, 2010, 5:12:51 AM
to shibbole...@internet2.edu
* Chad La Joie <laj...@itumi.biz> [2010-06-17 00:53]:

> Peter, are you sure you didn't use request attributes at one point and
> request headers at another? I thought the Shibboleth information would
> come through as headers but it's been forever since I configured the
> various AJP items, so maybe not.

I'm sure, since I always checked for both in separate output tables
(see below). Looking at the ServletAPI this should be OK (except maybe
for the request.getAttribute() call which I see should return an
object, as compared to request.getHeader() which returns a string. But
asking for specific getAttribute()s works so type conversion/coercion
is probably accounted for in the code, dunno.). Also the
javax.servlet.request.ssl_session etc. attributes are returned OK in
that loop (inherited somehow from httpd, since only httpd does SSL in
this setup), as I wrote before.

<%@ page import="java.util.*" %>

<%
Enumeration enames;
Map map;

// HttpServletRequest headers
map = new TreeMap();
enames = request.getHeaderNames();  // already declared above; no second declaration
while (enames.hasMoreElements()) {
    String name = (String) enames.nextElement();
    String value = request.getHeader(name);
    map.put(name, value);
}
out.println(createTable(map, "Request Headers"));

// ServletRequest attributes
map = new TreeMap();
enames = request.getAttributeNames();
while (enames.hasMoreElements()) {
    String name = (String) enames.nextElement();
    String value = "" + request.getAttribute(name);
    map.put(name, value);
}
out.println(createTable(map, "Request Attributes"));

// REMOTE_USER and specific attributes
map = new TreeMap();
map.put("request.getRemoteUser()", request.getRemoteUser());
map.put("request.getAttribute(\"Shib-Identity-Provider\")", request.getAttribute("Shib-Identity-Provider"));
out.println(createTable(map, "Asking for it explicitly"));

%>
<%! private static String createTable(Map map, String title) {
[...]

But I really should leave that to Java programmers, I just wanted to
make sure I could get it to work based on the docs.
-peter
