[Shib-Users] AJP Tomcat env vars


George Kroner

11 Nov 2010, 12:39:35
to shibbole...@internet2.edu

Hi all,

 

I attended the InstallFest workshop yesterday – very fun and informative. Thank you for offering this, and very nice to meet everyone.

 

I have hopefully a quick, specific question for the community. Is it still the case that ShibUseHeaders On must appear in the shib.conf Apache configuration when using ProxyPass and AJP to front-end a Tomcat app with Shibboleth? The reason being that AJP won’t forward environment variables not prefixed with AJP_, and the ones passed via Shib are not?

 

Any known way around this limitation? I’d like to use environment variables if possible instead of headers as I know the debate continues over the security implications of the use of the latter.

 

Thank you for any insight,

-George


This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.

Peter Schober

11 Nov 2010, 12:56:34
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 18:40]:

> I have hopefully a quick, specific question for the community. Is it
> still the case that ShibUseHeaders On must appear in the shib.conf
> Apache configuration when using ProxyPass and AJP to front-end a
> Tomcat app with Shibboleth?

It's not and the documentation also states that (though I already
thought about changing the docs to reflect that more clearly and
promptly forgot ;)

> The reason being that AJP won't forward environment variables not
> prefixed with AJP_, and the ones passed via Shib are not?

Add attributePrefix="AJP_" to <ApplicationDefaults> and they will be.
-peter

Peter Schober

11 Nov 2010, 13:26:36
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 18:40]:
> I have hopefully a quick, specific question for the community. Is it
> still the case that ShibUseHeaders On must appear in the shib.conf
> Apache configuration when using ProxyPass and AJP to front-end a
> Tomcat app with Shibboleth? The reason being that AJP won't forward
> environment variables not prefixed with AJP_, and the ones passed
> via Shib are not?

Is this better now?
https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall
-peter

George Kroner

11 Nov 2010, 13:56:02
to shibbole...@internet2.edu
Beautiful. I'd also add a handy tip for Java developers that when using request.getAttributeNames() to iterate over all the environment variables, the Shib ones are not included in the enumeration. One must explicitly call them - eg: request.getAttribute("eppn"). With your help, and overcoming this bit of strangeness, we're good to go.

Thank you!
-George


Chad La Joie

11 Nov 2010, 14:00:49
to shibbole...@internet2.edu
If that's really true then it's a bug in your Servlet container and you
should probably file a bug report with them.

On 11/11/10 1:56 PM, George Kroner wrote:
> Beautiful. I'd also add a handy tip for Java developers that when
> using request.getAttributeNames() to iterate over all the environment
> variables, the Shib ones are not included in the enumeration. One
> must explicitly call them - eg: request.getAttribute("eppn"). With
> your help, and overcoming this bit of strangeness, we're good to go.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Peter Schober

11 Nov 2010, 14:07:12
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 19:56]:

> Beautiful. I'd also add a handy tip for Java developers that when
> using request.getAttributeNames() to iterate over all the
> environment variables, the Shib ones are not included in the
> enumeration. One must explicitly call them - eg:
> request.getAttribute("eppn"). With your help, and overcoming this
> bit of strangeness, we're good to go.

Exactly what I wrote back in June:
http://groups.google.com/group/shibboleth-users/msg/a4d5b03614a7fd76
http://groups.google.com/group/shibboleth-users/msg/e68bdc0bc1018bb2
cheers,
-peter

Etienne Dysli

26 Nov 2010, 11:48:12
to shibbole...@internet2.edu
On 11/11/10 20:00, Chad La Joie wrote:
> If that's really true then it's a bug in your Servlet container and you
> should probably file a bug report with them.

This is a bug affecting Tomcat 6 up to 6.0.20:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47364 which has been
fixed by... patching the javadoc!

From
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/connector/Request.html#getAttributeNames%28%29
"Note that the attribute names return will only be those for the
attributes set via setAttribute(String, Object). Tomcat internal
attributes will not be included although they are accessible via
getAttribute(String)."

Regards,
Etienne
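
An added example (not code from any poster in this thread or from the Shibboleth project) of the pattern the messages above arrive at: with attributePrefix="AJP_" set on <ApplicationDefaults>, a servlet filter reads each Shibboleth attribute by explicit name with request.getAttribute(), because getAttributeNames() does not enumerate them on the Tomcat versions discussed, and it never falls back to request headers. The class name, the attribute list other than "eppn", and the "shibAttributes" key are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumes the SP sets attributePrefix="AJP_" on <ApplicationDefaults>, so
// mod_proxy_ajp forwards each Shibboleth attribute as an AJP request attribute.
public class ShibAttributeFilter implements Filter {
    // Hypothetical list: use the attribute ids from your own attribute-map.xml.
    private static final List<String> EXPECTED = Arrays.asList("eppn", "affiliation", "mail");

    // Look each name up explicitly: on the Tomcat versions discussed above,
    // getAttributeNames() does not enumerate attributes set by the AJP connector.
    static Map<String, String> readShibAttributes(HttpServletRequest request) {
        Map<String, String> found = new LinkedHashMap<String, String>();
        for (String name : EXPECTED) {
            Object value = request.getAttribute(name); // never request.getHeader(name)
            if (value instanceof String && !((String) value).isEmpty()) {
                found.put(name, (String) value);
            }
        }
        return found;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Map<String, String> attrs = readShibAttributes(request);
        if (!attrs.containsKey("eppn")) {
            // No identity from the SP: refuse rather than trust client-supplied headers.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.setAttribute("shibAttributes", attrs); // hypothetical key for the application
        chain.doFilter(req, res);
    }
}
```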
