Delegated Auth with

Cantor, Scott cantor.2 at
Thu Nov 3 17:34:33 GMT 2011

On 11/3/11 1:19 PM, "Eric Dalquist" <eric.dalquist at> wrote:

>We turned on mod_log_forensic and see the following for the request in
>the forensic log:
>+22677:4eb2cc10:13|GET /secure/printenv

Those constants are URL encoded. That isn't allowed, if that's literally
what it's seeing.  I could add code to be permissive of course, but it
isn't there now, and the spec doesn't say anything about it being allowed.

You said the code you were using worked against the SP I suggested trying,
but it wouldn't work if the header looked like that.

>That seems to show the PAOS header coming through as expected. Is there
>any way to turn up logging for mod_shib and/or the SP so that it dumps
>out what it is seeing for headers?

It sees whatever Apache sees.

-- Scott

More information about the users mailing list