Apache + SP HTTP reverse proxy to Weblogic
a.sykes at ucl.ac.uk
Fri Nov 18 11:18:38 GMT 2011
Apologies, the reference got snipped. It's actually:
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Sykes, Andy
Sent: 18 November 2011 11:12
To: users at shibboleth.net
Subject: Apache + SP HTTP reverse proxy to Weblogic
Just looking for a sanity check here, as it's not a situation I'm particularly familiar with.
I have Apache installed providing an HTTP reverse proxy (using mod_proxy_http) to a Weblogic appserver on the same machine. The SP is installed and configured.
I want to provide attributes to apps running in the Weblogic appserver.
Initially I thought to just set ShibUseHeaders On, but the documentation makes it pretty clear this is a bad move:
"Under no circumstances should you rely on the request header option other than as a temporary measure..."
The only alternative I can think of is to use mod_headers' directive RequestHeader to set some headers (and by "set" I mean bulldoze any header with the same name) with the value of the header set to the value of the desired attribute; then these headers can be picked up inside Weblogic. This seems relatively secure to me. Is this sane?
What I can't understand is how this differs from using ShibUseHeaders. Surely mod_shib inserts the headers in pretty much the same way as mod_headers does? The only difference I can conceive of is that if the environment variable is unset, my RequestHeader directive will set that header to an empty string; so if a naughty user supplied their own headers, Apache will just bulldoze them to an empty string, whereas the SP may not. Am I interpreting this correctly?
Am I missing any more obvious ways of doing this?
University College London
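
The RequestHeader approach asked about above, sketched as an added example (not part of the original post and not the Shibboleth project's own configuration). The header names, the attribute variable names `eppn` and `affiliation`, the `/app` path and the Weblogic address are assumptions.

```apache
# Added example. Assumes mod_shib, mod_headers, mod_proxy and mod_proxy_http
# are loaded. Attribute variable names depend on the SP's attribute-map.xml;
# "eppn" and "affiliation" are assumed here.

<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Keep the SP publishing attributes as environment variables,
    # not as request headers.
    ShibUseHeaders Off

    # 1. Unconditionally drop anything the client sent under these names,
    #    whether or not the SP produced a value for this request.
    RequestHeader unset X-Shib-Eppn
    RequestHeader unset X-Shib-Affiliation

    # 2. Re-create each header from the SP's variable. The env= clause
    #    applies the directive only when that variable is set, so a
    #    missing attribute leaves the header absent.
    RequestHeader set X-Shib-Eppn        "%{eppn}e"        env=eppn
    RequestHeader set X-Shib-Affiliation "%{affiliation}e" env=affiliation

    # Assumed backend address. Weblogic should listen on loopback only,
    # so that Apache is the only route by which these headers can arrive.
    ProxyPass        http://127.0.0.1:7001/app
    ProxyPassReverse http://127.0.0.1:7001/app
</Location>
```

A quick check after deploying something like this is to send a request carrying a forged `X-Shib-Eppn` header and confirm that the application behind the proxy sees only the SP-derived value, or no header at all.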