Apache + SP HTTP reverse proxy to Weblogic

Sykes, Andy a.sykes at ucl.ac.uk
Fri Nov 18 11:18:38 GMT 2011


Apologies, the [1] reference got snipped. It's actually:

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Sykes, Andy
Sent: 18 November 2011 11:12
To: users at shibboleth.net
Subject: Apache + SP HTTP reverse proxy to Weblogic

Hi,

Just looking for a sanity check here, as it's not a situation I'm particularly familiar with.

I have Apache installed providing an HTTP reverse proxy (using mod_proxy_http) to a Weblogic appserver on the same machine. The SP is installed and configured.

I want to provide attributes to apps running in the Weblogic appserver.

Initially I thought to just set ShibUseHeaders On, but the documentation makes it pretty clear this is a bad move:

"Under no circumstances should you rely on the request header option other than as a temporary measure..."[1]

The only alternative I can think of is to use mod_headers' directive RequestHeader to set some headers (and by "set" I mean bulldoze any header with the same name) with the value of the header set to the value of the desired attribute; then these headers can be picked up inside Weblogic. This seems relatively secure to me. Is this sane?

What I can't understand is how this differs from using ShibUseHeaders. Surely mod_shib inserts the headers in pretty much the same way as mod_headers does? The only difference I can conceive of is that if the environment variable is unset, my RequestHeader directive will set that header to an empty string; so if a naughty user supplied their own headers, Apache will just bulldoze them to an empty string, whereas the SP may not. Am I interpreting this correctly?

Am I missing any more obvious ways of doing this?

Andy.

[1] 

--
Andy Sykes
Systems Administrator
University College London
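
An added configuration sketch of the approach described in the message above (not part of the original post and not taken from the Shibboleth documentation). The attribute variable `eppn`, the header name `X-Shib-Eppn`, the `/app` path and the Weblogic listener on 127.0.0.1:7001 are all assumptions, as is mod_shib having populated the request environment before mod_headers evaluates these directives.

```apache
# Added example. Names, path and port are assumptions, not values from the post.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Leave mod_shib exporting attributes as environment variables only.
    ShibUseHeaders Off

    # Step 1: unconditionally discard whatever the client sent under this name.
    RequestHeader unset X-Shib-Eppn

    # Step 2: re-create the header from the SP-populated variable, and only
    # when that variable exists. Without the env= condition, mod_headers
    # expands a missing variable to the literal string "(null)".
    RequestHeader set X-Shib-Eppn "%{eppn}e" env=eppn

    # Assumed backend: Weblogic bound to loopback so that it cannot be
    # reached except through this proxy.
    ProxyPass        http://127.0.0.1:7001/app
    ProxyPassReverse http://127.0.0.1:7001/app
</Location>
```

The overwrite only protects the application if every route to Weblogic passes through this Location block; a listener reachable directly would accept the same header from any client.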


