Apache + SP HTTP reverse proxy to Weblogic

David Beaumont D.Beaumont at kent.ac.uk
Fri Nov 18 11:26:01 GMT 2011


Hi Andy,

I can't claim to be doing things sanely, but for what it's worth:

I use attributePrefix="AJP_" in my shibboleth2.xml so that the attributes are sent to backend servers as environmental variables. I don't have ShibUseHeaders On. I have in the past, but was always a bit worried that I hadn't got the security at Apache right.

At the backend server I have Java code like:

Object persistentIdAttr = request.getAttribute("persistent-id");
String givenPersistentId = persistentIdAttr != null ? persistentIdAttr.toString() : null;
// Now go and authenticate the user against a database

Note that the attribute isn't prefixed by AJP_ as far as Java sees it. If anyone thinks I am doing something stupid, please chime in!

Dave

On 18 Nov 2011, at 11:11, Sykes, Andy wrote:

> Hi,
> 
> Just looking for a sanity check here, as it's not a situation I'm particularly familiar with.
> 
> I have Apache installed providing an HTTP reverse proxy (using mod_proxy_http) to a Weblogic appserver on the same machine. The SP is installed and configured.
> 
> I want to provide attributes to apps running in the Weblogic appserver.
> 
> Initially I thought to just set ShibUseHeaders On, but the documentation makes it pretty clear this is a bad move:
> 
> "Under no circumstances should you rely on the request header option other than as a temporary measure..."[1]
> 
> The only alternative I can think of is to use mod_headers' directive RequestHeader to set some headers (and by "set" I mean bulldoze any header with the same name) with the value of the header set to the value of the desired attribute; then these headers can be picked up inside Weblogic. This seems relatively secure to me. Is this sane?
> 
> What I can't understand is how this differs from using ShibUseHeaders. Surely mod_shib inserts the headers in pretty much the same way as mod_headers does? The only difference I can conceive of is that if the environment variable is unset, my RequestHeader directive will set that header to an empty string; so if a naughty user supplied their own headers, Apache will just bulldoze them to an empty string, whereas the SP may not. Am I interpreting this correctly?
> 
> Am I missing any more obvious ways of doing this?
> 
> Andy.
> 
> [1] 
> 
> --
> Andy Sykes
> Systems Administrator
> University College London
> 
> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
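An added example, not configuration from either poster, showing both approaches from this thread in one Apache vhost: Andy's mod_proxy_http + RequestHeader method hardened so that a client-supplied header can never reach the backend, and Dave's attributePrefix="AJP_" method. Hostnames, ports, paths, header names and the assumption that the backend accepts AJP are all mine.

```apache
# Added example (not from the thread). Names, ports and paths are assumptions.
<VirtualHost *:443>
    ServerName sp.example.org

    <Location /app>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        # ShibUseHeaders stays at its default (Off): attributes reach Apache
        # only as environment variables, which a client cannot supply.
    </Location>

    # Option A (Andy's question): mod_proxy_http plus mod_headers.
    # Discard any X-Shib-* header the client sent first, so a spoofed value
    # cannot pass through even when the SP attribute is absent ...
    RequestHeader unset X-Shib-Persistent-Id
    RequestHeader unset X-Shib-Mail
    # ... then copy the SP's environment variables, but only when they exist
    # (env=NAME), so an absent attribute yields no header at all.
    RequestHeader set X-Shib-Persistent-Id "%{persistent-id}e" env=persistent-id
    RequestHeader set X-Shib-Mail          "%{mail}e"          env=mail
    ProxyPass        /app http://localhost:7001/app
    ProxyPassReverse /app http://localhost:7001/app

    # Option B (Dave's setup): attributePrefix="AJP_" in shibboleth2.xml and
    # an AJP backend. mod_proxy_ajp forwards environment variables named
    # AJP_* as AJP request attributes with the prefix removed, so the servlet
    # calls request.getAttribute("persistent-id") and a client has no way to
    # populate a request attribute. (Assumes the backend speaks AJP.)
    # ProxyPass /app ajp://localhost:8009/app
</VirtualHost>
```

The unset/set pair is what answers Andy's "how does this differ" question: the headers are rebuilt by Apache on every request, so nothing the client sent survives.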
