Apache + SP HTTP reverse proxy to Weblogic
Peter Schober
peter.schober at univie.ac.at
Fri Nov 18 11:43:35 GMT 2011
* David Beaumont <D.Beaumont at kent.ac.uk> [2011-11-18 12:26]:
> I can't claim to be doing things sanely, but for what it's worth:
>
> I use attributePrefix="AJP_" in my shibboleth2.xml so that the
> attributes are sent to backend servers as environmental variables. I
> don't have ShibUseHeaders On. I have in the past, but was always a
> bit worried that I hadn't got the security at Apache right.
That's also what the official documentation says:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall
> At the backend server I have Java code like:
>
> Object persistentIdAttr = request.getAttribute("persistent-id");
Note that unless you explicitly want to bake in the use of
persistent-id as the attribute uniquely identifying the principal, you
could use Java's getRemoteUser() methods (as documented at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess )
and rely on httpd's REMOTE_USER.
The SP in its default configuration will map persistent-id to
REMOTE_USER and you gain additional flexibility by (1) having a
precedence list of attributes to step through and set REMOTE_USER to
the first one not empty, and (2) doing the mapping of attributes to
REMOTE_USER outside your code.
-peter
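
The approach discussed in this thread, as an added example that is not part of the original messages or of the Shibboleth project's code: a servlet filter that takes the principal from getRemoteUser(), optionally falls back to a request attribute named in the deployment descriptor, and never reads identity from HTTP request headers. It assumes the javax.servlet API; the class name, the `fallbackAttribute` init-param and the `example.principal` attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): resolve the principal only from values set by the SP. */
public class ShibPrincipalFilter implements Filter {
    /** Hypothetical attribute name under which the application finds the resolved principal. */
    public static final String PRINCIPAL_ATTR = "example.principal";
    private String fallbackAttribute; // e.g. "persistent-id"; null disables the fallback

    @Override
    public void init(FilterConfig cfg) {
        // Hypothetical init-param: keeps the attribute name in web.xml, not in code.
        fallbackAttribute = cfg.getInitParameter("fallbackAttribute");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Preferred source: httpd's REMOTE_USER, mapped by the SP outside this code.
        String principal = request.getRemoteUser();
        if (isBlank(principal) && fallbackAttribute != null) {
            // Fallback: a request attribute, read as in the quoted getAttribute() code.
            Object value = request.getAttribute(fallbackAttribute);
            principal = (value == null) ? null : value.toString();
        }
        // request.getHeader() is deliberately never consulted: headers are client-controlled.
        if (isBlank(principal)) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_UNAUTHORIZED, "No authenticated principal");
            return; // fail closed instead of continuing anonymously
        }
        request.setAttribute(PRINCIPAL_ATTR, principal);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }
}
```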