Apache + SP HTTP reverse proxy to Weblogic

David Beaumont D.Beaumont at kent.ac.uk
Fri Nov 18 12:01:24 GMT 2011

On 18 Nov 2011, at 11:43, Peter Schober wrote:

> * David Beaumont <D.Beaumont at kent.ac.uk> [2011-11-18 12:26]
>> At the backend server I have Java code like:
>> Object persistentIdAttr = request.getAttribute("persistent-id");
> Note that unless you expicitly want to bake in the use of
> persistent-id as the attribute uniquely identifying the principal you
> could use Java's getRemoteUser() methods (as documented at
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess )
> and rely on httpd's REMOTE_USER.
> The SP in its default configuration will map persistent-id to
> REMOTE_USER and you gain additional flexibilty by (1) having a
> precendence list of attributes to step though and set REMOTE_USER to
> the first one not empty), and (2) doing the mapping of attributes to
> REMOTE_USER outside your code.

Thanks for the reassurance Peter.

In our case, being explicit is intentional as some IdPs give us eppn for use in a different application, which has a higher precedence, but I wanted to be consistent with the attribute being stored for this application.

Perhaps it would be wise to investigate application overrides rather than doing this in my code, but that is a job for the future!


More information about the users mailing list