PeopleSoft/WebLogic proxy with Shibboleth Native SP and Apache

Schwoerer, Bradley J schwoerb at uww.edu
Wed Jan 23 14:42:28 EST 2013


Re-reading the original question and the follow-up, I have a few comments.

If you do not proxy the entire PeopleSoft application through Apache and
only the authentication piece, you would need a much more complicated
setup.  You would need the PeopleCode to detect lack of a session and
detect a secure token (custom cookie or POST/GET parameter) that can
identify the authenticated person.  If the person has not authenticated,
you will need to redirect them to a different port/server that does have
Apache/Shib protecting an app that can create the secure token and send
them back to the WebLogic server.  Here the PeopleCode would need to
handle this token to create the session.  You would have all of the issues
of how to securely pass between the two servers/applications a token that
can identify the person authenticated.

I would not consider this advisable, but it is technically possible to not
have Apache proxying all of your WebLogic traffic.


-Bradley



On 1/23/13 1:12 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>On 1/23/13 2:09 PM, "Marc Boorshtein" <mboorshtein at gmail.com> wrote:
>
>>While I'm not working at a university that has implemented these
>>technologies, I have implemented reverse proxies for authentication and
>>WebLogic on several occasions, and I would NOT only protect the login
>>page but the entire application.  The reason is that if you only
>>protect the login page and not WebLogic, someone could spoof their
>>login by injecting a header.  Better to use the reverse proxy to cover
>>everything to guard against that.
>
>That won't protect you. If you're talking about the headers the SP is
>handling, then sure, but by definition you aren't, since you're assuming
>that one could omit the application from it. So assuming you mean a custom
>header the application is relying on, that would be a bug in the
>application to assume such a header were meaningful.
>
>The connector that WebLogic provides for Apache automatically proxies all
>headers the client sends to WebLogic, so anything spoofed would get there
>anyway.
>
>Note that you have a general point, which is that it's asking for security
>issues to selectively do this anyway, for other reasons. But this would be
>a more specific flaw that would bite you regardless.
>
>-- Scott
>

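Bradley's note about securely passing an identity token between the two tiers, and Scott's point that the WebLogic connector forwards whatever headers the client sends, both come down to the same application-side check. The following is an added illustration, not code from this thread or from PeopleSoft, and it assumes a hypothetical shared secret and header names: a bare identity header is accepted as-is (the spoofable pattern), whereas an HMAC-signed, expiring token is only honoured when it verifies against the secret that the Apache/Shibboleth tier holds.

```python
# Added example (not from the list thread): contrast a bare identity header,
# which a header-forwarding connector passes straight through from the client,
# with an HMAC-signed, short-lived token that only the proxy tier can mint.
import hashlib
import hmac

# Hypothetical shared secret between the Apache/Shib tier and the application.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def trust_bare_header(headers):
    """The pattern Scott calls a bug: identity taken straight from a header."""
    return headers.get("X-Remote-User")


def mint_token(user, expires_at, secret=SHARED_SECRET):
    """Proxy side: bind user name and expiry time together under an HMAC."""
    payload = f"{user}|{expires_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac


def verify_token(token, now, secret=SHARED_SECRET):
    """Application side: return the user if authentic and unexpired, else None."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:          # malformed token
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # forged or tampered
        return None
    user, _, expires = payload.decode().rpartition("|")
    if not expires.isdigit() or int(expires) <= now:  # expired
        return None
    return user


def identity_from_request(headers, now, secret=SHARED_SECRET):
    """Only a valid X-Auth-Token (hypothetical name) establishes a session."""
    return verify_token(headers.get("X-Auth-Token", ""), now, secret)


if __name__ == "__main__":
    # Constructed requests: one forged by a client, one minted by the proxy.
    forged = {"X-Remote-User": "admin", "X-Auth-Token": "deadbeef.00"}
    genuine = {"X-Auth-Token": mint_token("alice", expires_at=1000)}
    print(trust_bare_header(forged), identity_from_request(forged, 999))
    print(identity_from_request(genuine, 999), identity_from_request(genuine, 1000))
```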

