Why doesn't Java's request.getAttributeNames() show Shibboleth attributes?

Michael A Grady mgrady at unicon.net
Fri Jun 19 16:53:35 EDT 2015


On Jun 19, 2015, at 2:47 PM, Cantor, Scott <cantor.2 at OSU.EDU> wrote:

> 
> Those aren't headers, are you configuring things to get the data passed over as attributes (with the AJP- prefix)?

Yes, be sure to add 'attributePrefix="AJP_"' as follows:

 <ApplicationDefaults entityID="..."
                         REMOTE_USER="eppn persistent-id targeted-id"
                         attributePrefix="AJP_" >

> 
>> Is this some sort of security measure? Or is the getAttributeNames()
>> method buggy on my application server? I'm using Glassfish 4.1.
> 
> Ultimately it's up to Glassfish, not us.
> 
>> p.s. It works just fine, by the way, to print attributes that I look
>> up one by one with this:
>> 
>> request.getAttribute("Shib-Identity-Provider")

The same is true in Tomcat: they don't get listed in the enumeration of the list, but they are there if you explicitly call them. Not sure what the reason is for that behavior. Sure does seem like a bug. And, to get REMOTE_USER through the getRemoteUser(), you may need to configure 'tomcatAuthentication="false"' on the AJP connector (or the Glassfish equivalent).

> 
> I guess that answers the first question. I would say that Glassfish has a bug if that's the case.
> 
> -- Scott
> 


--
Michael A. Grady
IAM Architect, Unicon, Inc.
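
An added example, not part of the original message or of the Shibboleth project's code: because the attributes come back from an explicit getAttribute() call but are not listed by getAttributeNames(), an application can read them from a fixed list of names. The class and method names, the sample values and the ';' multi-value handling are assumptions.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class ShibAttributes {
    // Names taken from the thread; extend with the ids your SP actually exports.
    static final List<String> NAMES =
        List.of("Shib-Identity-Provider", "eppn", "persistent-id", "targeted-id");

    // Look each name up explicitly; names the container does not return are skipped.
    static Map<String, List<String>> collect(Function<String, Object> lookup) {
        Map<String, List<String>> found = new LinkedHashMap<>();
        for (String name : NAMES) {
            Object raw = lookup.apply(name);
            if (raw != null && !raw.toString().isEmpty()) {
                found.put(name, splitValues(raw.toString()));
            }
        }
        return found;
    }

    // Assumption: values are joined with ';' and a literal ';' is escaped as "\;".
    static List<String> splitValues(String raw) {
        List<String> values = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';');   // unescape "\;" into a literal semicolon
                i++;
            } else if (c == ';') {
                values.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        values.add(cur.toString());
        return values;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getAttribute(name).
        Map<String, Object> sample = Map.of(
            "Shib-Identity-Provider", "https://idp.example.org/idp/shibboleth",
            "eppn", "jdoe@example.org;jd\\;alt@example.org");
        System.out.println(collect(sample::get));
    }
}
```

In a servlet or filter, pass `request::getAttribute` as the lookup instead of the sample map.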


