Check shibboleth SP session on application level
Akshay Vadher
akshay.vadher at synoverge.com
Fri May 22 05:45:16 EDT 2015
The question may sound odd, but I have a worst-case scenario.

My application server is on http://10.10.10.10/app (say app-server) and the Apache HTTP server is on http://some.dns.com/app (say http-server). Both are on different systems/servers.

I know app-server shouldn't be directly accessible publicly, but let's assume it is publicly accessible. Now Shibboleth is installed on http-server, securing the path http://some.dns.com/app/secure, while one servlet is mapped to get attributes from the path /secure.

Suppose someone manages to create a fake Apache HTTP server (say fake-http-server) and that too points to app-server. Then fake-http-server can directly access the /secure path, and that server can manually send Shibboleth-like attributes and log in to the system without protection.

My question here is: is there a mechanism in Shibboleth where I can check the Shibboleth session in my application, not only in the HTTP layer?

The question is also here: http://stackoverflow.com/q/30374062/1534925
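The scenario in the post (a fake front-end talking straight to app-server and injecting Shibboleth-like headers) is a spoofed-upstream problem, so an application-level check has to establish that the attributes really came from the genuine http-server rather than merely that they look like SP output. The example below is added here and is not code from the post or from the Shibboleth project. It models, in Python rather than the poster's servlet, the check such a servlet filter would perform: accept Shib-* attributes only from the known front-end address, require the `Shib-Session-ID` header that the SP exports when a session exists, and verify an HMAC that the trusted front-end is assumed to compute over the forwarded attribute headers with a secret shared with app-server. That signing step is a hypothetical mechanism for illustration, not something the post or the SP provides; the addresses, secret, header names other than `Shib-Session-ID` and `Shib-Identity-Provider`, and sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the original post): the address of the
# genuine http-server and the secret it is assumed to share with app-server.
TRUSTED_FRONTENDS = {"203.0.113.10"}
SHARED_SECRET = b"example-shared-secret-rotate-me"
# Hypothetical header the trusted front-end attaches to each forwarded request.
SIGNATURE_HEADER = "x-frontend-signature"
# The attribute headers the application actually consumes; absent ones are
# signed as empty so that stripping a header is detected too.
PROTECTED_HEADERS = ("shib-session-id", "shib-identity-provider", "eppn")


def _normalize(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def canonical_attributes(headers):
    """Serialize the protected headers in a fixed order so the front-end and
    the application sign exactly the same bytes."""
    norm = _normalize(headers)
    return "\n".join(f"{name}={norm.get(name, '')}" for name in PROTECTED_HEADERS).encode()


def sign_attributes(headers, secret=SHARED_SECRET):
    """What the trusted front-end would compute over the attributes it forwards."""
    return hmac.new(secret, canonical_attributes(headers), hashlib.sha256).hexdigest()


def verify_forwarded_session(remote_addr, headers, secret=SHARED_SECRET):
    """Application-level check run before any Shib-* header is trusted.
    Returns (accepted, reason)."""
    # 1. Only the known front-end may deliver attributes at all. A fake
    #    front-end connecting directly to app-server has a different address.
    if remote_addr not in TRUSTED_FRONTENDS:
        return False, "request did not come from the trusted http-server"
    norm = _normalize(headers)
    # 2. The SP exports Shib-Session-ID only when an SP session exists.
    if not norm.get("shib-session-id"):
        return False, "no Shibboleth SP session"
    # 3. The protected headers must carry a valid signature from the front-end.
    provided = norm.get(SIGNATURE_HEADER)
    if not provided:
        return False, "attributes are unsigned"
    expected = sign_attributes(headers, secret)
    if not hmac.compare_digest(provided, expected):
        return False, "attribute signature mismatch"
    return True, "ok"


def build_request(headers, secret=SHARED_SECRET):
    """Simulate the trusted front-end: forward the SP's headers plus a signature."""
    signed = dict(headers)
    signed[SIGNATURE_HEADER] = sign_attributes(headers, secret)
    return signed


if __name__ == "__main__":
    # Constructed attribute set as the SP would export it on http-server.
    sp_headers = {
        "Shib-Session-ID": "_abc123",
        "Shib-Identity-Provider": "https://idp.example.org/idp",
        "eppn": "alice@example.org",
    }
    genuine = build_request(sp_headers)
    print(verify_forwarded_session("203.0.113.10", genuine))   # (True, 'ok')
    print(verify_forwarded_session("198.51.100.7", genuine))   # rejected: wrong upstream
    print(verify_forwarded_session("203.0.113.10", sp_headers))  # rejected: unsigned
```

The address check alone is what a firewall rule on app-server would give you, and is the first thing to put in place; the signature adds a second, application-verifiable factor so that a host which merely reaches app-server on the network still cannot fabricate attributes. In the servlet this logic belongs in a filter in front of the /secure mapping, with `remote_addr` taken from the servlet request rather than from any forwarded header.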