Check Shibboleth SP session at the application level

Akshay Vadher akshay.vadher at
Fri May 22 05:45:16 EDT 2015

The question may sound odd, but I have a worst-case scenario.

My application server is on <> (say app-server) and the Apache HTTP server is
on <> (say http-server). Both are different.

I know app-server shouldn't be directly accessible publicly, but let's assume
it is publicly accessible. Now Shibboleth is installed on http-server,
securing the path <>, while one servlet is mapped to get
attributes from the path /secure.

If someone manages to create a fake Apache HTTP server (say fake-http-server)
that also points to app-server, then fake-http-server can directly
access the /secure path, and that server can manually send
Shibboleth-like attributes and log in to the system without protection.

My question here is: is there a mechanism in Shibboleth where I can check
the Shibboleth session in my application, not only in the HTTP layer?



Question is here -  too
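The scenario above (fake-http-server reaching app-server and supplying Shibboleth-like attributes) is a trust-boundary problem between the two servers rather than something the SP session can solve from inside the application: the SP only ever establishes the session on http-server, and whatever it hands down (headers with ShibUseHeaders, or AJP request attributes when proxied with mod_proxy_ajp) is just data that any peer able to reach app-server can fabricate. The usual answer is to make the application accept those attributes only from the real http-server. The servlet filter below is an added example written for this thread, not code from the original post or from the Shibboleth project; the header name X-Proxy-Auth, the init-param proxySecret, the class name TrustedProxyFilter and the proxy address 203.0.113.10 are all assumptions. It assumes http-server is configured to add the shared-secret header to every proxied request (for example with mod_headers: RequestHeader set X-Proxy-Auth <secret>).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter mapped in front of /secure on app-server.
 *
 * It does not (and cannot) validate the Shibboleth session itself; that is
 * done by the SP on http-server. What it verifies is that the request really
 * arrived via http-server, which is the only origin from which the
 * Shibboleth-derived attributes (eppn, affiliation, ...) can be trusted.
 */
public class TrustedProxyFilter implements Filter {

    // Assumed header name: http-server must set it on every proxied request,
    // e.g. "RequestHeader set X-Proxy-Auth <secret>" in the Apache vhost.
    private static final String SECRET_HEADER = "X-Proxy-Auth";

    // Assumed address of http-server (placeholder from the documentation range).
    private static final Set<String> TRUSTED_PROXIES =
            Collections.singleton("203.0.113.10");

    private byte[] secret;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed configuration source: filter init-param, falling back to an
        // environment variable so the secret is not committed with the code.
        String s = cfg.getInitParameter("proxySecret");
        if (s == null) {
            s = System.getenv("PROXY_SECRET");
        }
        if (s == null || s.length() < 32) {
            // Refuse to start rather than silently run without the check.
            throw new ServletException("proxySecret is missing or too short");
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        if (!isFromTrustedProxy(http)) {
            // Do not read any Shibboleth attribute from this request: anyone who
            // can reach app-server directly (the fake-http-server case) can set
            // them, whether they arrive as HTTP headers or as AJP attributes.
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if the TCP peer is http-server AND it presented the shared secret. */
    boolean isFromTrustedProxy(HttpServletRequest http) {
        // Check 1: the socket peer. getRemoteAddr() is the actual connection
        // peer, not X-Forwarded-For, so a header alone cannot forge it.
        if (!TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            return false;
        }

        // Check 2: the shared secret, compared in constant time so an attacker
        // who reaches app-server cannot recover it byte by byte via timing.
        String presented = http.getHeader(SECRET_HEADER);
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(secret,
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void destroy() {
        secret = null;
    }
}
```

Two caveats when deploying something like this. First, the peer-address check is only meaningful if nothing in the container rewrites it: Tomcat's RemoteIpValve (or the RemoteIpFilter) replaces getRemoteAddr() with the X-Forwarded-For value, which would let fake-http-server spoof check 1, so either leave that valve off for this connector or rely on the secret alone. Second, if http-server and app-server talk AJP rather than HTTP, the same idea is available at the connector level: Tomcat's AJP connector accepts a required secret (the requiredSecret attribute, renamed secret with secretRequired in later 8.5/9.0 releases) and mod_proxy_ajp in Apache 2.4.42 and later passes it with the secret= option on ProxyPass, which protects the connector itself and not just the servlet paths behind this filter.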


