getInboundMessageTransport always returns a null value
Brent Putman
putmanb at georgetown.edu
Tue May 26 18:06:00 EDT 2015
On 5/26/15 11:49 AM, Mark McCoy wrote:
> We are trying to add a check on the user’s IP address to determine
> whether or not the user is coming from on or off campus.
>
>
> In a scripted attribute, I’ve tried to use the following calls to get
> the user’s IP address.
For the record, on what type of SAML request flow do you see it not
working correctly: SAML 1 vs 2? Front-channel vs back-channel
attribute query? Everything?
> Every call results in the getInboundMessageTransport() returning a
> null value, which obviously causes the getPeerAddress() call to fail.
> Other calls to methods contained within the requestContext succeed
> (example, the getEntityId() call works fine).
Well, I tested the basic SAML 2 front-channel authN request flow case,
and it worked ok for me. I just did some logging of various bits:
importPackage(Packages.org.slf4j);
logger = LoggerFactory.getLogger("BRENT.script-test");
logger.debug("Inbound message issuer: {}", requestContext.getInboundMessageIssuer());
logger.debug("Peer entityID: {}", requestContext.getPeerEntityId());
logger.debug("Inbound message transport: {}", requestContext.getInboundMessageTransport());
logger.debug("Inbound transport peer address: {}", requestContext.getInboundMessageTransport().getPeerAddress());
The inbound transport was as expected an instance of the servlet request
adapter, and the peerAddress was available:
17:51:54.208 - DEBUG [BRENT.script-test:-2] - Inbound message issuer: https://www.test.middleware.georgetown.edu/shibboleth
17:51:54.211 - DEBUG [BRENT.script-test:-2] - Peer entityID: https://www.test.middleware.georgetown.edu/shibboleth
17:51:54.212 - DEBUG [BRENT.script-test:-2] - Inbound message transport: org.opensaml.ws.transport.http.HttpServletRequestAdapter@4eae78e5
17:51:54.212 - DEBUG [BRENT.script-test:-2] - Inbound transport peer address: 10.212.128.228
>
> try {
> var ipAddress = requestContext.getInboundMessageTransport().getPeerAddress();
> } catch (err) {
> var ipAddress = 'unavailable'
> logger.warn(pre + err);
> }
> logger.debug(pre + "ipAddress = " + ipAddress);
>
>
Off-hand I don't spot any typos etc there, but I'd double-check what you
actually have in the script.
>
>
> Any suggestions?
>
Nothing other than just checking for typos, making sure you've restarted
after making all changes, etc. I don't think that the
inboundMessageTransport property on the context can ever be null.
That's fundamentally how the HttpServletRequest is accessed and
processed. So I think you have something else amiss here. Maybe try
copy/pasting my above logging code directly, and see what results you get.
I suppose it could be some sort of weird scripting bug we haven't
encountered yet. Actually, I note you said you're using OpenJDK
1.7.0.75. We have had reports of various weird bugs that went away when
OpenJDK was switched out for Oracle JDK, etc. So I guess you might try
that.
--Brent
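
An added example, not part of the original message and not Shibboleth's own code: the on/off-campus check the thread is working toward, written so that a missing transport or peer address yields "unknown" instead of an exception. The CIDR ranges, the function names and the stub context are assumptions made for illustration; only getInboundMessageTransport() and getPeerAddress() come from the thread.

```javascript
// Hypothetical campus ranges, constructed for this example.
var CAMPUS_CIDRS = ["10.212.0.0/16", "192.0.2.0/24"];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside the cidr block; malformed input never matches.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var addr = ipv4ToInt(ip), base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  if (addr === null || base === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  var size = Math.pow(2, 32 - bits); // number of addresses in the block
  return Math.floor(addr / size) === Math.floor(base / size);
}

// Returns "on-campus", "off-campus", or "unknown" (no transport, no address, or not IPv4).
function classifyPeer(requestContext) {
  var transport = requestContext.getInboundMessageTransport();
  if (transport === null || transport === undefined) return "unknown";
  var peer = transport.getPeerAddress();
  if (peer === null || peer === undefined || ipv4ToInt(peer) === null) return "unknown";
  for (var i = 0; i < CAMPUS_CIDRS.length; i++) {
    if (inCidr(peer, CAMPUS_CIDRS[i])) return "on-campus";
  }
  return "off-campus";
}

// Constructed stand-in for the IdP's requestContext, so the logic runs outside the IdP.
function stubContext(peer, noTransport) {
  return {
    getInboundMessageTransport: function () {
      return noTransport ? null : { getPeerAddress: function () { return peer; } };
    }
  };
}
```

Treating "unknown" the same as "off-campus" keeps the attribute from granting on-campus status when the address cannot be read. Behind a reverse proxy or load balancer the peer address is that device's address, so the ranges have to be chosen with that in mind.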