getInboundMessageTransport always returns a null value

Mark McCoy Mark.McCoy at
Wed May 27 13:00:18 EDT 2015

I’ll try switching to Oracle’s JDK instead of OpenJDK and let everyone know if I see a difference.


From: users on behalf of Brent Putman
Reply-To: Shib Users
Date: Tuesday, May 26, 2015 at 5:06 PM
To: "users at"
Subject: Re: getInboundMessageTransport always returns a null value

On 5/26/15 11:49 AM, Mark McCoy wrote:
We are trying to add a check on the user’s IP address to determine whether or not the user is coming from on or off campus.

In a scripted attribute, I’ve tried to use the following calls to get the user’s IP address.

For the record, on what type of SAML request flow do you see it not working correctly:  SAML 1 vs 2?  Front-channel vs back-channel attribute query?  Everything?

Every call results in the getInboundMessageTransport() returning a null value, which obviously causes the getPeerAddress() call to fail. Other calls to methods contained within the requestContext succeed (example, the getEntityId() call works fine).

Well, I tested the basic SAML 2 front-channel authN request flow case, and it worked ok for me.  I just did some logging of various bits:


logger = LoggerFactory.getLogger("BRENT.script-test");

logger.debug("Inbound message issuer: {}", requestContext.getInboundMessageIssuer());
logger.debug("Peer entityID: {}", requestContext.getPeerEntityId());
logger.debug("Inbound message transport: {}", requestContext.getInboundMessageTransport());
logger.debug("Inbound transport peer address: {}", requestContext.getInboundMessageTransport().getPeerAddress());

The inbound transport was as expected an instance of the servlet request adapter, and the peerAddress was available:

17:51:54.208 - DEBUG [BRENT.script-test:-2] - Inbound message issuer:
17:51:54.211 - DEBUG [BRENT.script-test:-2] - Peer entityID:
17:51:54.212 - DEBUG [BRENT.script-test:-2] - Inbound message transport: at 4eae78e5
17:51:54.212 - DEBUG [BRENT.script-test:-2] - Inbound transport peer address:

try {
   var ipAddress = requestContext.getInboundMessageTransport().getPeerAddress();
} catch (err) {
   // Fall back to a marker value when the transport or peer address cannot be read
   var ipAddress = 'unavailable';
   logger.warn(pre + err);
}
logger.debug(pre + "ipAddress = " + ipAddress);

Off-hand I don't spot any typos etc there, but I'd double-check what you actually have in the script.

Any suggestions?

Nothing other than just checking for typos, making sure you've restarted after making all changes, etc.   I don't think that the inboundMessageTransport property on the context can ever be null.  That's fundamentally how the HttpServletRequest is accessed and processed.  So I think you have something else amiss here.  Maybe try copy/pasting my above logging code directly, and see what results you get.

I suppose it could be some sort of weird scripting bug we haven't encountered yet. Actually, I note you said you're using OpenJDK. We have had reports of various weird bugs that went away when OpenJDK was switched out for Oracle JDK, etc. So I guess you might try that.
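
The check this thread is working toward, as an added example that is not part of the original messages or of Shibboleth's own code: a null-safe read of the peer address followed by an on/off-campus decision that treats a missing or unparsable address as off campus. Only getInboundMessageTransport() and getPeerAddress() come from the thread; the CIDR ranges, the function names and the fakeContext stand-in are assumptions, and only IPv4 is handled.

```javascript
// Hypothetical campus ranges (constructed, RFC 5737 documentation networks).
var CAMPUS_CIDRS = ["192.0.2.0/24", "198.51.100.128/25"];

// Dotted-quad IPv4 string -> unsigned integer, or null if not valid IPv4.
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;          // arithmetic avoids signed 32-bit bit ops
  }
  return n;
}

// True when ip falls inside cidr ("a.b.c.d/nn"); malformed input never matches.
function inCidr(ip, cidr) {
  var parts = String(cidr).split("/");
  if (parts.length !== 2 || !/^\d{1,2}$/.test(parts[1])) return false;
  var bits = Number(parts[1]);
  var ipInt = ipv4ToInt(ip), baseInt = ipv4ToInt(parts[0]);
  if (ipInt === null || baseInt === null || bits > 32) return false;
  var size = Math.pow(2, 32 - bits);   // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Null-safe form of the lookup from the thread: no exception on a null transport.
function peerAddress(requestContext) {
  var transport = requestContext.getInboundMessageTransport();
  if (transport === null || transport === undefined) return null;
  var addr = transport.getPeerAddress();
  return (addr === null || addr === undefined) ? null : String(addr);
}

// "on-campus" only on a positive match; everything else is "off-campus".
function classifyLocation(requestContext) {
  var ip = peerAddress(requestContext);
  if (ip === null) return "off-campus";
  for (var i = 0; i < CAMPUS_CIDRS.length; i++) {
    if (inCidr(ip, CAMPUS_CIDRS[i])) return "on-campus";
  }
  return "off-campus";
}

// Constructed stand-in for the IdP's requestContext (hypothetical, for testing).
function fakeContext(ip) {
  return { getInboundMessageTransport: function () {
    return ip === null ? null : { getPeerAddress: function () { return ip; } };
  } };
}
```

When the IdP sits behind a reverse proxy or load balancer, the peer address is that of the last hop, so the ranges have to be chosen with that in mind.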

