Use HTTP verb in Service Provider request mapper
Fabien BERTEAU
fabien.berteau at manomano.com
Thu Oct 21 13:00:55 UTC 2021
All this is precisely the subject of a prototype. It should allow us to
validate these hypotheses.
I know how to use Shibboleth to protect classical server side applications
but I am a newbie about protecting a SPA.
Do you have documentation on how to do that?
Fabien
Fabien Berteau | Security Architect
Bordeaux
fabien.berteau at manomano.com <aurelien.lajoie at manomano.com>
On Thu, 21 Oct 2021 at 14:56, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 10/21/21, 8:51 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com>
> wrote:
>
> > I thought I could avoid ECP in our SPAs by forcing the user to
> > authenticate in order to download the SPA (classic SP initiated
> > browser flow), then by embedding the SP session cookie during each
> > call to a web service based on XMLHTTPRequest (same domain, so the
> > browser should add it?). Am I wrong?
>
> That might work (assuming you change the cookie properties to strip out
> HttpOnly), but only until it times out. Most of the time that falls apart
> later on because of the limitations of those Ajax requests and the error
> handling, but to be clear I didn't realize you meant you were making Ajax
> calls, I assumed it was just a web service.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
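The mechanism the thread discusses (same-origin Ajax calls riding on the SP session cookie, and what happens once that session times out) as an added JavaScript example; this is not code from the thread or from the Shibboleth project. It assumes the SPA and its web services share one origin behind the Shibboleth SP, that the SP's session initiator is reachable at /Shibboleth.sso/Login (deployment-specific), and that /api/profile is a hypothetical endpoint. A same-origin fetch with credentials included sends the SP cookie automatically, so the script never reads the cookie and HttpOnly can stay on; what the script has to handle is the expired-session case, which shows up as a redirect toward the IdP or an HTML login page where JSON was expected, and which cannot be completed inside an XMLHttpRequest/fetch.

```javascript
// Added example, not code from the thread. Assumes an SPA and its web
// services on the same origin, both behind the Shibboleth SP, with the
// SP session initiator at /Shibboleth.sso/Login (deployment-specific).
const SP_LOGIN_URL = "/Shibboleth.sso/Login";

// Interpret a response from a cookie-protected API.
// Returns "ok", "session_expired" or "error".
function classifyResponse(response) {
  // With redirect: "manual", the browser hides a redirect to the IdP
  // behind an "opaqueredirect" response; an explicit 3xx means the same.
  if (response.type === "opaqueredirect") return "session_expired";
  if (response.status >= 300 && response.status < 400) return "session_expired";
  if (response.status === 401) return "session_expired";
  const contentType = response.headers.get("content-type") || "";
  // An HTML page (SP or IdP login/error page) in place of JSON is the usual
  // symptom of a timed-out session on an Ajax call.
  if (response.ok && contentType.includes("text/html")) return "session_expired";
  if (response.ok) return "ok";
  return "error";
}

// Call a same-origin API; the browser attaches the SP session cookie itself.
// fetchImpl is injectable so the logic can be exercised outside a browser.
async function callProtectedApi(url, options = {}, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url, {
    ...options,
    credentials: "same-origin", // send the SP cookie, never read it from script
    redirect: "manual",         // do not chase the IdP redirect inside fetch
    headers: { ...(options.headers || {}), Accept: "application/json" },
  });
  const state = classifyResponse(response);
  if (state === "ok") return { state, data: await response.json() };
  return { state, status: response.status };
}

// Build the SP-initiated login URL; target= is the session initiator's
// return-URL parameter, so the user lands back where the call failed.
function loginUrlFor(returnTo) {
  return `${SP_LOGIN_URL}?target=${encodeURIComponent(returnTo)}`;
}

// Browser usage (hypothetical /api/profile endpoint): an expired session is
// recovered with a full navigation back through the SP, not a retried fetch.
async function loadProfile() {
  const result = await callProtectedApi("/api/profile");
  if (result.state === "session_expired") {
    window.location.assign(loginUrlFor(window.location.href));
    return null;
  }
  if (result.state === "error") throw new Error(`API failed: ${result.status}`);
  return result.data;
}
```

The `redirect: "manual"` setting is the key choice: left at the default, fetch would silently follow the SP's redirect to the IdP and hand the SPA an HTML login page (or a CORS failure) as if it were the API's answer, which is the error-handling trap the reply above refers to.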