I have encountered a weird problem when working with Shibboleth authentication running on Apache with Tomcat 7 running on the back end. Apache sends everything through mod_proxy_ajp, and so it does with the parameters from Shibboleth.

In the documentation it is explicitly stated that AJP sends only attributes with prefix attributePrefix="AJP_" and that a developer should not take shortcuts and enable sending auth attributes through HTTP headers: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking

I try to retrieve attributes using

HttpServletRequest req = (HttpServletRequest) FacesContext.getCurrentInstance()
                         .getExternalContext().getRequest();

Enumeration<String> e = req.getAttributeNames();

But no matter what I try, no Shibboleth attributes ever show up.

The Guy with The Hat
David Polák

1 Answer

After two hours of trying to find out what I was doing wrong, I tried to retrieve the attribute by name using:

req.getAttribute("uid");

And for some reason that works, even though "uid" isn't listed in getAttributeNames().

It smells like a bug, or mistimed communication somewhere between AJP and Spring or JSF...

David Polák
  • Actually using req.getAttribute("uid") is documented at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-Tool-SpecificExamples for Java. - Also this is interesting https://stackoverflow.com/questions/38974233/shibboleth-sp-reading-assertion-attributes-from-java – JacquesLeRoux Sep 12 '17 at 07:30
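An added example, not code from the posts above or from the Shibboleth project: a small helper that follows the answer's finding by looking up each expected attribute by name with `getAttribute` instead of enumerating names, and that never reads HTTP headers, in line with the spoof-checking guidance linked in the question. The class name `ShibAttributes` and the attribute ids other than `uid` are assumptions; the value splitting assumes the Shibboleth SP convention of joining multiple values with `;` and escaping a literal semicolon as `\;`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

/** Added example (hypothetical helper, not from the post or the Shibboleth project). */
public final class ShibAttributes {

    // Assumption: the attribute ids the application expects; only "uid" appears on this page.
    private static final String[] EXPECTED = { "uid", "mail", "eppn" };

    private ShibAttributes() { }

    /** Looks up each expected attribute by name; never consults HTTP headers. */
    public static Map<String, List<String>> read(HttpServletRequest req) {
        Map<String, List<String>> out = new LinkedHashMap<String, List<String>>();
        for (String name : EXPECTED) {
            Object raw = req.getAttribute(name);   // by-name lookup, as in the answer
            if (raw instanceof String && !((String) raw).isEmpty()) {
                out.put(name, splitValues((String) raw));
            }
        }
        return Collections.unmodifiableMap(out);
    }

    /** Splits a multi-valued attribute on ';', treating "\;" as a literal semicolon. */
    static List<String> splitValues(String raw) {
        List<String> values = new ArrayList<String>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';');
                i++;                                // skip the escaped semicolon
            } else if (c == ';') {
                values.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        values.add(cur.toString());
        return values;
    }
}
```

An attribute that is absent or empty is simply left out of the returned map, so callers can treat a missing `uid` as "no authenticated identity" rather than falling back to a header value.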