mace-opensaml-users - Re: [OpenSAML] SAML and load balancing

Subject: OpenSAML user discussion

  • From: Scott Cantor <>
  • To:
  • Subject: Re: [OpenSAML] SAML and load balancing
  • Date: Sun, 28 Sep 2008 10:48:24 -0400

What we did is wrap the servlet request in a custom servlet request subclass. This subclass is identical to the original servlet request, except it allows for a configurable host name. An ugly hack for something that will occur in a lot of production environments (Load balancers, SSL offloaders, application firewalls).

The hack is not relying on the container to supply the "logical" endpoint information. If you can't trust the servlet container, then no application running behind it can generate redirects to itself without using a bunch of similar hacks.

If your container doesn't support virtual hosting (overriding the physical scheme/host/port), your container is broken. AFAIK, Tomcat supports that, and I would imagine most commercial containers do.

So, yes, your hack isn't a good solution. The library should be relying on the container, and so should your applications.

-- Scott
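
The container-level override mentioned in the message, sketched for Tomcat's `conf/server.xml`. This is an added example, not part of the original message or of OpenSAML; the host name `sp.example.org` and the port numbers are placeholders.

```xml
<!-- Before: connector sitting behind an SSL-offloading load balancer with no
     logical endpoint configured. request.getScheme(), getServerName() and
     getServerPort() report the physical listener (http, the internal host,
     8080), so redirects the application builds to itself and SAML endpoint
     comparisons use values the client never saw. -->
<!--
<Connector port="8080" protocol="HTTP/1.1" />
-->

<!-- After: the connector declares the logical scheme/host/port that clients
     use at the load balancer. Applications and libraries then read the
     correct values from the standard servlet request API, with no request
     wrapper needed. -->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="sp.example.org"
           proxyPort="443"
           scheme="https"
           secure="true" />
```

Because `secure="true"` makes every request on this connector report `isSecure()` as true, the port should be reachable only from the load balancer.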


