mace-opensaml-users - Re: [OpenSAML] SAML and load balancing
Subject: OpenSAML user discussion
- From: Scott Cantor
- Subject: Re: [OpenSAML] SAML and load balancing
- Date: Sun, 28 Sep 2008 10:48:24 -0400
> What we did is wrap the servlet request in a custom servlet request subclass. This subclass is identical to the original servlet request, except it allows for a configurable host name. An ugly hack for something that will occur in a lot of production environments (Load balancers, SSL offloaders, application firewalls).
The hack is not relying on the container to supply the "logical" endpoint information. If you can't trust the servlet container, then no application running behind it can generate redirects to itself without using a bunch of similar hacks.
If your container doesn't support virtual hosting (overriding the physical scheme/host/port), your container is broken. AFAIK, Tomcat supports that, and I would imagine most commercial containers do.
So, yes, your hack isn't a good solution. The library should be relying on the container, and so should your applications.
-- Scott
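The container-side override the reply refers to, sketched for Tomcat as an added example that is not part of the original message or of OpenSAML. The host name `sso.example.org`, the ports, and the TLS-offloading load balancer in front of Tomcat are assumptions.

```xml
<!-- server.xml (Tomcat), constructed example. Assumed deployment: a load
     balancer terminates TLS for https://sso.example.org/ (placeholder name)
     and forwards plain HTTP to Tomcat on port 8080.
     The two Connector elements are alternatives; keep only one. -->

<!-- Before: the container reports the physical endpoint. getScheme()
     returns "http", isSecure() returns false and getServerPort() reflects
     the backend hop, so a URL rebuilt from the request does not match the
     endpoint URL that SAML peers actually address. -->
<Connector port="8080" protocol="HTTP/1.1" />

<!-- After: the container is told the logical endpoint, so every
     application and library behind it sees the same public values
     without wrapping the servlet request. -->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="sso.example.org"
           proxyPort="443"
           scheme="https"
           secure="true" />
```

Because these values are fixed in the container configuration rather than taken from forwarded request headers, the backend port should only be reachable from the load balancer.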