mace-opensaml-users - Re: [OpenSAML] SAML and load balancing

Subject: OpenSAML user discussion


Re: [OpenSAML] SAML and load balancing

  • From: Dieter Houthooft <>
  • Subject: Re: [OpenSAML] SAML and load balancing
  • Date: Sun, 28 Sep 2008 18:58:28 +0200


On 28 Sep 2008, at 16:48, Scott Cantor wrote:

>> What we did is wrap the servlet request in a custom servlet request subclass. This subclass is identical to the original servlet request, except it allows for a configurable host name. An ugly hack for something that will occur in a lot of production environments (Load balancers, SSL offloaders, application firewalls).
>
> The hack is not relying on the container to supply the "logical" endpoint information. If you can't trust the servlet container, then no application running behind it can generate redirects to itself without using a bunch of similar hacks.

Redirects are translated by reverse proxies, at least in every reverse proxy setup I encountered so far. (But I'm still young :-)

> If your container doesn't support virtual hosting (overriding the physical scheme/host/port), your container is broken. AFAIK, Tomcat supports that, and I would imagine most commercial containers do.

I'm not sure you can change the scheme and port number. A quick look at the Tomcat doc for the Host element does not show an attribute to configure scheme or port number.

> So, yes, your hack isn't a good solution. The library should be relying on the container, and so should your applications.


That assumption does not hold in all environments (imho). As we want our application to run in as many environments (good and badly designed ones) without fighting our way through the network and system operations departments, we need to be able to configure parameters like SAML target from within the application. I believe this to be a genuine use case.

If you don't share the same vision, no problem, no hard feelings. Hey, this is open source so I'm not expecting anything and we have a workaround. So until our visions align one day, we'll keep hacking :-) Thanks for the challenge.

cheers,
Dieter.
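The request-wrapper hack discussed in this thread, as an added illustration that is not the poster's code and not part of OpenSAML: a servlet filter wraps every request in an HttpServletRequestWrapper that reports a deployment-configured scheme, host and port instead of the physical values the container sees, so that endpoint and redirect URLs derived from the request match the address the load balancer or SSL offloader exposes. The class names, filter init-parameter names and sample values are assumptions for the example. The logical values are read from filter configuration on purpose, not from X-Forwarded-Host or similar request headers, because a client can supply those headers unless the proxy in front is known to strip them.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical filter (example code, not from the list or from OpenSAML).
 * Configure in web.xml with init-params "logicalScheme", "logicalHost" and
 * "logicalPort", e.g. https / sso.example.org / 443 (constructed sample values).
 */
public class LogicalEndpointFilter implements Filter {
    private String scheme;
    private String host;
    private int port;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        scheme = cfg.getInitParameter("logicalScheme");
        host = cfg.getInitParameter("logicalHost");
        if (!"http".equals(scheme) && !"https".equals(scheme) || host == null || host.isEmpty()) {
            throw new ServletException("logicalScheme must be http/https and logicalHost must be set");
        }
        try {
            port = Integer.parseInt(cfg.getInitParameter("logicalPort"));
        } catch (NumberFormatException e) {
            throw new ServletException("logicalPort must be an integer", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Everything downstream (including a SAML library building its
            // endpoint URL from the request) now sees the logical address.
            chain.doFilter(new LogicalEndpointRequest((HttpServletRequest) req, scheme, host, port), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
    }
}

/** Wrapper that overrides only the scheme/host/port-related accessors. */
class LogicalEndpointRequest extends HttpServletRequestWrapper {
    private final String scheme;
    private final String host;
    private final int port;

    LogicalEndpointRequest(HttpServletRequest req, String scheme, String host, int port) {
        super(req);
        this.scheme = scheme;
        this.host = host;
        this.port = port;
    }

    @Override public String getScheme() { return scheme; }
    @Override public String getServerName() { return host; }
    @Override public int getServerPort() { return port; }
    @Override public boolean isSecure() { return "https".equals(scheme); }

    /** Rebuild the URL as the container would, but from the logical values. */
    @Override
    public StringBuffer getRequestURL() {
        StringBuffer url = new StringBuffer(scheme).append("://").append(host);
        boolean defaultPort = ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        if (!defaultPort) {
            url.append(':').append(port);
        }
        // getRequestURI() is delegated to the wrapped request unchanged.
        return url.append(getRequestURI());
    }
}
```

Map the filter in front of the SAML endpoints (or with url-pattern /*) so that any code deriving its own URL from getRequestURL(), getServerName() or getScheme() sees the logical endpoint. A practical check after deploying it is to compare the URL the application reports for its assertion consumer endpoint with the one configured in the partner's metadata; the two must match exactly, scheme and port included, or SAML destination checks will reject otherwise valid messages.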

