OpenSAML user discussion

[Dieter Houthooft <>]

On 28 Sep 2008, at 16:48, Scott Cantor wrote:

> > What we did is wrap the servlet request in a custom servlet request  
> > subclass. This subclass is identical to the original servlet  
> > request, except it allows for a configurable host name. An ugly  
> > hack for something that will occur in a lot of production  
> > environments (Load balancers, SSL offloaders, application firewalls).
>
> The hack is not relying on the container to supply the "logical"  
> endpoint information. If you can't trust the servlet container, then  
> no application running behind it can generate redirects to itself  
> without using a bunch of similar hacks.

Redirects are translated by reverse proxies, at least in every reverse  
proxy setup I encountered so far. (But I'm still young :-)

> If your container doesn't support virtual hosting (overriding the  
> physical scheme/host/port), your container is broken. AFAIK, Tomcat  
> supports that, and I would imagine most commercial containers do.

I'm not sure you can change the scheme and port number. A quick look  
at the Tomcat doc for the Host element does not show an attribute to  
configure scheme or port number.

> So, yes, your hack isn't a good solution. The library should be  
> relying on the container, and so should your applications.


That assumption does not hold in all environments (imho). As we want  
our application to run in as many environments (good and badly  
designed ones) without fighting our way through the network and system  
operations departements, we need to be able to configure parameters  
like SAML target from within the application. I believe this to be  
genuine use case.

If you don't share the same vision, no problem, no hard feelings. Hey  
this is open source so I'm not expecting anything and we have a work  
around. So until our visions align one day, we'll keep hacking :-)  
Thanks for the challenging.

cheers,
Dieter.