
shibboleth-dev - RE: Attribute presention API

Subject: Shibboleth Developers

  • From: "Scott Cantor"
  • To: "'Howard Gilbert'"
  • Subject: RE: Attribute presention API
  • Date: Fri, 13 Aug 2004 20:56:14 -0400
  • Organization: The Ohio State University

> A Servlet Filter can't add headers to the Request object it gets, but what
> it can do is generate a RequestWrapper object that wraps the original
> request and intercepts particular calls, such as the ones that return HTTP
> Headers, to return artificial "headers" you create.

Interesting. That seems like a strange limitation, but I guess the end
result is the same.

> I have to be skeptical about an endorsement of Headers from someone who
> works with ISAPI and Apache mod-xxx code where, because headers are in
> HTTP, they are about the only plausible choice available on bare
> Web servers.

I turn it around...what does a "getAttribute()" API provide that this
approach doesn't? Custom APIs should provide value over and above portable
ones, or they lose on all counts, IMHO.

> It's something like a database administrator who says, "Have you
> considered tables?" That said, I have to agree that there is nothing
> better in a current or proposed standard. So I will map a header where
> there is a Header attribute in the AAP, and maybe I will create some
> dictionary for those who like to look up attributes with the raw URN, or
> where the Header attribute is missing for the attribute.

That's not unreasonable, certainly. The real theory behind the header
approach is that I'm used to using a Web-ISO that already maps attributes to
headers. Allowing custom mapping of attributes allows me to emulate that
interface as I need to. I could certainly have (and maybe should) do some
kind of "default" export if there's no header specified, and just transform
the URI somehow into an HTTP header name.

> Of course what we really want is to be able to apply XACML or something to
> the attributes, but that is for sometime in the future.

You may note that the exportAssertion option isn't able to export more than
one assertion in my code, which is something that needs to be dealt with at
some point. I'm not sure there's a great answer, short of something simple,
like exporting a count, and then headers like "Shib-Attributes-1", etc.

-- Scott
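
The request-wrapper approach discussed in this thread, as an added example that is not part of the original message or of Shibboleth's code: a wrapper that presents attributes as headers, using the mapped header name where one exists and a derived name otherwise. The class name, the "Shib-" prefix, the URI-to-name rule and the Servlet 3.0+ `javax.servlet` API are assumptions.

```java
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper; a Filter would pass it on via chain.doFilter(wrapped, response).
public class AttributeHeaderRequest extends HttpServletRequestWrapper {
    private final Map<String, List<String>> injected = new LinkedHashMap<>();
    // Names this wrapper answers for; never served from the client's own request.
    private final Set<String> owned = new HashSet<>();

    // attributes: attribute URI -> values; headerMap: attribute URI -> configured header name
    public AttributeHeaderRequest(HttpServletRequest request,
            Map<String, List<String>> attributes, Map<String, String> headerMap) {
        super(request);
        for (String h : headerMap.values()) owned.add(key(h));
        for (Map.Entry<String, List<String>> e : attributes.entrySet()) {
            String name = headerMap.get(e.getKey());
            if (name == null) name = defaultHeaderName(e.getKey());
            owned.add(key(name));
            injected.put(key(name), new ArrayList<>(e.getValue()));
        }
    }
    // Assumed default for unmapped attributes: "Shib-" + URI, non-alphanumeric runs as '-'.
    static String defaultHeaderName(String uri) {
        return "Shib-" + uri.replaceAll("[^A-Za-z0-9]+", "-").replaceAll("^-|-$", "");
    }
    // HTTP header names are case-insensitive, so compare them lower-cased.
    private static String key(String name) { return name.toLowerCase(Locale.ROOT); }

    // null = not ours, defer to the real request; empty list = ours, nothing to present
    private List<String> ownedValues(String name) {
        String k = key(name);
        return owned.contains(k) ? injected.getOrDefault(k, Collections.<String>emptyList()) : null;
    }
    @Override public String getHeader(String name) {
        List<String> v = ownedValues(name);
        if (v == null) return super.getHeader(name);
        return v.isEmpty() ? null : v.get(0);   // servlet contract: first value
    }
    @Override public Enumeration<String> getHeaders(String name) {
        List<String> v = ownedValues(name);
        return v == null ? super.getHeaders(name) : Collections.enumeration(v);
    }
    @Override public Enumeration<String> getHeaderNames() {
        Set<String> names = new LinkedHashSet<>(injected.keySet());
        Enumeration<String> real = super.getHeaderNames();   // may be null in some containers
        while (real != null && real.hasMoreElements()) {
            String n = real.nextElement();
            if (!owned.contains(key(n))) names.add(n);
        }
        return Collections.enumeration(names);
    }
}
```

`getIntHeader` and `getDateHeader` in `HttpServletRequestWrapper` delegate straight to the wrapped request, so they need the same override if applications read owned names through them.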



