
shibboleth-dev - Re: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers


Re: Tomcat and certificate validation for SSL


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Tomcat and certificate validation for SSL
  • Date: Mon, 13 Jun 2005 20:59:39 -0400
  • Organization: UIS - Project Sentinel



Scott Cantor wrote:
> > Here's my question though, if we just pass the client-cert auth employing request on, with the SSL info in the appropriate headers, for the IdP to verify are we weakening the security that people expect from the client-cert authentication? Also, are the headers that we're placing this data in defined in a standard (HTTPS standard perhaps)?
>
> The J2EE spec defines a request parameter where the certificate ends up.
> It's not actually a header, in the normal sense. I have no idea how to
> inject that, but presumably we'd be able to let Tomcat do that as usual.
>
> As far as security, well, I would imagine you're right (though how many
> people are we talking about?), but then again, couldn't we set things up so
> that one vhost did this and another didn't?

It wouldn't be a virtual host, it would just be a different Tomcat Connector. One with the config to pass everything to the IdP and one with some other config you'd want. Virtual hosts are configured independently of the connectors.

Unfortunately this leads to some odd behavior. Assume I define connector443 to handle normal SSL requests (perhaps with standard client-cert auth) and then define connector8443 to handle requests in the special manner we're talking about. Now I define VHost1 and VHost2. Both hosts end up taking requests from both connectors (ports). This obviously has some pretty steep security implications.

--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
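The cross-talk Chad describes comes from Tomcat's container model: every Connector inside one Service feeds the same Engine, so every Host under that Engine is reachable through every Connector. The server.xml fragment below is an added example, not configuration from the thread or from the Shibboleth project; it shows the isolation that a single Service cannot give by putting each Connector in its own Service with its own Engine and Host. Attribute names follow the Tomcat 5.5 connector syntax of the period; the hostnames, appBase directories, keystore paths and passwords are placeholders.

```xml
<!-- Added example (assumed Tomcat 5.5-style attributes, placeholder names/paths). -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Service 1: the "normal" SSL connector on 443.  Tomcat itself verifies
       the client certificate against trusted-cas.jks (clientAuth="true"), and
       the verified chain is exposed to webapps only via the servlet request
       attribute javax.servlet.request.X509Certificate, never via a header. -->
  <Service name="strict-ssl">
    <Connector port="443" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="true"
               keystoreFile="conf/server.jks"       keystorePass="CHANGE_ME"
               truststoreFile="conf/trusted-cas.jks" truststorePass="CHANGE_ME"/>
    <!-- Only VHost1 lives here, so it can be reached on 443 and nowhere else. -->
    <Engine name="strict-engine" defaultHost="vhost1.example.org">
      <Host name="vhost1.example.org" appBase="webapps-vhost1" unpackWARs="true"/>
    </Engine>
  </Service>

  <!-- Service 2: the 8443 connector with the "special" handling for the IdP.
       clientAuth="want" asks for a certificate but lets the request through
       without one so the IdP can decide what to do with whatever arrived. -->
  <Service name="idp-passthrough">
    <Connector port="8443" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="want"
               keystoreFile="conf/server.jks"       keystorePass="CHANGE_ME"
               truststoreFile="conf/trusted-cas.jks" truststorePass="CHANGE_ME"/>
    <!-- Only VHost2 lives here; a request on 443 can never land in this Host
         because the 443 Connector belongs to a different Service/Engine. -->
    <Engine name="idp-engine" defaultHost="vhost2.example.org">
      <Host name="vhost2.example.org" appBase="webapps-vhost2" unpackWARs="true"/>
    </Engine>
  </Service>

</Server>
```

Had both Connectors been placed under a single Service with both Hosts under its one Engine, a request to vhost2 arriving on port 443 would have been served with the strict connector's semantics and a request to vhost1 on 8443 with the relaxed ones, which is exactly the mixing Chad warns about. Splitting the Services costs a second Engine but removes the ambiguity at the container level, so a webapp does not have to inspect the local port itself before trusting certificate data.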



