
shibboleth-dev - RE: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Chad La Joie'" <>, <>
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Mon, 13 Jun 2005 21:28:36 -0400
  • Organization: The Ohio State University

> It wouldn't be a virtual host, it would just be a different Tomcat
> Connector. One with the config to pass everything to the IdP and one
> with some other config you'd want. Virtual hosts are configured
> independently of the connectors.

Ah, right. Boo. Somebody should explain to them why that's not correct.

> Unfortunately this leads to some odd behavior. Assume I define
> connector443 to handle normal SSL requests (perhaps with standard
> client-cert auth) and then define connector8443 to handle requests in the
> special manner we're talking about. Now I define VHost1 and VHost2.
> Both hosts end up taking requests from both connectors (ports). This
> obviously has some pretty steep security implications.

Yeah. Well, I guess I'm not the best person to be driving this, but it seems
like even if this was something you couldn't use with client authentication,
it wouldn't be useless as a starting point.

We could also maybe have the custom connector export some additional data
into the pipeline that would signal the code running behind the vhost what
it did.

-- Scott
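
An audit sketch for the connector and virtual host sharing discussed in this thread, added here as an example and not part of the original message or of Shibboleth or Tomcat code. It lists which hosts each connector in a `server.xml` feeds and flags hosts reachable under differing `clientAuth` settings; the host names, `appBase` values, `clientAuth` values and function names are assumptions, and the split-Service layout is one possible arrangement rather than something proposed in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml: ports follow the thread; host names, appBase and
# clientAuth values are assumptions made for this example.
SHARED = """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" clientAuth="true"/>
  <Connector port="8443" scheme="https" secure="true" clientAuth="want"/>
  <Engine name="Catalina" defaultHost="vhost1.example.org">
    <Host name="vhost1.example.org" appBase="webapps-idp"/>
    <Host name="vhost2.example.org" appBase="webapps-other"/>
  </Engine>
</Service></Server>"""

# Constructed alternative: one Service per connector, so each Engine (and its
# Host) only receives traffic from the connector declared beside it.
SPLIT = """<Server>
  <Service name="Standard">
    <Connector port="443" scheme="https" secure="true" clientAuth="true"/>
    <Engine name="Standard" defaultHost="vhost2.example.org">
      <Host name="vhost2.example.org" appBase="webapps-other"/></Engine>
  </Service>
  <Service name="IdP">
    <Connector port="8443" scheme="https" secure="true" clientAuth="want"/>
    <Engine name="IdP" defaultHost="vhost1.example.org">
      <Host name="vhost1.example.org" appBase="webapps-idp"/></Engine>
  </Service>
</Server>"""

def connector_host_matrix(server_xml):
    """Every (service, host, port, clientAuth) pairing Tomcat will serve."""
    rows = []
    for service in ET.fromstring(server_xml).iter("Service"):
        for host in service.findall("Engine/Host"):
            for conn in service.findall("Connector"):
                rows.append((service.get("name"), host.get("name"),
                             conn.get("port"), conn.get("clientAuth", "false")))
    return rows

def mixed_policy_hosts(server_xml):
    """Hosts reachable through connectors with differing clientAuth settings."""
    seen = {}
    for service, host, _port, auth in connector_host_matrix(server_xml):
        seen.setdefault((service, host), set()).add(auth)
    return sorted(host for (_, host), auths in seen.items() if len(auths) > 1)

if __name__ == "__main__":
    print("shared:", mixed_policy_hosts(SHARED))
    print("split: ", mixed_policy_hosts(SPLIT))
```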



