shibboleth-dev - Re: Tomcat and certificate validation for SSL
Shibboleth Developers list archive
- From: Chad La Joie
- Subject: Re: Tomcat and certificate validation for SSL
- Date: Tue, 14 Jun 2005 07:52:19 -0400
- Organization: UIS - Project Sentinel
Scott Cantor wrote:
>> It wouldn't be a virtual host, it would just be a different Tomcat
>> Connector. One with the config to pass everything to the IdP and
>> one with some other config you'd want. Virtual hosts are
>> configured independently of the connectors.
>
>
> Ah, right. Boo. Somebody should explain to them why that's not
> correct.
Yeah, it'd be nice if it worked something like Apache. You could define
connectors either at a global level, and every host used them, or define
them within a host, and only that host used it.
>> Unfortunately this leads to some odd behavior. Assume I define
>> connector443 to handle normal SSL requests (perhaps with standard
>> client-cert auth) and then define connector8443 to handle requests
>> in the special manner we're talking about. Now I define VHost1 and
>> VHost2. Both hosts end up taking requests from both connectors
>> (ports). This obviously has some pretty steep security
>> implications.
>
>
> Yeah. Well, I guess I'm not the best person to be driving this, but
> it seems like even if this was something you couldn't use with client
> authentication, it wouldn't be useless as a starting point.
I don't disagree, and I wasn't necessarily looking for you to drive it.
I just wanted to get a possible security risk out and on the table for
discussion.
>
> We could also maybe have the custom connector export some additional
> data into the pipeline that would signal the code running behind the
> vhost what it did.
The problem with this approach is that while our code would know to look
for this data, other code would not. I'll investigate this stuff
further, and will probably ping the tomcat list with some questions when
I know a bit more.
--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
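The layout Chad describes, written out as two alternative Tomcat server.xml files. This is an added example, not configuration from the thread or from the Shibboleth project. File (a) is the single-Service layout from the message: every Connector in a Service feeds that Service's one Engine, so both Hosts answer on both ports. File (b) is the isolation that Tomcat does support: a separate Service per Connector, each with its own Engine and Host, so a request on 8443 can only reach the Host in the second Engine. Host names, ports, keystore paths and passwords are placeholders; the `SSLEnabled` attribute assumes Tomcat 6.0 or later (5.x used `scheme`/`secure` alone).

```xml
<!-- (a) One Service: both Connectors feed the same Engine, so vhost1 AND
     vhost2 accept requests on 443 (client cert required) and on 8443
     (the special-purpose connector). This is the problematic layout. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Ordinary HTTPS with mandatory client-certificate authentication -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="true"
               keystoreFile="conf/server.jks" keystorePass="changeit"
               truststoreFile="conf/trusted-cas.jks" truststorePass="changeit"/>
    <!-- Connector with the relaxed/custom certificate handling -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="want"
               keystoreFile="conf/server.jks" keystorePass="changeit"/>
    <Engine name="Catalina" defaultHost="vhost1.example.org">
      <Host name="vhost1.example.org" appBase="webapps-vhost1"/>
      <Host name="vhost2.example.org" appBase="webapps-vhost2"/>
    </Engine>
  </Service>
</Server>

<!-- (b) Two Services: each Connector has its own Engine and Host, so the
     8443 connector can only ever deliver requests to vhost2, and vhost1
     only ever sees traffic that passed the strict client-cert check on 443.
     Engine names must differ between Services (they are used for JMX names). -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="true"
               keystoreFile="conf/server.jks" keystorePass="changeit"
               truststoreFile="conf/trusted-cas.jks" truststorePass="changeit"/>
    <Engine name="Catalina" defaultHost="vhost1.example.org">
      <Host name="vhost1.example.org" appBase="webapps-vhost1"/>
    </Engine>
  </Service>

  <Service name="Catalina-8443">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="want"
               keystoreFile="conf/server.jks" keystorePass="changeit"/>
    <Engine name="Catalina-8443" defaultHost="vhost2.example.org">
      <Host name="vhost2.example.org" appBase="webapps-vhost2"/>
    </Engine>
  </Service>
</Server>
```

The cost of layout (b) is that the two Engines share nothing: webapps are deployed per Host, so an application that must be reachable on both ports has to be deployed twice. The benefit is that the isolation is enforced by Tomcat's own routing rather than by every webapp remembering to check which connector a request arrived on (for example via `request.getLocalPort()`), which is exactly the "other code would not know to look" problem raised in the message.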