
shibboleth-dev - Re: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 08:13:18 -0400
  • Organization: UIS - Project Sentinel

Tom Scavo wrote:
>>For now though, the goal is just to get a standalone Tomcat server to
>>behave like an Apache/Tomcat setup.
>
>
> But as you said, mucking with the container is non-portable. Could
> you write a filter that sits in front of the IdP and does the same
> thing to the request that Apache is doing now (whatever that is)?

Nope, because it's the container doing the "bad" thing, namely trying to
validate the certificate against its trust store. Since the trust
store doesn't have the cert chain(s) in it (they're in the metadata)
this will fail. Apache allows you to just pass the cert on, presumably
so that your code can take care of the checking. Since the invocation
of a filter would happen after Tomcat did the initial request processing
the filter would never fire because the request wouldn't get to it.
--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
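
Added example, not part of the original message and not Shibboleth's code: a Java sketch of the split discussed in this thread, where the TLS layer passes the client certificate through unvalidated and application code checks it against certificates taken from metadata. The class names, the SHA-256 fingerprint set, and the leaf-only comparison are assumptions made for illustration; it assumes Java 17 or later.

```java
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** Hypothetical names throughout: defer client-cert checks from the TLS layer to the application. */
public final class DeferredClientCertCheck {

    /** Handshake side: accept any client certificate so the request reaches application code. */
    public static final class DeferringTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Deliberately no PKIX validation here. This is only safe if
            // MetadataVerifier.isTrusted() runs on every request path behind this connector.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Inbound client authentication only; refuse to be used for outbound connections.
            throw new CertificateException("server validation not supported by this manager");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // advertise no CA names to the client
        }
    }

    /** Application side: the presented leaf certificate must be one listed in metadata. */
    public static final class MetadataVerifier {
        // Assumption: lowercase hex SHA-256 digests of the DER certificates found in metadata.
        private final Set<String> metadataCertDigests;

        public MetadataVerifier(Set<String> metadataCertDigests) {
            this.metadataCertDigests = Set.copyOf(metadataCertDigests);
        }

        public boolean isTrusted(X509Certificate[] chain) throws Exception {
            if (chain == null || chain.length == 0) {
                return false; // no client certificate presented: reject
            }
            chain[0].checkValidity(); // throws if expired or not yet valid
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            return metadataCertDigests.contains(HexFormat.of().formatHex(digest));
        }
    }
}
```

In a servlet the chain is read from the `javax.servlet.request.X509Certificate` request attribute; installing a custom trust manager in the container's connector is container-specific and is not shown here.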


