
shibboleth-dev - Re: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers


Re: Tomcat and certificate validation for SSL


  • From: Chad La Joie <>
  • To:
  • Subject: Re: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 08:48:10 -0400
  • Organization: UIS - Project Sentinel



Tom Scavo wrote:
> On 6/14/05, Chad La Joie
> <>
> wrote:
>
>>Tom Scavo wrote:
>>
>>>>For now though, the goal is just to get a standalone Tomcat server to
>>>>behave like an Apache/Tomcat setup.
>>>
>>>But as you said, mucking with the container is non-portable. Could
>>>you write a filter that sits in front of the IdP and does the same
>>>thing to the request that apache is doing now (whatever that is)?
>>
>>Nope, because it's the container doing the "bad" thing, namely trying to
>>validate the certificate against its trust store. Since the trust
>>store doesn't have the cert chain(s) in them (they're in the metadata)
>>this will fail. Apache allows you to just pass the cert on, presumably
>>so that your code can take care of the checking. Since the invocation
>>of a filter would happen after Tomcat did the initial request processing
>>the filter would never fire because the request wouldn't get to it.
>
>
> Can't you simply configure the AA endpoint to *not* do client authn
> (clientAuth="false")?

Then you don't have the client certificate to do any validation against.
That said I don't know if you can or not. I'll defer that to Walter
who knows way more about the validation code than I do (since I know
next to nothing about it).

--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
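For reference, the Apache-side behaviour the thread contrasts with Tomcat's: mod_ssl can request a client certificate, skip chain validation against its own CA list, and hand the raw certificate to the backend so application code can check it against the trust anchors it actually holds (here, the ones in metadata). This is an added illustration, not configuration from the original message or the Shibboleth project; the port, hostname and AJP target are placeholders.

```apache
# Added example: request a client cert but let the application validate it.
<VirtualHost *:8443>
    ServerName aa.example.org          # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/aa.crt   # placeholder paths
    SSLCertificateKeyFile /etc/ssl/aa.key

    # Ask the client for a certificate. "optional_no_ca" accepts the
    # handshake even when the presented chain does not terminate in one of
    # Apache's configured CAs, which is what a container doing strict
    # trust-store validation (Tomcat clientAuth="true") refuses to do.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10

    # Export the PEM-encoded client certificate into the request environment
    # (SSL_CLIENT_CERT) so the backend sees it; mod_jk/mod_proxy_ajp forward
    # that environment over AJP, and the application performs the real check.
    SSLOptions +ExportCertData +StdEnvVars

    ProxyPass        /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
    ProxyPassReverse /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
</VirtualHost>
```

Note that "optional_no_ca" shifts the whole burden of validation to the application: if nothing behind the proxy checks the chain, the endpoint is effectively unauthenticated. Tomcat's own connector attribute takes `true`, `want` or `false`, and with `want` the JSSE trust manager still rejects a certificate that does not chain to its trust store, so it is not an equivalent of `optional_no_ca`.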



