shibboleth-dev - RE: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Cc: <>
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 17:44:52 -0400
  • Organization: The Ohio State University

> Hands up, I agree it'd be a tad slower! But what you gain is container
> independence, i.e. not having to tie shibb to Tomcat. Jetty is quite common
> out there and people swear it's faster than Tomcat.

Don't other containers support Apache? I guarantee it's faster than either
of them. Which I guess argues for your point, not mine. If you care about
performance, you're probably not interested in this scenario anyway.

So that just leaves the replay code and fitting a more complete framework
for varying the authentication layer into the codebase, care to write it?
;-)

> I just think that modifying the container will raise the barrier to entry
> for shibboleth. Raising the validation up to the message level might be
> more work for developers but at the end of the day, it's the
> users that count.

We don't require modifying the container unless you don't want to use
Apache. I think that point is being forgotten repeatedly.

> The higher the validation goes in the stack, the lower the barrier to
> entry for shibb adopters and the lower the blood pressure all round :)

If you think signing will lower anybody's blood pressure, you should do more
of it and allow yourself to be disabused of that notion.

-- Scott



