Shibboleth Developers

["Howard Gilbert" <>]

The sample SP config file has always contained a RequestMap example where the "admin" subdirectory of "secure" is assigned to a different Application

 

<RequestMap applicationId="default">

  <Host name="sp.example.org">

      <Path name="secure" authType="shibboleth" requireSession="true" exportAssertion="true">

        <!-- a subfolder on the SSL port assigned to a separate <Application> -->

        <Path name="admin" applicationId="foo-admin"/>

      </Path>

  </Host>

</RequestMap>

 

While I am sure this is an interesting example, it has a massive architectural impact on complexity and efficiency. If I could assume that every Web Application context had a single Shib Application element (which makes a lot of sense in Java terms) then the Filter can obtain and cache a lot of parameterization from the Shib Application. This example, however, forces the RM Filter to regard Application affiliation as a feature of the individual request and forces it to refetch the data for each operation.

 

If you want to have another Application (Shib), you should site it in another Web Application (WAR), not in a subdirectory of some existing WAR. Or at least that is a restriction that I would propose to add to the Java SP unless someone would like to defend this RequestMap example as a valuable real world feature.