Shibboleth Developers

[André Cruz <>]

Scott Cantor wrote:
> No, you would just leave the RequestMap in shibboleth.xml as the master. The
> Apache module hijacks that plugin type to get it to build a version that
> combines commands from different sources.
>
>   
I thought I needed to implement IRequestMapper because without it my
ShibTarget methods are not invoked. Let me try to explain... During the
initialization if I comment this line:

     
//SAMLConfig::getConfig().getPlugMgr().regFactory(shibtarget::XML::NativeRequestMapType,&ApacheRequestMapFactory);

then doCheckAuthN() returns true on the first element and
returnDecline() on the second element. Also my ShibTarget method are not
called...

I then copied ApacheRequestMapper, leaving out the Apache specific
stuff, uncommented the line above, and my methods are called... Do you
know what's wrong?

Also let me see if I get the functions right:

doCheckAuthN - check if a session is needed, redirect if necessary,
write headers if not
doExportAssertions - write assertions in request headers if enabled
doCheckAuthZ - ? check if attributes have the correct value as per AAP.xml ?
doHandler - handle *.sso

So.. When a request arrives:

if the uri is *.sso {
    doHandler();
} else {
    doCheckAuthN();
    doExportAssertions();
    doCheckAuthZ();
}

Right? ...
> Your main job is getting the module to run and supplying the right canonical
> URL information to the ShibTarget layer. That's your main job. If the client
> can spoof the URL that is passed to the mapping layer, then the RequestMap
> is useless.
>
>
>   
This I've already done.

> That would be nice, but you'd have to sign the Internet2 contributor's
> agreement before we could accept any code.
>
>
>   
As long as I don't have to sacrifice a goat. :) Where is this agreement?


Thanks for your time,
André

Attachment: signature.asc
Description: OpenPGP digital signature