Shibboleth Developers

["Scott Cantor" <>]

> I then copied ApacheRequestMapper, leaving out the Apache specific
> stuff, uncommented the line above, and my methods are called... Do you
> know what's wrong?

My guess is the RequestMap properties you need aren't set, or you've
incorrectly supplied the URL components to the system and it doesn't match
the map. native.log will show the URL passed into the mapper on DEBUG.

> Also let me see if I get the functions right:
> 
> doCheckAuthN - check if a session is needed, redirect if necessary,
> write headers if not

What headers? All it does is handle session validation.

> doExportAssertions - write assertions in request headers if enabled

That's where the headers are written.

> doCheckAuthZ - ? check if attributes have the correct value 
> as per AAP.xml ?

No, it's for authz hooks, i.e. htaccess or Shibboleth ACL plugins. Has
nothing to do with the AAP process, that's not an authz function.

All checkAuthZ does is populate the session information if it's not fetched
yet, and check for an ACL plugin in the RequestMap. Anything else is left to
whatever code called it.

> So.. When a request arrives:
> 
> if the uri is *.sso {
>     doHandler();
> } else {
>     doCheckAuthN();
>     doExportAssertions();
>     doCheckAuthZ();
> }
> 
> Right? ...

I guess, sort of. It depends on the server API, and I don't know that
server's internals. You can't just hardcode *.sso, it's not that simple. It
depends on how resource virtualization in the server is implemented, and it
depends on the actual handlerURL set for the resources in question.

I canonicalize the URL and determine the effective handlerURL, and then
figure out what's supposed to happen. Otherwise you'll block access to the
handler with the session check.

> As long as I don't have to sacrifice a goat. :) Where is this 
> agreement?

http://members.internet2.edu/intellectualproperty.html#appendix_c

-- Scott