shibboleth-dev - RE: 2.0 IdP w/NO apache, security policy fails
- Subject: RE: 2.0 IdP w/NO apache, security policy fails
- Date: Thu, 13 Dec 2007 07:29:53 -0500
> ... which isn't consistent with what I said above.... once I removed
> the cert, I would have expected a Tomcat-level failure.... any chance
> the browser might cache the client cert somewhere? Or load them at
> startup?
The handshake is almost certainly cached. After the handshake, the cached
session on the server contains the certificate, and it will replay it to the
servlet each time.
Whether it's cached on the client depends on the browser. If it's on disk,
which some stacks allow, even restarting the browser wouldn't break the
session for a little while.
I took Rod's advice, and, on the Connector for 8443, changed the clientAuth value from true to want.
This improved things considerably. Processing of the AuthnRequest proceeded correctly, and the IdP moved on to authN processing (I'm currently doing this within tomcat, with JAAS.)
One oddity -- tomcat redirected me here for authN processing (with apache in front, I seem to recall that it used the DNS name for the host):
https://128.148.46.37:8443/idp/login.jsp
and then caught an NP exception -- see log snippet below:
https://128.148.46.37:8443/idp/Authn/UserPassword
07:13:11.013 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:162] - Successfully authenticated user stc
07:13:11.015 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:84] - Returning control to authentication engine
07:13:11.017 ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:88] - User HttpSession did not contain a login context. Unable to return to authentication engine
07:13:11.019 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/idp].[UsernamePasswordAuthHandler]:260] - Servlet.service() for servlet UsernamePasswordAuthHandler threw exception
java.lang.NullPointerException
at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.returnToAuthenticationEngine(AuthenticationEngine.java:90)
at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
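For readers following the clientAuth change mentioned above, here is what the two settings look like in Tomcat's server.xml. This is an added illustration, not from the original message or the Shibboleth project; the keystore/truststore paths and passwords are placeholders, and the sessionCacheSize/sessionTimeout attributes assume a Tomcat 6 JSSE connector that supports them.

```xml
<!-- Added example, not from the original message or the Shibboleth project.
     Tomcat server.xml (Tomcat 6 JSSE connector) for an IdP running with no
     Apache in front. Keystore/truststore paths and passwords are placeholders. -->

<!-- BEFORE: clientAuth="true" makes Tomcat REQUIRE a client certificate on
     every handshake. A browser hitting the IdP on 8443 without a cert fails
     at the TLS layer, before the IdP sees the request at all. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/opt/idp/credentials/idp.jks" keystorePass="changeit"
           truststoreFile="/opt/idp/credentials/trust.jks" truststorePass="changeit"
           clientAuth="true" />

<!-- AFTER: clientAuth="want" makes Tomcat REQUEST a client certificate but
     complete the handshake whether or not one is presented. A presented cert
     is still handed to the webapp as the request attribute
     javax.servlet.request.X509Certificate, so the IdP's own security policy
     (not Tomcat) decides whether the caller is authorised. Requests with no
     cert now reach the IdP and can fall through to other authN methods.
     sessionCacheSize/sessionTimeout bound the server-side TLS session cache
     (assumed attributes); a cached session replays the cert to the servlet
     on every resumed connection, which matters when re-testing "no cert". -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/opt/idp/credentials/idp.jks" keystorePass="changeit"
           truststoreFile="/opt/idp/credentials/trust.jks" truststorePass="changeit"
           clientAuth="want"
           sessionCacheSize="1000" sessionTimeout="300" />
```

Two caveats a practitioner would want: with "want" the certificate check has moved from Tomcat into the application, so removing the cert from the browser and watching the page load is not evidence that the IdP rejects an uncertified caller on the endpoints that are supposed to require one; test those endpoints directly. And because the TLS session cache replays the certificate, a "no cert" test is only meaningful after the cached session is gone (restart the browser, let the server-side session expire, or restart Tomcat).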
- 2.0 IdP w/NO apache, security policy fails, Steven_Carmody, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Steven_Carmody, 12/12/2007
- Re: 2.0 IdP w/NO apache, security policy fails, Brent Putman, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007
- Re: 2.0 IdP w/NO apache, security policy fails, Brent Putman, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007
- Re: 2.0 IdP w/NO apache, security policy fails, Brent Putman, 12/12/2007
- Re: 2.0 IdP w/NO apache, security policy fails, Steven_Carmody, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Steven_Carmody, 12/13/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007
- Re: 2.0 IdP w/NO apache, security policy fails, Brent Putman, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Steven_Carmody, 12/12/2007
- RE: 2.0 IdP w/NO apache, security policy fails, Scott Cantor, 12/12/2007