shibboleth-dev - RE: [Shib-Dev] experiences with 2.1
  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] experiences with 2.1
  • Date: Sun, 23 Nov 2008 13:22:37 -0500
  • Organization: The Ohio State University

> First, I was losing my session information after a trip through a JSP
> page. This turned out to be due to 1) 2.1 writes an extra cookie, and 2) I had a
> 1.3 shib SP loaded on my Apache server in front of the IdP, and 3) the 1.3
> SP merges Set-Cookie headers (fixed in 2.0), and 4) most browsers cannot
> deal with merged cookie headers. Fixed this by dropping the SP. Suspect
> most people don't have an SP in front of their IdP.

There's no reason to be using 1.3 regardless.

> Second, recall that in order to work with CardSpace we had to set the "no
> linebreaks" option in xmlsec. It turns out that xmlsec version 1.4.2, while
> supporting that feature, also ignores linebreaks in the SignatureValue
> elements. Old 1.4.1 left these with linebreaks intact. Seems that neither
> classic CardSpace nor the new CardSpace 'Geneva' accept the new, 1.4.2
> no-linebreaks. By contrast DigitalMe ignores linebreaks and accepts all
> formats.

We should use a compliant implementation, with absolutely no work-arounds,
and that's it. If that fails, report the bug and move on. If it prevents
CardSpace from even working, the technology is useless until it's been
fixed.

There is no room for compromise on this issue. I think that should be clear
by now. XML Signature is too complex to play these games, and you can't win.

> The new 'Geneva' does accept the 1.4.2 XML with linebreaks left in. But it
> insists on requesting metadata, the mex resource, by doing a GET with
> content following the request. Most everyone, except ws-transfer, thinks
> this is bogus and Apache drops the content. Thus the GET doesn't work.

There's nothing in HTTP that disallows a request body on a GET, AFAIK. I'd
be surprised if Apache just drops the body. Are you sure it's not Tomcat
doing that?

-- Scott
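The cookie problem quoted above (an SP merging two Set-Cookie fields into one, and the browser then losing one of the cookies) can be reproduced without any Shibboleth software. The following is an added Python example, not code from the thread or from the Shibboleth project: the header values are constructed and the cookie names are made up, and the "client" is a deliberately simple parser that models the two ways a client can read a folded field.

```python
# Constructed sample: two Set-Cookie fields as a servlet container and a
# front-end SP might each add to one response. Names and values are made up
# for illustration; they are not the real Shibboleth cookie names.
RESPONSE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/idp; HttpOnly"),
    ("Set-Cookie", "_idp_session=xyz; Path=/idp; "
                   "Expires=Sun, 23 Nov 2008 18:22:37 GMT; Secure"),
]


def fold_headers(headers):
    """Merge repeated fields into one comma-joined field.

    This is the generic RFC 2616 section 4.2 rule for list-valued headers.
    Applying it to Set-Cookie is the bug the thread describes: Set-Cookie is
    not a comma-separated list, and its attributes can themselves contain a
    comma (the Expires date above), so the folded field is ambiguous.
    """
    folded = []
    index = {}
    for name, value in headers:
        key = name.lower()
        if key in index:
            pos = index[key]
            folded[pos] = (folded[pos][0], folded[pos][1] + ", " + value)
        else:
            index[key] = len(folded)
            folded.append((name, value))
    return folded


def parse_set_cookie(field_value):
    """Parse one Set-Cookie field value into (name, value, attributes).

    Returns None when the first token is not a name=value pair, which is
    what a cookie parser sees in a fragment produced by splitting a folded
    field on commas.
    """
    parts = [p.strip() for p in field_value.split(";")]
    if "=" not in parts[0]:
        return None
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def cookies_seen_by_client(headers, split_folded_on_commas):
    """Simulate a client reading the response.

    With one field per cookie each parses cleanly. A client that treats a
    folded field as one cookie swallows the second cookie into an attribute
    of the first (the "lost session"); a client that splits the folded field
    on commas truncates the Expires date and sees a garbage third cookie.
    """
    cookies = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        chunks = value.split(",") if split_folded_on_commas else [value]
        for chunk in chunks:
            cookies.append(parse_set_cookie(chunk.strip()))
    return cookies


if __name__ == "__main__":
    print("separate fields:", cookies_seen_by_client(RESPONSE_HEADERS, False))
    folded = fold_headers(RESPONSE_HEADERS)
    print("folded, read as one cookie:", cookies_seen_by_client(folded, False))
    print("folded, split on commas:", cookies_seen_by_client(folded, True))
```

Either way the client reads the folded field, one of the two cookies is damaged, which is why the fix is to emit each Set-Cookie as its own header field and never fold them, not to pick a cleverer splitting rule on the client side.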
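The SignatureValue linebreak discussion above turns on one point: ds:SignatureValue is XML Schema base64Binary, in which whitespace is not significant, so a compliant verifier must accept the value with or without linebreaks. The following is an added Python example, not code from the thread, from xmlsec or from any CardSpace implementation; the signature bytes are a constructed stand-in (not a real signature over anything), the ds:Signature fragment is minimal and constructed, and the "strict" decoder only models a consumer that accepts a single serialization.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a signature: 128 deterministic bytes, not an RSA
# signature. Only the base64 text handling is being exercised here.
SIGNATURE_BYTES = bytes(range(128))


def encode_signature_value(sig, line_length=76):
    """Base64-encode a signature. With line_length set the text is wrapped
    the way the thread describes xmlsec 1.4.1 output; line_length=None gives
    the single-line form the "no linebreaks" option produces."""
    text = base64.b64encode(sig).decode("ascii")
    if line_length is None:
        return text
    return "\n".join(text[i:i + line_length]
                     for i in range(0, len(text), line_length))


def signature_value_xml(encoded):
    """Wrap the encoded text in a minimal, constructed ds:Signature fragment."""
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
            '<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
            % (DS_NS, encoded))


def extract_signature_value(xml_text):
    """Return the raw text content of ds:SignatureValue, whitespace intact."""
    root = ET.fromstring(xml_text)
    node = root.find("{%s}SignatureValue" % DS_NS)
    return node.text or ""


def decode_schema_compliant(text):
    """What a compliant verifier does: base64Binary whitespace is not
    significant, so drop it, then decode strictly."""
    return base64.b64decode("".join(text.split()), validate=True)


def decode_strict_no_whitespace(text):
    """Model of a consumer that rejects any non-alphabet character, newlines
    included, i.e. one that only accepts a single serialization."""
    return base64.b64decode(text, validate=True)


def accepts(decoder, text):
    """True if the decoder accepts the text without error."""
    try:
        decoder(text)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    for label, line_length in (("wrapped", 76), ("single-line", None)):
        doc = signature_value_xml(encode_signature_value(SIGNATURE_BYTES, line_length))
        value = extract_signature_value(doc)
        print(label, "compliant:", accepts(decode_schema_compliant, value),
              "strict:", accepts(decode_strict_no_whitespace, value))
```

Both serializations decode to the same bytes under the schema-compliant decoder, so a verifier that rejects one of them is the component with the bug; changing the signer's output format to suit it, as the quoted message describes, is exactly the kind of work-around the reply argues against.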