Shibboleth Developers

[Jim Fox <>]

> There's no reason to be using 1.3 regardless.

We have several 1.3 SPs around campus so I keep one for testing.

> We should use a compliant implementation, with absolutely no work- 
> arounds,
> and that's it. If that fails, report the bug and move on. If it  
> prevents
> Cardspace from even working, the technology is useless until it's been
> fixed.
>
> There is no room for compromise on this issue. I think that should  
> be clear
> by now. XML Signature is too complex to play these games, and you  
> can't win.

I'm fine with that.

> > The new 'Geneva' does accept the 1.4.2 xml with linebreaks left  
> > in.  But
> it
> > insists on requesting metadata, the mex resource, by doing a GET with
> > content following the request.  Most everyone, except ws-transfer,  
> > thinks
> > this is bogus and Apache drops the content.  Thus the GET doesn't  
> > work.
>
> There's nothing in HTTP that disallows a request body on a GET,  
> AFAIK. I'd
> be surprised if Apache just drops the body. Are you sure it's not  
> Tomcat
> doing that?

Well, I suppose I don't know.  RFC 2616 seems to suggest GET is  
entirely determined by the URI.  Most sites I find suggest GET with  
content is 'inappropriate', maybe not the same as invalid.

With Apache the content doesn't get to a cgi script either, so it's  
being lost somewhere.. I guess I'll look deeper.

Jim