
Retrieving Shibboleth attributes from AJP connector request


I have encountered a weird problem when working with Shibboleth authentication running on Apache with Tomcat7 running on the back end. Apache sends everything through mod_proxy_ajp, and it does the same with the parameters from Shibboleth.

In the documentation it is explicitly stated that AJP sends only attributes with prefix attributePrefix="AJP_" and that a developer should not take shortcuts and enable sending auth attributes through HTTP headers: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking

I try to retrieve attributes using

    HttpServletRequest req = (HttpServletRequest) FacesContext.getCurrentInstance()
                             .getExternalContext().getRequest();

    Enumeration<String> e = req.getAttributeNames();

But no matter what I try, no Shibboleth attributes ever show up.


Solution

  • After two hours of trying to find out what I was doing wrong, I tried to retrieve the attribute by name using:

    req.getAttribute("uid");
    

    And for some reason that works, even though "uid" isn't listed in getAttributeNames().

    It smells like a bug, or mistimed communication somewhere between AJP and Spring or JSF...
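
The by-name lookup described above, as an added example that is not part of the original post: it reads a fixed list of expected Shibboleth attributes through getAttribute(name) instead of enumerating them, never falls back to HTTP headers, and splits multi-valued attributes, which the Shibboleth SP delivers as one string separated by ';' (with '\;' escaping a literal semicolon). The names "mail" and "affiliation", the class name and the Function-based lookup are assumptions for illustration; Java 8 or later is assumed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class ShibAttributes {
    // Hypothetical list of attributes the application expects (adjust to your attribute map).
    static final List<String> EXPECTED = Arrays.asList("uid", "mail", "affiliation");

    /** Split on unescaped ';' and turn the escape sequence "\;" back into ';'. */
    static List<String> splitValues(String raw) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';');   // escaped semicolon belongs to the value
                i++;
            } else if (c == ';') {
                out.add(cur.toString());   // separator between two values
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString());
        return out;
    }

    /** Look up each expected name directly; enumeration and headers are never consulted. */
    static Map<String, List<String>> read(Function<String, Object> getAttribute) {
        Map<String, List<String>> found = new LinkedHashMap<>();
        for (String name : EXPECTED) {
            Object v = getAttribute.apply(name);
            if (v instanceof String && !((String) v).isEmpty()) {
                found.put(name, splitValues((String) v));
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the AJP request attributes.
        Map<String, Object> fake = new HashMap<>();
        fake.put("uid", "jdoe");
        fake.put("affiliation", "staff;member");
        System.out.println(read(fake::get));
    }
}
```

In a servlet or JSF bean the same method is called as read(req::getAttribute), using the req object from the question.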