I have encountered a weird problem when working with Shibboleth authentication running on Apache, with Tomcat7 running on the back end. Apache sends everything through mod_proxy_ajp, and so it does with the parameters from Shibboleth.
In the documentation it is explicitly stated that AJP sends only attributes with the prefix attributePrefix="AJP_" and that a developer should not take shortcuts and enable sending auth attributes through HTTP headers: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
I try to retrieve attributes using:
HttpServletRequest req = (HttpServletRequest) FacesContext.getCurrentInstance()
.getExternalContext().getRequest();
Enumeration<String> e = req.getAttributeNames();
But no matter what I try, no Shibboleth attributes ever show up.
After two hours of trying to find out what I was doing wrong, I tried to retrieve an attribute by name using:
req.getAttribute("uid");
And for some reason that works, even though "uid" isn't listed in getAttributeNames().
It smells like a bug, or mistimed communication somewhere between AJP and Spring or JSF...
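An added example, not part of the original post: because getAttributeNames() did not list the Shibboleth attributes in the setup described above while getAttribute("uid") worked, this helper reads a fixed list of attribute ids by name and never falls back to HTTP headers. The class name, the ids other than "uid", and the constructed sample values are assumptions; the splitting follows the Shibboleth SP convention of joining multiple values with ";" and escaping a literal semicolon as "\;".

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class ShibAttributes {
    // Ids the application expects. "uid" is from the post; the others are
    // assumed here. Use the ids defined in your own attribute-map.xml.
    static final List<String> EXPECTED = Arrays.asList("uid", "affiliation", "mail");

    /**
     * Looks up each expected id by name instead of enumerating names.
     * Only the supplied lookup is consulted; there is no fallback to
     * request headers, which a client could set itself.
     * In a servlet or JSF bean: read(req::getAttribute, EXPECTED)
     */
    static Map<String, List<String>> read(Function<String, Object> getAttribute,
                                          List<String> ids) {
        Map<String, List<String>> found = new LinkedHashMap<>();
        for (String id : ids) {
            Object raw = getAttribute.apply(id);
            if (!(raw instanceof String) || ((String) raw).isEmpty()) {
                continue; // attribute not released for this session
            }
            List<String> values = new ArrayList<>();
            // Split on ';' that is not preceded by a backslash, then unescape.
            for (String v : ((String) raw).split("(?<!\\\\);")) {
                values.add(v.replace("\\;", ";"));
            }
            found.put(id, values);
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the container's request attributes.
        Map<String, Object> fake = new HashMap<>();
        fake.put("uid", "jdoe");
        fake.put("affiliation", "staff;member");
        System.out.println(read(fake::get, EXPECTED));
    }
}
```

Taking the lookup as a function keeps the helper runnable without the servlet API on the classpath; in the application, pass the request's getAttribute method.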