The <InProcess> element contains settings governing the portion of the SP that runs inside the web server. It also includes content specific to particular web servers that supply an inadequate native configuration mechanism. On version 2.4 and above, it is required for IIS usage, optional otherwise.

<InProcess logger="native.logger" checkSpoofing="true">
    <Extensions>
        <Library path="adfs-lite.so" fatal="true"/>
    </Extensions>

    <ISAPI/>

</InProcess>

...

  • logger (local pathname) (default is native.logger on 2.4+)
    • This attribute points to a log4shib/log4cpp configuration file that defines in-process logging behavior, generally writing to the native.log file. Often this file will not appear unless permissions are changed to permit the web server process to create it. If set, this overrides the logger property in the <SPConfig> parent element, but if omitted (defaulted), the parent property will take precedence.
  • catchAll (boolean) (default is false)
    • If true, "global" exception handlers are used to trap crashes and other "uncontrolled" exceptions. This attempts to keep the web server process running if at all possible, but makes diagnosing bugs difficult, and can lead to unstable runtime behavior. Generally should be omitted (or set to false).
  • unsetHeaderValue (string) (default is empty string)
    • When HTTP headers are used to supply exported attributes to applications, this value will be placed into headers corresponding to attributes that are not supplied, or that have no values. Defaults to an empty string (to represent a "null" value), but may be set to an actual value, such as "UNKNOWN".
  • checkSpoofing (boolean) (default is true)
    • If true, the SP will examine incoming headers supplied by the client and will fail the request if any of them match header names "controlled" by the SP. Do NOT disable this setting unless you have a strong reason to do so, as it may result in security vulnerabilities.
  • spoofKey (string)
    • Optional "secret" value used to prevent false alarms from the checkSpoofing option. Web servers do not generally provide a reliable means of detecting whether a request is directly from a client or has been internally redirected/rewritten in some fashion.
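
How checkSpoofing, spoofKey and unsetHeaderValue interact, as a simplified Python model added here (not the SP's own code). The controlled header names, the marker header name and the sample values are assumptions made for the illustration.

```python
import hmac

CONTROLLED = {"remote_user", "eppn", "affiliation"}  # assumed SP-exported header names
MARKER = "x-sp-spoof-checked"                        # hypothetical marker header name


def sp_filter(headers, attrs, check_spoofing=True, spoof_key=None, unset_header_value=""):
    """Model one pass of the SP over a request; returns the headers the application sees."""
    incoming = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    marker = incoming.pop(MARKER, None)
    # A matching marker means an earlier pass of this SP already vetted the request.
    vetted = bool(spoof_key) and marker is not None and hmac.compare_digest(
        marker.encode(), spoof_key.encode())
    if check_spoofing and not vetted:
        spoofed = sorted(CONTROLLED & incoming.keys())
        if spoofed:
            raise PermissionError("client supplied SP-controlled header(s): " + ", ".join(spoofed))
    # Overwrite every controlled header; attributes with no value get unsetHeaderValue.
    for name in CONTROLLED:
        incoming[name] = attrs.get(name) or unset_header_value
    if spoof_key:
        incoming[MARKER] = spoof_key  # lets a later internal pass recognise its own headers
    return incoming


def demo():
    attrs = {"remote_user": "alice", "eppn": "alice@example.org"}  # constructed session data
    first = sp_filter({"Host": "sp.example.org"}, attrs, spoof_key="s3cr3t",
                      unset_header_value="UNKNOWN")
    # Internal redirect: the server re-runs the SP on headers it set itself.
    second = sp_filter(first, attrs, spoof_key="s3cr3t", unset_header_value="UNKNOWN")
    results = {"first": first, "second": second}
    for label, kwargs in (("no_key_rerun", {}), ("wrong_marker", {"spoof_key": "s3cr3t"})):
        # Constructed requests: a rerun without spoofKey, and a client guessing the marker.
        req = dict(first) if label == "no_key_rerun" else {"Remote_User": "mallory", MARKER: "guess"}
        try:
            sp_filter(req, attrs, **kwargs)
            results[label] = "accepted"
        except PermissionError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The no_key_rerun case is the false alarm that spoofKey exists to avoid: without the key, the model cannot tell its own headers on a rerun from client-supplied ones.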

...