...
Note that it's certainly possible to do all this with IIS, but it is not recommended and is beyond the scope of this example.
Info: Grails

If you are using the Grails framework to develop Spring based Groovy/Java web applications, another option is to integrate your container with Spring Security Core and try out the Spring Security Shibboleth Native SP plugin. The documentation is available here.
...
Assuming AJP, this step depends on your servlet container, but Tomcat and its derivatives have an AJP connector commented out by default.
Setting the tomcatAuthentication="false" attribute on the AJP <Connector> element allows REMOTE_USER to be automatically set based on what Apache has set. See Tomcat's AJP Connector documentation for more details.
Make sure the servlet container opens no direct HTTP listener, since requests arriving on one would reach the application without passing through Apache.
...
Service Providers that leverage many attributes or receive many attribute values can expect to exceed the default maximum AJP packet size (8kb). To prevent this, raise the maximum AJP packet size to 65kb (the maximum allowed by the AJP protocol) or to whatever value in between makes sense. This value should be specified in both Apache and your servlet container configuration.
Tomcat: Add packetSize="65536" to the AJP <Connector> element.

Apache with mod_jk: Add a worker.<name>.max_packet_size directive to the worker definition.

```
worker.<name>.max_packet_size=65536
```

Apache with mod_proxy_ajp: Add a ProxyIOBufferSize directive to Apache's configuration.

```
ProxyIOBufferSize 65536
```
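A check for the connector settings described above (tomcatAuthentication, no direct HTTP listener, matching packet sizes), as an added example that is not part of the original page. It assumes Apache uses mod_proxy_ajp; the function name audit and the sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SIZE = 8192  # default for both Tomcat packetSize and ProxyIOBufferSize

def audit(server_xml, apache_conf):
    """Return findings for a Tomcat server.xml / Apache config pair."""
    findings, ajp = [], []
    # XML comments are skipped by the parser, so a commented-out
    # connector is correctly treated as disabled.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "ajp" in proto.lower():
            ajp.append(conn)
        else:
            findings.append(f"direct HTTP listener on port {conn.get('port')}")
    if not ajp:
        findings.append("no AJP connector enabled")
    m = re.search(r"^\s*ProxyIOBufferSize\s+(\d+)", apache_conf, re.M)
    apache_size = int(m.group(1)) if m else DEFAULT_SIZE
    for conn in ajp:
        if conn.get("tomcatAuthentication", "true").lower() != "false":
            findings.append('AJP connector lacks tomcatAuthentication="false"')
        size = int(conn.get("packetSize", DEFAULT_SIZE))
        if size != apache_size:
            findings.append(f"packetSize {size} != ProxyIOBufferSize {apache_size}")
    return findings

# Constructed sample inputs (not taken from a real deployment).
WEAK_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" packetSize="65536" />
</Service></Server>"""
GOOD_XML = """<Server><Service name="Catalina">
  <!-- <Connector port="8080" protocol="HTTP/1.1" /> -->
  <Connector port="8009" protocol="AJP/1.3"
             tomcatAuthentication="false" packetSize="65536" />
</Service></Server>"""
APACHE_CONF = "ProxyPass /app ajp://localhost:8009/app\nProxyIOBufferSize 65536\n"

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_XML), ("good", GOOD_XML)):
        print(name, audit(xml, APACHE_CONF))
```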
...
Since environment variables are not passed by mod_proxy_ajp unless they have AJP_ prefixes, you'll also need to add attributePrefix="AJP_" to the <ApplicationDefaults> (or in rare cases an appropriate <ApplicationOverride>) element in your configuration:

```xml
<ApplicationDefaults id="default" policyId="default"
    entityID="https://sp.example.org/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    attributePrefix="AJP_">
```
In a Java web application, environment variables can be accessed by calling the HttpServletRequest.getAttribute method. Note that Tomcat's implementation of the getAttributeNames method is broken, as described in the following thread in the Shibboleth users mailing list.
Warning: Struts 2 Issue

When deploying an application written using the Struts 2 framework, see the Java example section on the attribute access page for an issue with retrieving attribute values with certain problematic names.
...