SX Spring Security Extension
SES-42

Proxied requests for metadata do not reflect host header requested

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None
    • Environment:
      Jetty instance proxied by Pound (http://www.apsis.ch/pound/) reverse proxy. Proxy server responds to requests for multiple virtual hostnames (server1.example.com, server2.example.com, etc).

      Description

      The current implementation caches the first request for metadata. As a result, requests subsequent to the initial request receive metadata referencing an invalid SP hostname in the event that the request is to a different host than the initial request. That is, if the first request is to server1 then all requests for metadata will reference server1 even if server2 was requested.

        Activity

        robmoore Rob Moore added a comment -

        I should have mentioned that I believe this will be an issue for non-proxied servers as well. Really any server that responds to requests for multiple hostnames will run into this issue.

        gwa GWA added a comment -

        I've made a patch (patch_entityid.patch) that resolves some part of this issue:

        You can now add to the metadata filter a property (forcedEntityId) that will override the URL found.

        For instance, if 'http://www.myserver.com/myapplication' is behind a reverse proxy, then the entity id (and base URL) will be calculated based on the server's inner address (say server-00005.inner.domain).
        Users cannot access server-0005.inner.domain directly, so no authentication is possible.
        If you add the forcedEntityId (see below), the metadata will have a correct base URL for the user.

        <bean id="metadataFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter">
            <property name="manager" ref="metadata"/>
            <property name="generator" ref="metadataGenerator"/>
            <property name="filterSuffix" value="/saml/metadata"/>
            <property name="forcedEntityId" value="http://www.myserver.com/myapplication"/>
        </bean>

        This issue is also about virtual hosting ONE application. I believe this is a mistake.
        To resolve this, you'd rather redirect each of your virtual hosts to the main host.

        If your server has several applications, each on a specific host, this patch will help you resolve your issue.

        vsch Vladimir Schäfer added a comment -

        You can set the property entityBaseURL on the metadataGenerator you pass to metadataFilter. This will override the baseURL which would otherwise be calculated based on the current request.

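The caching behaviour described in the report and the two remedies from the comments (a configured base URL such as forcedEntityId/entityBaseURL, or a base URL derived from each request's own Host header), as an added model in Python; this is not Spring Security SAML code, and the class and function names below are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of SES-42, not the project's own code; all names are assumptions.

@dataclass(frozen=True)
class Request:
    scheme: str        # "http" or "https"
    host: str          # Host header as seen by the servlet container
    port: int
    context_path: str  # e.g. "/myapplication"

def base_url_from_request(req: Request) -> str:
    """Derive the SP base URL from the request that is being served right now."""
    default_port = {"http": 80, "https": 443}[req.scheme]
    port = "" if req.port == default_port else f":{req.port}"
    return f"{req.scheme}://{req.host}{port}{req.context_path}"

def render_metadata(base_url: str) -> Dict[str, str]:
    """Stand-in for generated SP metadata: only the fields that embed the base URL."""
    return {
        "entityID": f"{base_url}/saml/metadata",
        "AssertionConsumerService": f"{base_url}/saml/SSO",
    }

class CachedMetadataFilter:
    """Reproduces the bug: metadata built on the first request is served to every later host."""
    def __init__(self) -> None:
        self._cached: Optional[Dict[str, str]] = None

    def metadata(self, req: Request) -> Dict[str, str]:
        if self._cached is None:
            self._cached = render_metadata(base_url_from_request(req))
        return self._cached

class PerRequestMetadataFilter:
    """Remedies from the thread: a fixed public base URL (forcedEntityId / entityBaseURL)
    when one is configured, otherwise a base URL derived from the current request."""
    def __init__(self, entity_base_url: Optional[str] = None) -> None:
        self.entity_base_url = entity_base_url

    def metadata(self, req: Request) -> Dict[str, str]:
        base_url = self.entity_base_url or base_url_from_request(req)
        return render_metadata(base_url)

def metadata_matches_host(meta: Dict[str, str], req: Request) -> bool:
    """Operator check: does the served entityID embed the base URL of the host actually requested?"""
    return meta["entityID"].startswith(base_url_from_request(req) + "/")
```

Behind a proxy that rewrites the Host header to the inner address, only the configured base URL yields metadata the user can reach, which is why both comments point at a fixed value rather than per-request derivation.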

          People

          • Assignee: vsch Vladimir Schäfer
          • Reporter: robmoore Rob Moore