https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776
--- Comment #28 from Martin Renvoize <[email protected]> ---
(In reply to Marcel de Rooy from comment #24)
> ShibUseHeaders On|Off
> Defaults to "Off", this turns on the use of request headers to publish
> attributes to applications. Use of this option should be avoided. Be sure to
> review the topic on spoof checking if you enable it.
>
> You are suggesting to disable ShibUseEnvironment and enable ShibUseHeaders.
> Please explain. It is not recommended..

The issue is IPC (Inter Process Communication).

Koha relies upon a third party software to handle most of the complexities of
Shibboleth/SAML.. The 'native service provider' package.. An Apache plugin
exists, mod_shibboleth, which we have been using to communicate between the
native service provider code, Apache and finally Koha.

In CGI world, Koha runs a process per request under a forked Apache, and as
such Apache and Koha share the same process environment.

In the Plack world, Koha runs in a persistent process and requests are proxied
from Apache to Plack (Koha); as such, no environment is shared and we have to
utilize an alternative means of communicating between Koha and Apache (and
therefore the native shibboleth service provider). The only other supported
means of transporting that information is Headers (in mod_shibboleth).

So.. to do better than this patch we either need to get rid of Apache and the
native shibboleth service provider package and write our own native shibboleth
handling code.. or write a Plack middleware that interfaces directly with the
native service provider software.. that's a pretty long way outside of my own
scope for this.

Personally, this isn't the 100% best fix, but it's the best we can do without
basically re-writing Koha in my opinion.. With the NativeSPSpoofChecking
guidance followed it's not as big an issue as many are making out in my
opinion.
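Added example, not part of the comment above and not Koha's own code: a PSGI wrapper on the Plack side that keeps Shibboleth attribute headers only when the request was relayed by the local Apache, illustrating the header-based transport the comment describes. The attribute names, the loopback-only trust rule and the sample requests are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Assumptions (not from the bug report): attribute names published by the SP,
# and that the only peer allowed to assert them is Apache on loopback.
my @SHIB_ATTRS    = qw(eppn mail displayName);
my %TRUSTED_PROXY = map { $_ => 1 } qw(127.0.0.1 ::1);

# PSGI exposes the request header "Foo-Bar" as $env->{HTTP_FOO_BAR}; a header
# sent as "Foo_Bar" typically lands on the same key, so match the normalised form.
sub psgi_key {
    my ($name) = @_;
    (my $key = uc $name) =~ tr/-/_/;
    return "HTTP_$key";
}

# Wrap a PSGI app: attribute headers survive only when the TCP peer is the
# trusted proxy; otherwise they are deleted before the app sees them.
sub shib_header_guard {
    my ($app) = @_;
    my @keys = map { psgi_key($_) } @SHIB_ATTRS;
    return sub {
        my ($env) = @_;
        my $peer = $env->{REMOTE_ADDR} // '';
        delete @{$env}{@keys} unless $TRUSTED_PROXY{$peer};
        return $app->($env);
    };
}

# Stand-in for the application: reports which identity it was handed.
my $app = shib_header_guard(sub {
    my ($env) = @_;
    my $who = $env->{HTTP_EPPN} // '(none)';
    return [ 200, [ 'Content-Type' => 'text/plain' ], ["eppn=$who\n"] ];
});

# Constructed requests: one relayed by Apache, one sent straight to the Plack port.
for my $req (
    { REMOTE_ADDR => '127.0.0.1',    HTTP_EPPN => 'alice@example.org' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_EPPN => 'admin@example.org' },
) {
    my $peer = $req->{REMOTE_ADDR};   # read before the guard mutates the env
    my $res  = $app->($req);
    print "$peer -> $res->[2][0]";
}
```

The wrapper has to sit outermost, ahead of any middleware that rewrites REMOTE_ADDR from X-Forwarded-For, so that it sees the real TCP peer. It covers only requests that bypass Apache; headers a client sends through Apache are still the job of the spoof checking referred to in the comment.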
