[Koha-bugs] [Bug 17776] Shibboleth Authentication is broken in plack
bugzilla-daemon at bugs.koha-community.org
Fri Sep 28 10:43:59 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776
--- Comment #32 from Matthias Meusburger <matthias.meusburger at biblibre.com> ---
About comment #27, I tried to spoof HTTP headers with Firefox's "Modify Header
Value (HTTP Headers)" extension
(https://addons.mozilla.org/fr/firefox/addon/modify-header-value) and got the
following message:
"opensaml::SecurityPolicyException
The system encountered an error at Fri Sep 28 08:33:58 2018
To report this problem, please contact the site administrator at
root at localhost.
Please include the following message in any email:
opensaml::SecurityPolicyException at
(https://catalogue.koha-shib/cgi-bin/koha/opac-user.pl)
Attempt to spoof header (AJP_Login) was detected."
So basic spoofing doesn't work.
However, I'm no security expert, so if anyone thinks that we should add more
control mechanisms to the stack we recommend (Apache / mod_shib / plack),
please say so.
For all the other stacks (IIS, Sun/iPlanet, etc.), we should clearly mention in
the documentation that control mechanisms are needed.