redirectErrors configuration attribute does not handle relative URLs
Description
Environment
CentOS 5.7, Shibboleth RPMs 2.4.3-2.2, Apache 2.2.3-53
Activity
Scott Cantor March 1, 2012 at 12:25 AM
Closing with documentation added.
Scott Cantor March 1, 2012 at 12:22 AM
Scott Cantor January 18, 2012 at 1:47 AM
Never mind, that doesn't work either. I've updated both references to redirectErrors to state absolute only, and I'll treat this as an RFE to get it working, since that makes vhosting a pain.
Scott Cantor January 18, 2012 at 1:42 AM
Ah, and now my confusion is cleared up...there are two ways to set the redirectErrors feature, one that was the original "intended" way, and the other that was added as a supplement.
The way it's supposed to work is via the <Errors> element as a property instead of as a content setting. Using it there, you can use a relative URL, and it will be set at the application level, which is the usual way.
When you use it as a content setting, it's more limited, though possibly inadvertently, and is subject to these restrictions.
I didn't even remember how it worked when I mentioned it as a "content setting" in the assurance page. I'll try and clean the statements up, and I'll probably leave this open until the next release in case I want to adjust how the content setting works to clean it up.
Please try using a relative URL inside the <Errors> element.
Scott Cantor January 18, 2012 at 1:35 AM
I believe the documentation is actually wrong; it does not currently support relative URLs. I'll fix that. But I think what you're seeing isn't "redirection" to that URL, but the normal error handling template. If you get it to attempt to use a relative URL, the XSS sanitation kicks in and throws an exception inside the error handling code, and Apache throws a Server Error, with the exception in the Apache log.
I think your mistake is that your error handler setting is being applied to the content, but not the handlerURL(s), specifically the ACS. That won't work, since the effective URL being processed during the error is the ACS. Generally the error handler is an application-wide setting that has to apply to all the resources in the app, so usually it's set at the same level as the applicationId would be, or globally.
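The two comments above make two points that decide where the setting has to go: the error handler must apply to the whole application (including the ACS handler URL, where the error is actually raised), and, as the issue was closed, redirectErrors accepts absolute URLs only, so a multi-vhost deployment needs one absolute URL per vhost. The following shibboleth2.xml fragment is an added illustration of that outcome, not configuration taken from the issue or shipped by the Shibboleth project; the hostnames example.org and example.net, the path /script.php and the override id "vhost2" are placeholders assumed for the example.

```xml
<!-- Added example (not from the issue): shibboleth2.xml fragment for SP 2.4.x.
     Hostnames, paths and the override id are placeholders. -->
<ApplicationDefaults id="default"
                     entityID="https://example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">

    <!-- Error handler set as an application-level property of <Errors>,
         so it also covers handler URLs such as /Shibboleth.sso/SAML2/POST.
         Placing the same setting only on a content <Location> would not
         take effect there, because the ACS is the URL being processed
         when the error occurs. The URL is absolute: a relative value
         (e.g. "/script.php") is rejected by the error handler's XSS
         sanitization and surfaces as an Apache 500 with the exception
         in the Apache error log. -->
    <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"
            redirectErrors="https://example.org/script.php"/>

    <!-- Second virtual host: because the value must be absolute, each vhost
         that should land on its own handler needs its own override. -->
    <ApplicationOverride id="vhost2" entityID="https://example.net/shibboleth">
        <Errors supportContact="root@localhost"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"
                redirectErrors="https://example.net/script.php"/>
    </ApplicationOverride>

</ApplicationDefaults>
```

Requests for the second vhost are mapped to the "vhost2" override through the usual applicationId assignment (for example a RequestMap <Host> entry or the ShibRequestSetting applicationId content setting); only the placement and absolute form of redirectErrors are the point here. A quick check that the setting is in force is to trigger a handled error on the ACS and confirm the browser is sent to script.php rather than to the SP's built-in error template; if the Apache error log instead shows an exception from the error handler, the URL is still relative.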
Using documentation found at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPErrors , I attempted to use the "redirectErrors" attribute with a relative URL. When using an absolute URL such as 'redirectErrors="https://example.org/script.php"', errors were redirected to the 'script.php' handler as expected. When using a relative URL such as 'redirectErrors="script.php"', errors were instead redirected to "https://example.org/Shibboleth.sso/SAML2/POST". I tried several variations such as "/script.php", "../script.php", "/../script.php", etc., but none of them worked. So either the documentation is incorrect (i.e. relative URLs are not allowed), or there is a bug in the code which handles relative URLs.