[mdx] MD Query draft question

Ian Young ian at iay.org.uk
Mon Jun 23 04:34:38 PDT 2014


(CC'ed to the MDX list, which is where discussion of the spec is normally carried.)

On 23 Jun 2014, at 11:57, Lukas Hämmerle <lukas.haemmerle at switch.ch> wrote:

> Hi Ian
> 
> I am working on a small PHP web service that returns various information
> about entities in different federations, including their metadata.
> 
> In that context I thought it could be beneficial to return metadata of
> the entity according to
> https://datatracker.ietf.org/doc/draft-young-md-query/?include_text=1
> section 3.2.1
> 
> Now, the "issue" there is that Apache does not support (for security
> reasons [1]) URLs that use the PATH info feature of the form:
> https://wiki.edugain.org/myScript.php/entities/https%3A%2F%2Faai-logon.switch.ch%2Fidp%2Fshibboleth
> 
> This then gets automatically translated by Apache to
> https://wiki.edugain.org/myScript.php/entities/https://aai-logon.switch.ch/idp/shibboleth
> which of course gets you a 404 or worse.

In order to conform with the current MDQ draft, you will need to change your Apache settings. Of course you can constrain that change to the .../entities path and you need to vet the resulting path carefully.

> So, I was wondering if it were possible to have the script be conforming
> with the 3.2.1 without disabling this security feature by using a URL like:
> 
> https://wiki.edugain.org/isFederatedCheck/?path=/switchaai/entities/https%3A%2F%2Faai-logon.switch.ch%2Fidp%2Fshibboleth
> 
> Basically, according to 3.2.1.
> "https://wiki.edugain.org/isFederatedCheck/?path=/switchaai" would have
> to be the baseURL to make this work. This indeed does technically work
> but my question is, would you also agree that it is according to and in
> the sense of the md-query draft?

No. Per section 2.7, the identifier is carried in the final component of the *path*, not as part of a query parameter.

It may be that we need to call out the query parameter thing as well to clarify this, in the way we already do for fragment identifiers.

> Best Regards
> Lukas
> 
> [1] http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes


Cheers,

	-- Ian
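
Added example, not part of the original message or of the MDQ draft: one way to vet the path as suggested above, working from the raw (undecoded) request target so that the identifier is decoded exactly once. The function names and the `mount` parameter are assumptions made for illustration; the URLs are the ones quoted in the thread.

```python
from urllib.parse import quote, unquote, urlsplit

ENTITIES_PREFIX = "/entities/"  # request path layout discussed in the thread


def build_request_url(base_url: str, entity_id: str) -> str:
    """Client side: carry the identifier as the final path component, fully percent-encoded."""
    return base_url.rstrip("/") + ENTITIES_PREFIX + quote(entity_id, safe="")


def extract_entity_id(raw_target: str, mount: str = "") -> str:
    """Server side: recover the identifier from the raw request target.

    `mount` (hypothetical name) is the path the service is mounted at.
    Raises ValueError unless the target is <mount>/entities/<one encoded component>.
    """
    parts = urlsplit(raw_target)
    if parts.query or parts.fragment:
        raise ValueError("identifier must be in the path, not a query or fragment")
    prefix = mount.rstrip("/") + ENTITIES_PREFIX
    if not parts.path.startswith(prefix):
        raise ValueError("not an entities request")
    component = parts.path[len(prefix):]
    # A literal "/" here means %2F was already decoded upstream, or the client
    # never encoded the identifier: the final component is no longer unambiguous.
    if not component or "/" in component:
        raise ValueError("identifier must be a single percent-encoded path component")
    # Decode exactly once; invalid UTF-8 raises UnicodeDecodeError (a ValueError).
    entity_id = unquote(component, errors="strict")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in entity_id):
        raise ValueError("control character in identifier")
    return entity_id  # treat as a lookup key only, never as a filesystem path
```

The decoded value should only ever be compared against known entity identifiers; it is not safe to join it onto a directory name.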


