From 5e9b0a9ccf79078da7e98c8a21cdd245b939dc42 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 4 Jun 2007 13:32:08 +0000
Subject: [PATCH] Port up spoof checking

---
 apache/mod_apache.cpp                       |  57 +++++++---
 configs/Makefile.am                         |   2 -
 configs/sessionError.html                   |  12 +--
 configs/shibboleth.xml.in                   |   1 -
 schemas/shibboleth-2.0-native-sp-config.xsd | 159 ++++++++++++++--------------
 shibsp/SPRequest.h                          |   5 +-
 shibsp/ServiceProvider.cpp                  |  16 +--
 shibsp/impl/XMLServiceProvider.cpp          |  54 +++++++---
 8 files changed, 178 insertions(+), 128 deletions(-)

diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index 2d77272..36a26ea 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -14,12 +14,10 @@
  * limitations under the License.
  */
 
-/*
- * mod_apache.cpp -- the core Apache Module code
- *
- * Created by:	Derek Atkins <derek@ihtfp.com>
- *
- * $Id$
+/**
+ * mod_apache.cpp
+ * 
+ * Apache module implementation
  */
 
 #define SHIBSP_LITE
@@ -63,9 +61,9 @@
 #define CORE_PRIVATE
 #include <http_core.h>
 #include <http_log.h>
+#include <http_request.h>
 
 #ifndef SHIB_APACHE_13
-#include <http_request.h>
 #include <apr_buckets.h>
 #include <apr_strings.h>
 #include <apr_pools.h>
@@ -91,6 +89,7 @@ namespace {
     char* g_szSchemaDir = SHIBSP_SCHEMAS;
     SPConfig* g_Config = NULL;
     string g_unsetHeaderValue;
+    bool g_checkSpoofing = true;
     static const char* g_UserDataKey = "_shib_check_user_";
     static const XMLCh path[] = UNICODE_LITERAL_4(p,a,t,h);
     static const XMLCh validate[] = UNICODE_LITERAL_8(v,a,l,i,d,a,t,e);
@@ -273,6 +272,7 @@ class ShibTargetApache : public AbstractSPRequest
   mutable string m_body;
   mutable bool m_gotBody;
   mutable vector<string> m_certs;
+  set<string> m_allhttp;
 
 public:
   request_rec* m_req;
@@ -387,14 +387,40 @@ public:
 #endif
     return m_body.c_str();
   }
-  void clearHeader(const char* name) {
+  void clearHeader(const char* rawname, const char* cginame) {
     if (m_dc->bUseEnvVars!=0) {
        // ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(m_req), "shib_clear_header: env\n");
-       if (m_rc && m_rc->env) ap_table_unset(m_rc->env, name);
+       if (m_rc && m_rc->env) ap_table_unset(m_rc->env, rawname);
     } else {
        // ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(m_req), "shib_clear_header: hdr\n");
-       ap_table_unset(m_req->headers_in, name);
-       ap_table_set(m_req->headers_in, name, g_unsetHeaderValue.c_str());
+        if (g_checkSpoofing && ap_is_initial_req(m_req)) {
+            if (m_allhttp.empty()) {
+                // First time, so populate set with "CGI" versions of client-supplied headers.
+#ifdef SHIB_APACHE_13
+                array_header *hdrs_arr = ap_table_elts(m_req->headers_in);
+                table_entry *hdrs = (table_entry *) hdrs_arr->elts;
+#else
+                const apr_array_header_t *hdrs_arr = apr_table_elts(m_req->headers_in);
+                const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
+#endif
+                for (int i = 0; i < hdrs_arr->nelts; ++i) {
+                    if (!hdrs[i].key)
+                        continue;
+                    string cgiversion("HTTP_");
+                    const char* pch = hdrs[i].key;
+                    while (*pch) {
+                        cgiversion += (isalnum(*pch) ? toupper(*pch) : '_');
+                        pch++;
+                    }
+                    m_allhttp.insert(cgiversion);
+                }
+            }
+
+            if (m_allhttp.count(cginame) > 0)
+                throw opensaml::SecurityPolicyException("Attempt to spoof header ($1) was detected.", params(1, rawname));
+        }
+        ap_table_unset(m_req->headers_in, rawname);
+        ap_table_set(m_req->headers_in, rawname, g_unsetHeaderValue.c_str());
     }
   }
   void setHeader(const char* name, const char* value) {
@@ -1122,6 +1148,9 @@ extern "C" void shib_child_init(apr_pool_t* p, server_rec* s)
         pair<bool,const char*> unsetValue=props->getString("unsetHeaderValue");
         if (unsetValue.first)
             g_unsetHeaderValue = unsetValue.second;
+        pair<bool,bool> checkSpoofing=props->getBool("checkSpoofing");
+        if (checkSpoofing.first && !checkSpoofing.second)
+            g_checkSpoofing = false;
     }
 
     // Set the cleanup handler
@@ -1326,8 +1355,8 @@ static command_rec shib_cmds[] = {
         (void *) offsetof (shib_dir_config, szRedirectToSSL),
         OR_AUTHCFG, "Redirect non-SSL requests to designated port"),
   AP_INIT_TAKE1("AuthGroupFile", (config_fn_t)shib_ap_set_file_slot,
-		(void *) offsetof (shib_dir_config, szAuthGrpFile),
-		OR_AUTHCFG, "Text file containing group names and member user IDs"),
+        (void *) offsetof (shib_dir_config, szAuthGrpFile),
+        OR_AUTHCFG, "Text file containing group names and member user IDs"),
   AP_INIT_FLAG("ShibRequireAll", (config_fn_t)ap_set_flag_slot,
         (void *) offsetof (shib_dir_config, bRequireAll),
         OR_AUTHCFG, "All require directives must match"),
@@ -1349,7 +1378,7 @@ module AP_MODULE_DECLARE_DATA mod_shib = {
 };
 
 #else
-#error "undefined APACHE version"
+#error "unsupported Apache version"
 #endif
 
 }
diff --git a/configs/Makefile.am b/configs/Makefile.am
index b59f561..790b7bf 100644
--- a/configs/Makefile.am
+++ b/configs/Makefile.am
@@ -31,7 +31,6 @@ CONFIGFILES = \
 	console.logger \
 	syslog.logger \
 	accessError.html \
-	rmError.html \
 	sessionError.html \
 	metadataError.html \
 	bindingTemplate.html \
@@ -133,7 +132,6 @@ EXTRA_DIST = \
 	console.logger \
 	syslog.logger \
 	accessError.html \
-	rmError.html \
 	sessionError.html \
 	metadataError.html \
 	sslError.html \
diff --git a/configs/sessionError.html b/configs/sessionError.html
index d9f4485..3124317 100644
--- a/configs/sessionError.html
+++ b/configs/sessionError.html
@@ -7,25 +7,25 @@
 <head>
 	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 	<link rel="stylesheet" type="text/css" href="<shibmlp styleSheet/>" />
-	<title>Session Creation Failure</title>
+	<title><shibmlp errorType/></title>
 </head>
 
 <body>
 <div class="head">
 <img src="<shibmlp logoLocation/>" alt="Logo" />
-<h1>Session Creation Failure</h1>
+<h1><shibmlp errorType/></h1>
 </div>
 
-<p>The inter-institutional access system was unable to successfully build a
-login session for you at <shibmlp now /></p>
+<p>The inter-institutional access system encountered an error at <shibmlp now /></p>
 
 <p>To report this problem, please contact the site administrator at
 <a href="mailto:<shibmlp supportContact/>"><shibmlp supportContact/></a>.
 </p>
 
 <p>Please include the following message in any email:</p>
-<p class="error">Session creation failure at (<shibmlp requestURL/>)</p>
-<p><shibmlp errorType/></p>
+<p class="error"><shibmlp errorType/> at (<shibmlp requestURL/>)</p>
+
+<p><shibmlp errorText/></p>
 
 </body>
 </html>
diff --git a/configs/shibboleth.xml.in b/configs/shibboleth.xml.in
index b78440a..fa73946 100644
--- a/configs/shibboleth.xml.in
+++ b/configs/shibboleth.xml.in
@@ -170,7 +170,6 @@
 		-->
 		<Errors session="@-PKGSYSCONFDIR-@/sessionError.html"
 			metadata="@-PKGSYSCONFDIR-@/metadataError.html"
-			rm="@-PKGSYSCONFDIR-@/rmError.html"
 			access="@-PKGSYSCONFDIR-@/accessError.html"
 			ssl="@-PKGSYSCONFDIR-@/sslError.html"
 			supportContact="root@localhost"
diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index 2b050e7..3e60596 100644
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -16,15 +16,15 @@
 
 	<annotation>
 		<documentation>
-    	2.0 schema for XML-based configuration of Shibboleth Native SP instances.
-    	First appearing in Shibboleth 2.0 release.
-    	</documentation>
-    </annotation>
+		2.0 schema for XML-based configuration of Shibboleth Native SP instances.
+		First appearing in Shibboleth 2.0 release.
+    		</documentation>
+	</annotation>
 
-	<simpleType name="string">
-		<restriction base="string">
+	<simpleType name="string">
+		<restriction base="string">
 			<minLength value="1"/>
-		</restriction>
+		</restriction>
 	</simpleType>
 
 	<simpleType name="listOfStrings">
@@ -44,20 +44,20 @@
 	</complexType>
 
 	<element name="SPConfig">
-		<complexType>
-			<annotation>
-				<documentation>Root of configuration</documentation>
-			</annotation>
-			<sequence>
-				<element ref="conf:Extensions" minOccurs="0"/>
-				<element ref="conf:OutOfProcess"/>
-				<element ref="conf:InProcess"/>
-				<element ref="conf:Applications"/>
-				<element ref="conf:SecurityPolicies"/>
-			</sequence>
-			<attribute name="logger" type="anyURI"/>
-			<attribute name="clockSkew" type="unsignedInt"/>
-			<anyAttribute namespace="##other" processContents="lax"/>
+		<complexType>
+			<annotation>
+				<documentation>Root of configuration</documentation>
+			</annotation>
+			<sequence>
+				<element ref="conf:Extensions" minOccurs="0"/>
+				<element ref="conf:OutOfProcess"/>
+				<element ref="conf:InProcess"/>
+				<element ref="conf:Applications"/>
+				<element ref="conf:SecurityPolicies"/>
+			</sequence>
+			<attribute name="logger" type="anyURI"/>
+			<attribute name="clockSkew" type="unsignedInt"/>
+			<anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
 
@@ -121,26 +121,26 @@
 		</complexType>
 	</element>
 	
-	<element name="ReplayCache">
+	<element name="ReplayCache">
 		<annotation>
 			<documentation>Ties ReplayCache to a custom StorageService</documentation>
 		</annotation>
 		<complexType>
-			<sequence/>
+			<sequence/>
 			<attribute name="StorageService" type="IDREF" use="required"/>
 		</complexType>
-	</element>
+	</element>
 	
-	<element name="ArtifactMap">
+	<element name="ArtifactMap">
 		<annotation>
 			<documentation>Customizes an ArtifactMap</documentation>
 		</annotation>
 		<complexType>
-			<sequence/>
-			<attribute name="StorageService" type="IDREF"/>
-			<attribute name="context" type="conf:string"/>
+			<sequence/>
+			<attribute name="StorageService" type="IDREF"/>
+			<attribute name="context" type="conf:string"/>
 			<attribute name="artifactTTL" type="unsignedInt" default="180"/>
-		</complexType>
+		</complexType>
 	</element>
 	
 	<element name="OutOfProcess">
@@ -148,30 +148,30 @@
 			<documentation>Container for shibd out-of-process configuration</documentation>
 		</annotation>
 		<complexType>
-			<sequence>
-				<element ref="conf:Extensions" minOccurs="0"/>
-				<choice>
-					<element name="UnixListener">
-						<complexType>
-							<attribute name="address" type="conf:string" use="required"/>
-						</complexType>
-					</element>
-					<element name="TCPListener">
-						<complexType>
-							<attribute name="address" type="conf:string" use="required"/>
-							<attribute name="port" type="unsignedInt" use="required"/>
-							<attribute name="acl" type="conf:listOfStrings" default="127.0.0.1"/>
-						</complexType>
-					</element>
-					<element name="Listener" type="conf:PluggableType"/>
-				</choice>
-				<element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
-				<element ref="conf:SessionCache" minOccurs="0"/>
+			<sequence>
+				<element ref="conf:Extensions" minOccurs="0"/>
+				<choice>
+					<element name="UnixListener">
+						<complexType>
+							<attribute name="address" type="conf:string" use="required"/>
+						</complexType>
+					</element>
+					<element name="TCPListener">
+						<complexType>
+							<attribute name="address" type="conf:string" use="required"/>
+							<attribute name="port" type="unsignedInt" use="required"/>
+							<attribute name="acl" type="conf:listOfStrings" default="127.0.0.1"/>
+						</complexType>
+					</element>
+					<element name="Listener" type="conf:PluggableType"/>
+				</choice>
+				<element ref="conf:StorageService" minOccurs="0" maxOccurs="unbounded"/>
+				<element ref="conf:SessionCache" minOccurs="0"/>
 				<element ref="conf:ReplayCache" minOccurs="0"/>
-				<element ref="conf:ArtifactMap" minOccurs="0"/>
-				<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-			</sequence>
-			<attribute name="logger" type="anyURI"/>
+				<element ref="conf:ArtifactMap" minOccurs="0"/>
+				<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+			</sequence>
+			<attribute name="logger" type="anyURI"/>
 			<anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -184,22 +184,23 @@
 			</documentation>
 		</annotation>
 		<complexType>
-			<sequence>
-				<element ref="conf:Extensions" minOccurs="0"/>
+			<sequence>
+				<element ref="conf:Extensions" minOccurs="0"/>
 				<element ref="conf:SessionCache" minOccurs="0"/>
-				<element name="RequestMapper" type="conf:PluggableType"/>
-				<element name="Implementation" minOccurs="0">
-					<complexType>
-						<sequence>
-							<element ref="conf:ISAPI" minOccurs="0"/>
-							<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-						</sequence>
-					</complexType>
-				</element>
-				<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
-			</sequence>
-			<attribute name="logger" type="anyURI"/>
-			<attribute name="unsetHeaderValue" type="string" use="optional"/>
+				<element name="RequestMapper" type="conf:PluggableType"/>
+				<element name="Implementation" minOccurs="0">
+					<complexType>
+						<sequence>
+							<element ref="conf:ISAPI" minOccurs="0"/>
+							<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+						</sequence>
+					</complexType>
+				</element>
+				<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+			</sequence>
+			<attribute name="logger" type="anyURI"/>
+			<attribute name="unsetHeaderValue" type="string"/>
+			<attribute name="checkSpoofing" type="boolean"/>
 			<anyAttribute namespace="##other" processContents="lax"/>
 		</complexType>
 	</element>
@@ -350,8 +351,8 @@
 				<element ref="conf:Sessions"/>
 				<element ref="conf:Errors"/>
 				<element ref="conf:DefaultRelyingParty"/>
-				<element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
-                <element name="MetadataProvider" type="conf:PluggableType"/>
+				<element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+                <element name="MetadataProvider" type="conf:PluggableType"/>
 				<element name="TrustEngine" type="conf:PluggableType"/>
 				<element name="AttributeExtractor" type="conf:PluggableType" minOccurs="0"/>
 				<element name="AttributeResolver" type="conf:PluggableType" minOccurs="0"/>
@@ -407,7 +408,7 @@
 				<element ref="md:ArtifactResolutionService"/>
 				<element ref="md:SingleLogoutService"/>
 				<element ref="md:ManageNameIDService"/>
-				<element name="Handler">
+				<element name="Handler">
 					<complexType>
 						<complexContent>
 							<restriction base="conf:PluggableType">
@@ -437,10 +438,10 @@
 		</complexType>
 	</element>
 	
-	<attribute name="policyId" type="conf:string">
-		<annotation>
-			<documentation>Used to reference Policy elements from profile endpoints.</documentation>
-		</annotation>
+	<attribute name="policyId" type="conf:string">
+		<annotation>
+			<documentation>Used to reference Policy elements from profile endpoints.</documentation>
+		</annotation>
 	</attribute>
 
 	<element name="SessionInitiator">
@@ -515,7 +516,7 @@
 		<attribute name="authType" type="conf:string"/>
 		<attribute name="authUsername" type="conf:string"/>
 		<attribute name="authPassword" type="conf:string"/>
-		<attribute name="signRequests" type="boolean"/>
+		<attribute name="signRequests" type="boolean"/>
 		<attribute name="signResponses" type="boolean"/>
 		<attribute name="signatureAlg" type="anyURI"/>
 		<attribute name="digestAlg" type="anyURI"/>
@@ -526,7 +527,7 @@
 		<attribute name="artifactEndpointIndex" type="unsignedShort"/>
 	</attributeGroup>
 	
-	<element name="SecurityPolicies">
+	<element name="SecurityPolicies">
 		<annotation>
 			<documentation>Container for specifying sets of policy rules to apply to incoming messages</documentation>
 		</annotation>
@@ -537,9 +538,9 @@
 						<documentation>Specifies a set of SecurityPolicyRule plugins</documentation>
 					</annotation>
 					<complexType>
-						<sequence>
-							<element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
-						</sequence>
+						<sequence>
+							<element name="Rule" type="conf:PluggableType" minOccurs="1" maxOccurs="unbounded"/>
+						</sequence>
 						<attribute name="id" type="conf:string" use="required"/>
 						<attribute name="validate" type="boolean" default="false"/>
 						<attribute name="signedAssertions" type="boolean" default="false"/>
diff --git a/shibsp/SPRequest.h b/shibsp/SPRequest.h
index c76eff9..a0b9ac4 100644
--- a/shibsp/SPRequest.h
+++ b/shibsp/SPRequest.h
@@ -111,9 +111,10 @@ namespace shibsp {
         /**
          * Ensures no value exists for a request header.
          * 
-         * @param name  name of header to clear 
+         * @param rawname  raw name of header to clear
+         * @param cginame  CGI-equivalent name of header
          */
-        virtual void clearHeader(const char* name)=0;
+        virtual void clearHeader(const char* rawname, const char* cginame)=0;
 
         /**
          * Sets a value for a request header.
diff --git a/shibsp/ServiceProvider.cpp b/shibsp/ServiceProvider.cpp
index 66f125c..3a4bb6d 100644
--- a/shibsp/ServiceProvider.cpp
+++ b/shibsp/ServiceProvider.cpp
@@ -87,12 +87,12 @@ namespace shibsp {
     }
     
     void SHIBSP_DLLLOCAL clearHeaders(SPRequest& request) {
-        request.clearHeader("Shib-Identity-Provider");
-        request.clearHeader("Shib-Authentication-Method");
-        request.clearHeader("Shib-AuthnContext-Class");
-        request.clearHeader("Shib-AuthnContext-Decl");
-        request.clearHeader("Shib-Attributes");
-        request.clearHeader("Shib-Assertion-Count");
+        request.clearHeader("Shib-Identity-Provider", "HTTP_SHIB_IDENTITY_PROVIDER");
+        request.clearHeader("Shib-Authentication-Method", "HTTP_SHIB_AUTHENTICATION_METHOD");
+        request.clearHeader("Shib-AuthnContext-Class", "HTTP_SHIB_AUTHNCONTEXT_CLASS");
+        request.clearHeader("Shib-AuthnContext-Decl", "HTTP_SHIB_AUTHNCONTEXT_DECL");
+        request.clearHeader("Shib-Attributes", "HTTP_SHIB_ATTRIBUTES");
+        request.clearHeader("Shib-Assertion-Count", "HTTP_SHIB_ASSERTION_COUNT");
         //request.clearHeader("Shib-Application-ID");   handle inside app method
         request.getApplication().clearAttributeHeaders(request);
     }
@@ -411,7 +411,7 @@ pair<bool,long> ServiceProvider::doExport(SPRequest& request, bool requireSessio
     catch (exception& e) {
         TemplateParameters tp(&e);
         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
-        return make_pair(true,sendError(request, app, "rm", tp));
+        return make_pair(true,sendError(request, app, "session", tp));
     }
 #ifndef _DEBUG
     catch (...) {
@@ -419,7 +419,7 @@ pair<bool,long> ServiceProvider::doExport(SPRequest& request, bool requireSessio
         tp.m_map["errorType"] = "Unexpected Error";
         tp.m_map["errorText"] = "Caught an unknown exception.";
         tp.m_map["requestURL"] = targetURL.substr(0,targetURL.find('?'));
-        return make_pair(true,sendError(request, app, "rm", tp));
+        return make_pair(true,sendError(request, app, "session", tp));
     }
 #endif
 }
diff --git a/shibsp/impl/XMLServiceProvider.cpp b/shibsp/impl/XMLServiceProvider.cpp
index 9d94401..ed4d851 100644
--- a/shibsp/impl/XMLServiceProvider.cpp
+++ b/shibsp/impl/XMLServiceProvider.cpp
@@ -146,8 +146,8 @@ namespace {
             DDF header;
             DDF ret=DDF(NULL).list();
             DDFJanitor jret(ret);
-            for (vector<string>::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i) {
-                header = DDF(NULL).string(i->c_str());
+            for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i) {
+                header = DDF(i->first.c_str()).string(i->second.c_str());
                 ret.add(header);
             }
             out << ret;
@@ -179,7 +179,7 @@ namespace {
 #endif
 #endif
         set<string> m_remoteUsers;
-        mutable vector<string> m_unsetHeaders;
+        mutable vector< pair<string,string> > m_unsetHeaders;
         RWLock* m_unsetLock;
 
         // manage handler objects
@@ -491,11 +491,18 @@ XMLApplication::XMLApplication(
                     pos = strchr(start,' ');
                     if (pos)
                         *pos=0;
-                    m_unsetHeaders.push_back(start);
+
+                    string transformed("HTTP_");
+                    const char* pch = start;
+                    while (*pch) {
+                        transformed += (isalnum(*pch) ? toupper(*pch) : '_');
+                        pch++;
+                    }
+                    m_unsetHeaders.push_back(pair<string,string>(start,transformed));
                     start = pos ? pos+1 : NULL;
                 }
                 free(dup);
-                m_unsetHeaders.push_back("Shib-Application-ID");
+                m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
             }
         }
 
@@ -722,18 +729,33 @@ XMLApplication::XMLApplication(
             }
 
             if (m_unsetHeaders.empty()) {
+                vector<string> unsetHeaders;
                 if (m_attrExtractor) {
                     Locker extlock(m_attrExtractor);
-                    m_attrExtractor->getAttributeIds(m_unsetHeaders);
+                    m_attrExtractor->getAttributeIds(unsetHeaders);
                 }
                 if (m_attrResolver) {
                     Locker reslock(m_attrResolver);
-                    m_attrResolver->getAttributeIds(m_unsetHeaders);
+                    m_attrResolver->getAttributeIds(unsetHeaders);
+                }
+                if (unsetHeaders.empty()) {
+                    if (m_base)
+                        m_unsetHeaders.insert(m_unsetHeaders.end(), m_base->m_unsetHeaders.begin(), m_base->m_unsetHeaders.end());
+                    else
+                        m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
+                }
+                else {
+                    for (vector<string>::const_iterator hdr = unsetHeaders.begin(); hdr!=unsetHeaders.end(); ++hdr) {
+                        string transformed("HTTP_");
+                        const char* pch = hdr->c_str();
+                        while (*pch) {
+                            transformed += (isalnum(*pch) ? toupper(*pch) : '_');
+                            pch++;
+                        }
+                        m_unsetHeaders.push_back(pair<string,string>(*hdr,transformed));
+                    }
+                    m_unsetHeaders.push_back(pair<string,string>("Shib-Application-ID","HTTP_SHIB_APPLICATION_ID"));
                 }
-                if (m_base && m_unsetHeaders.empty())
-                    m_unsetHeaders.insert(m_unsetHeaders.end(), m_base->m_unsetHeaders.begin(), m_base->m_unsetHeaders.end());
-                else
-                    m_unsetHeaders.push_back("Shib-Application-ID");
             }
         }
 
@@ -932,8 +954,8 @@ const Handler* XMLApplication::getHandler(const char* path) const
 void XMLApplication::clearAttributeHeaders(SPRequest& request) const
 {
     if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess)) {
-        for (vector<string>::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
-            request.clearHeader(i->c_str());
+        for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
+            request.clearHeader(i->first.c_str(), i->second.c_str());
         return;
     }
 
@@ -951,7 +973,7 @@ void XMLApplication::clearAttributeHeaders(SPRequest& request) const
             if (out.islist()) {
                 DDF header = out.first();
                 while (header.isstring()) {
-                    m_unsetHeaders.push_back(header.string());
+                    m_unsetHeaders.push_back(pair<string,string>(header.name(),header.string()));
                     header = out.next();
                 }
             }
@@ -964,8 +986,8 @@ void XMLApplication::clearAttributeHeaders(SPRequest& request) const
 
     // Now holding read lock.
     SharedLock unsetLock(m_unsetLock, false);
-    for (vector<string>::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
-        request.clearHeader(i->c_str());
+    for (vector< pair<string,string> >::const_iterator i = m_unsetHeaders.begin(); i!=m_unsetHeaders.end(); ++i)
+        request.clearHeader(i->first.c_str(), i->second.c_str());
 }
 
 short XMLConfigImpl::acceptNode(const DOMNode* node) const
-- 
2.1.4