CAS 6.1.6 behind reverse proxy. Exception caused by The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.


José Ramón Martín Magdalena

Jun 18, 2020, 11:32:27 AM
to CAS Community
Good afternoon group,

I have been, for some time (more than desired, to be honest), trying to deploy a CAS server in my organization on a Kubernetes cluster, and I think I have almost succeeded.

The truth is that if I had previously known how difficult it would be, I would not have got on the boat. Previously, I had never worked with Docker, Kubernetes, or CAS. The upside is that my confinement has not been boring.

I am currently trying to publish the service externally using an Apache reverse proxy, but the container dies returning the following error:

The AJP Connector is configured with secretRequired = "true" but the secret attribute is either null or "". This combination is not valid.

The configuration that I have included for proxy in cas.properties is the following:

## config for proxy
server.port = 8080
server.ssl.enabled = false
cas.server.tomcat.http.enabled = false
cas.server.tomcat.httpProxy.enabled = true
cas.server.tomcat.httpProxy.secure = true
cas.server.tomcat.httpProxy.scheme = https
cas.server.tomcat.ajp.attributes.secret = isasecret << I thought this would solve the problem but no.

Could someone tell me, for heaven's sake, where is the fault?

Thanks in advance for your contribution.

Regards.

Kink Forumer

Jun 18, 2020, 4:26:49 PM
to cas-...@apereo.org
Hi José,

Since Tomcat 9.03x and AJP v1.3, if I am correct, the AJP connector needs to have the Secret declared in it as in here:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" requiredSecret="myComplexKeyComesHereButIHaveNotUsedItElseWhere" secretRequired="true"/>

Could it be that you should simply replace
cas.server.tomcat.ajp.attributes.secret = isasecret
with
cas.server.tomcat.ajp.attributes.requiredSecret = isasecret

I was in the same position last year: new to Docker, Overlays, CAS, ApacheDS, and more... a tough year!
CAS really is great but with such a hard learning curve, this is insane LOL but a lot of good and knowledgeable (not me!) guys hang around here :-)

Good luck
Kink

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8ef35652-960b-402d-b65b-716710d1dee8o%40apereo.org.

José Ramón Martín Magdalena

Jun 19, 2020, 4:42:50 AM
to CAS Community
Hi Kink,

First of all, thank you for your quick reply. I tried your solution, unfortunately without success. Having a look at the Tomcat documentation I found that the correct attribute name is 'secret', so I decided to try with:

cas.server.tomcat.ajp.attributes.secretRequired=true
cas.server.tomcat.ajp.attributes.secret=TheSecret

But same result. Now I've moved on to the AJP CAS properties and right now I'm trying

cas.server.tomcat.ajp.enabled=true

Fingers crossed.

José Ramón Martín Magdalena

Jun 19, 2020, 5:18:38 AM
to CAS Community
Hello guys,

It looked promising, right! But no, exactly the same result.
Frustrating.
Any ideas?

José Ramón Martín Magdalena

Jun 19, 2020, 6:27:27 AM
to CAS Community
Hi again Kink,

Taking another look at the Tomcat documentation, I found the attribute you mentioned in the security-howto, which says "The requiredSecret attribute in AJP connectors configures shared secret between Tomcat and reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over AJP protocol."; baffling!

If it is working for you, it seems to me that the attribute-key transfer is failing, but much more probably it is me who is failing.

But where!?

Root

Jun 19, 2020, 6:30:27 AM
to CAS Community
@Jose
Did you try without AJP? For me it works with Apache with the CAS settings below:

cas.server.http.enabled=false
cas.server.httpProxy.enabled=true
cas.server.httpProxy.secure=true
cas.server.httpProxy.scheme=https
cas.server.httpProxy.protocol=HTTP/1.1

José Ramón Martín Magdalena

Jun 19, 2020, 7:05:38 AM
to CAS Community
Hi Root,

Thanks for your reply. Nope, I'm going to try. I'm wondering, doesn't the CAS login page warn you about the non-secure connection?

News in a while.

Pascal Rigaux

Jun 19, 2020, 7:14:46 AM
to cas-...@apereo.org
NB: Tomcat has many ways to configure an HTTP backend behind a reverse proxy:

(1) force the connector values (secure, scheme, ...): https://tomcat.apache.org/tomcat-9.0-doc/proxy-howto.html
(2) filter allowed IPs: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_Address_Filter
(3) handle the X-Forwarded-Xxx headers coming from an allowed reverse proxy: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Remote_IP_Filter

I like solution (3) because it really hides the reverse proxy from the application.

- CAS emulates (1) with the properties cas.server.httpProxy.*, but note that "getRemoteAddr" still returns the IP of the reverse proxy (?)
- CAS also implements (2), cf. "cas.server.tomcat.remote-addr" (beware, the name changed recently, cf. https://github.com/apereo/cas/pull/4805 )
- (3) is not available in cas.properties: you must configure Spring Boot directly in application.properties. Cf. https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto-use-behind-a-proxy-server

Good luck :)
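Option (3) above only works safely because the RemoteIpFilter honours `X-Forwarded-For` solely when the TCP peer is a configured proxy; a client that connects directly and sends its own header gets ignored. The function below models that decision in Python so the rule can be tested against constructed requests. It is an added example, not Tomcat's or CAS's code: the proxy networks are made up, and the walk over the header follows the filter's documented behaviour in simplified form (internal proxies are dropped from the record, trusted proxies are kept, the first address that is neither is the client, and anything to its left is discarded).

```python
"""Model of the trust rule behind Tomcat's RemoteIpFilter (added example, not
Tomcat's code).  The X-Forwarded-For header is only believed when the TCP peer
is a known proxy; proxy addresses are then peeled off from the right until the
first non-proxy address, which is the client.  Networks below are constructed.
"""
import ipaddress

# Constructed trust configuration, mirroring internalProxies / trustedProxies.
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. an external edge


def _in_any(addr, networks):
    """True if addr parses as an IP and falls inside one of the networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_client(remote_addr, x_forwarded_for,
                   internal=INTERNAL_PROXIES, trusted=TRUSTED_PROXIES):
    """Return (client_ip, trusted_proxies_seen, header_honoured).

    header_honoured is False when the header was ignored because the TCP peer
    is not a known proxy; client_ip is then remote_addr itself."""
    peer_is_proxy = _in_any(remote_addr, internal) or _in_any(remote_addr, trusted)
    if not peer_is_proxy:
        # A direct client cannot change its apparent address via the header.
        return remote_addr, [], False
    if not x_forwarded_for:
        return remote_addr, [], True

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    proxies_seen = []
    client = remote_addr
    # Walk from the right: each hop appended by a known proxy is a proxy; the
    # first hop that is not a known proxy is the client.  Hops left of it were
    # supplied by untrusted parties and are discarded.
    while hops:
        hop = hops.pop()
        if _in_any(hop, internal):
            continue                      # internal proxy: not recorded
        if _in_any(hop, trusted):
            proxies_seen.append(hop)      # trusted proxy: recorded, keep going
            continue
        client = hop
        break
    return client, proxies_seen, True


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    cases = [
        ("198.51.100.7", "192.0.2.1"),                    # direct client, spoofed header
        ("10.0.0.5", "198.51.100.7, 203.0.113.10"),       # edge -> internal proxy
        ("10.0.0.5", "192.0.2.1, 198.51.100.7"),          # client-supplied junk on the left
        ("10.0.0.5", None),                               # proxy with no header
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", resolve_client(peer, xff))
```

The same split shows up in Spring Boot's `server.tomcat.remoteip.*` settings that Pascal's link describes: what you list there as internal or trusted proxies is the only thing standing between `getRemoteAddr()` and a header any client can write.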

Root

Jun 19, 2020, 12:19:52 PM
to CAS Community
@Jose,

No, I am using a simple reverse proxy with HTTPS Apache as front end, and the back-end is also communicating via HTTPS, so end to end it's encrypted.

Here are my few lines of Apache config:

ProxyPreserveHost On
ProxyPass        / https://localhost:9443/
ProxyPassReverse / https://localhost:9443/

# header name and value are separate arguments (no colon after the name)
Header always set Content-Security-Policy "upgrade-insecure-requests"

# ignore SSL verify for https proxy IP (the backend certificate is not checked)
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# Apache 2.2-style access control (mod_access_compat on 2.4)
<Location /cas/adminlogin>
    Order Deny,Allow
    Deny from all
</Location>
