[Shib-Users] AJP Tomcat env vars


George Kroner

Nov 11, 2010, 12:39:35 PM
to shibbole...@internet2.edu

Hi all,

I attended the InstallFest workshop yesterday – very fun and informative. Thank you for offering this, and very nice to meet everyone.

I have hopefully a quick, specific question for the community. Is it still the case that ShibUseHeaders On must appear in the shib.conf Apache configuration when using ProxyPass and AJP to front-end a Tomcat app with Shibboleth? The reason being that AJP won’t forward environment variables not prefixed with AJP_, and the ones passed via Shib are not?

Any known way around this limitation? I’d like to use environment variables if possible instead of headers as I know the debate continues over the security implications of the use of the latter.

Thank you for any insight,

-George


This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.

Peter Schober

Nov 11, 2010, 12:56:34 PM
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 18:40]:

> I have hopefully a quick, specific question for the community. Is it
> still the case that ShibUseHeaders On must appear in the shib.conf
> Apache configuration when using ProxyPass and AJP to front-end a
> Tomcat app with Shibboleth?

It's not and the documentation also states that (though I already
thought about changing the docs to reflect that more clearly and
promptly forgot ;)

> The reason being that AJP won't forward environment variables not
> prefixed with AJP_, and the ones passed via Shib are not?

Add attributePrefix="AJP_" to <ApplicationDefaults> and they will be.
-peter

Peter Schober

Nov 11, 2010, 1:26:36 PM
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 18:40]:
> I have hopefully a quick, specific question for the community. Is it
> still the case that ShibUseHeaders On must appear in the shib.conf
> Apache configuration when using ProxyPass and AJP to front-end a
> Tomcat app with Shibboleth? The reason being that AJP won't forward
> environment variables not prefixed with AJP_, and the ones passed
> via Shib are not?

Is this better now?
https://spaces.internet2.edu/display/SHIB2/NativeSPJavaInstall
-peter

George Kroner

Nov 11, 2010, 1:56:02 PM
to shibbole...@internet2.edu
Beautiful. I'd also add a handy tip for Java developers that when using request.getAttributeNames() to iterate over all the environment variables, the Shib ones are not included in the enumeration. One must explicitly call them - eg: request.getAttribute("eppn"). With your help, and overcoming this bit of strangeness, we're good to go.

Thank you!
-George


Chad La Joie

Nov 11, 2010, 2:00:49 PM
to shibbole...@internet2.edu
If that's really true then it's a bug in your Servlet container and you
should probably file a bug report with them.

On 11/11/10 1:56 PM, George Kroner wrote:
> Beautiful. I'd also add a handy tip for Java developers that when
> using request.getAttributeNames() to iterate over all the environment
> variables, the Shib ones are not included in the enumeration. One
> must explicitly call them - eg: request.getAttribute("eppn"). With
> your help, and overcoming this bit of strangeness, we're good to go.

--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Peter Schober

Nov 11, 2010, 2:07:12 PM
to shibbole...@internet2.edu
* George Kroner <George...@blackboard.com> [2010-11-11 19:56]:

> Beautiful. I'd also add a handy tip for Java developers that when
> using request.getAttributeNames() to iterate over all the
> environment variables, the Shib ones are not included in the
> enumeration. One must explicitly call them - eg:
> request.getAttribute("eppn"). With your help, and overcoming this
> bit of strangeness, we're good to go.

Exactly what I wrote back in June:
http://groups.google.com/group/shibboleth-users/msg/a4d5b03614a7fd76
http://groups.google.com/group/shibboleth-users/msg/e68bdc0bc1018bb2
cheers,
-peter

Etienne Dysli

Nov 26, 2010, 11:48:12 AM
to shibbole...@internet2.edu
On 11/11/10 20:00, Chad La Joie wrote:
> If that's really true then it's a bug in your Servlet container and you
> should probably file a bug report with them.

This is a bug affecting Tomcat 6 up to 6.0.20:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47364 which has been
fixed by... patching the javadoc!

From
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/connector/Request.html#getAttributeNames%28%29
"Note that the attribute names return will only be those for the
attributes set via setAttribute(String, Object). Tomcat internal
attributes will not be included although they are accessible via
getAttribute(String)."

Regards,
Etienne
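
An added example, not code from this thread or from the Shibboleth or Tomcat projects: a Java helper that reads Shibboleth attributes by explicit name, since getAttributeNames() does not list attributes delivered over AJP. The class name `ShibAttributes` and the attribute ids other than `eppn` are assumptions, and the Servlet API must be on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

/** Reads Shibboleth SP attributes forwarded by Apache over AJP (hypothetical helper). */
public final class ShibAttributes {

    // Assumed list: use the ids your SP's attribute map actually exports.
    // Only "eppn" is named in the thread above.
    private static final String[] EXPECTED = { "eppn", "affiliation", "persistent-id" };

    private ShibAttributes() {}

    /** Returns the expected attributes that are present on this request. */
    public static Map<String, String> read(HttpServletRequest request) {
        Map<String, String> found = new LinkedHashMap<String, String>();
        for (String name : EXPECTED) {
            // Look each attribute up by name: Tomcat does not include
            // connector-supplied attributes in getAttributeNames().
            // mod_proxy_ajp strips the AJP_ prefix before forwarding, so the
            // servlet asks for "eppn", not "AJP_eppn".
            Object value = request.getAttribute(name);
            if (value instanceof String && !((String) value).isEmpty()) {
                found.put(name, (String) value);
            }
            // No fallback to request.getHeader(name): headers can be supplied
            // by the client, request attributes only by the front-end server.
        }
        return found;
    }

    /** Returns eppn or fails closed when the SP did not supply one. */
    public static String requireEppn(HttpServletRequest request) {
        String eppn = read(request).get("eppn");
        if (eppn == null) {
            throw new IllegalStateException("no eppn attribute on request");
        }
        return eppn;
    }
}
```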
