Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

vasileios.koukoutsas
Hello Shibboleth community! 

We have set up Shibboleth as described in the Switch SP Configuration.
We are using Ubuntu with Apache 2.4 and Spring Boot on the back-end (embedded Tomcat 8.5).
There are no errors in either Apache or shibboleth logs.

After several tries to get the attributes through the Spring Boot app, I get null values when I call the request.getAttribute() method to request a specific attribute.
In the /Shibboleth.sso/Session I can see all the attributes and their values as expected.

My Apache.conf relevant configuration is:

ProxyPass /Shibboleth.sso/* !

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf

<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Location /Shibboleth.sso>
  SetHandler shib
</Location>

<Location /app/>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibUseEnvironment On
  #ShibUseHeaders On
  Require shib-attr swissEduIDLinkedAffiliation ~ .*@.*
</Location>

ProxyIOBufferSize 65536

In the proxy_html.conf I have added the configuration:

ProxyRequests Off
ProxyPass /Shibboleth.sso/* !
ProxyPassReverse /app/ https://localhost:10050/app/

ProxyHTMLURLMap https://localhost:10050/app/ /app/

<Location /app/>
   ProxyPassReverse /
   SetOutputFilter  proxy-html
   ProxyHTMLURLMap  /app/ /app/
   RequestHeader    unset  Accept-Encoding
</Location>

and in the sites-enabled my app-le-ssl.conf configuration is:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias example.com

    RequestHeader set X-Forwarded-Proto "https"
    <Proxy ajp://localhost:8009>
      Require all granted
    </Proxy>
    SSLProxyEngine On
    ProxyPass /app/  ajp://localhost:8009/app/
    ProxyPassReverse /app/ ajp://localhost:8009/app/
    ProxyPass /Shibboleth.sso/* ! 
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

My ApplicationDefaults and Sessions configuration in shibboleth2.xml is:

<ApplicationDefaults entityID="https://example.com/shibboleth"
                     homeURL="https://example.com/Shibboleth.sso/Session"
                     metadataAttributePrefix="Meta-"
                     REMOTE_USER="persistent-id uniqueID affiliation eppn swissEduIDLinkedAffiliation"
                     signing="false" encryption="false"
                     attributePrefix="AJP_">

<Sessions lifetime="28800"
          timeout="3600"
          relayState="ss:mem"
          checkAddress="false"
          consistentAddress="true"
          handlerSSL="true"
          redirectLimit="host"
          cookieProps="https">


Since I cannot see the attributes in Java and the attributes/values are shown in /Shibboleth.sso/Session I assume that my Apache configuration is wrong or something is missing.
Please provide some assistance as I am not able to determine what is the fault.

Thanks in advance for your help, it is much appreciated!

Kind regards,
Vasileios

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Peter Schober
* [hidden email] <[hidden email]> [2019-12-14 14:27]:
> In the proxy_html.conf I have added the configuration:
>
> ProxyRequests Off
> ProxyPass /Shibboleth.sso/* !
> ProxyPass /app/ https://localhost:10050/app/
> ProxyPassReverse /app/ https://localhost:10050/app/

You're telling httpd to proxy via HTTP here (but you can't transfer
environment variables over HTTP).

> ProxyHTMLURLMap https://localhost:10050/app/ /app/
>
> <Location /app/>
>    ProxyPassReverse /
>    SetOutputFilter  proxy-html
>    ProxyHTMLURLMap  /app/ /app/
>    RequestHeader    unset  Accept-Encoding
> </Location>

I don't understand the addition of any of that but I suppose you have
reasons for including it?

> and in the sites-enabled my app-le-ssl.conf configuration is:
>
>     RequestHeader set X-Forwarded-Proto "https"
>     <Proxy ajp://localhost:8009>
>       Require all granted
>     </Proxy>
>     SSLProxyEngine On
>     ProxyPass /app/  ajp://localhost:8009/app/
>     ProxyPassReverse /app/ ajp://localhost:8009/app/
>     ProxyPass /Shibboleth.sso/* !

While that's also more verbose than what I had used in the past (I
never had to use more than ProxyPass + ProxyPass), here you're
proxying via AJP as you should (using httpd's mod_proxy_ajp).

So I'd stop proxying via https *and* via ajp. Why have Tomcat even use
an HTTP Connector when you intend to proxy via AJP from httpd? Port
8009 should suffice.

-peter

Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Peter Schober
In other words, I'd start from the most minimal configuration to get
this to work, not from the accumulation of directives you seem to be
working with.

-peter

Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

vasileios.koukoutsas
Dear Peter,

Thank you for the fast reply and the suggestion(s).
Excuse my ignorance but I have a few follow-up questions.

You mentioned I do not use https for the following snippet:

> ProxyRequests Off
> ProxyPass /Shibboleth.sso/* !
> ProxyPass /app/ https://localhost:10050/app/
> ProxyPassReverse /app/ https://localhost:10050/app/

Is something missing? As far as I know, using https in ProxyPass and ProxyPassReverse will only redirect using https.
Currently if I try to access my webapp or any resource under Apache I can only do it using https. http requests are automatically redirected to https.

> ProxyHTMLURLMap https://localhost:10050/app/ /app/
>
> <Location /app/>
>    ProxyPassReverse /
>    SetOutputFilter  proxy-html
>    ProxyHTMLURLMap  /app/ /app/
>    RequestHeader    unset  Accept-Encoding
> </Location>
> I don't understand the addition of any of that but I suppose you have reasons for including it?

This addition is to redirect requests and responses from the backend, which is on localhost, to the front end (e.g. example.com/app/ <-> https://localhost:10050/app/).

If I have understood correctly, I need both https and ajp connectors (in the Java backend) and their respective proxies in Apache.
The https connector running on port 10050 is used to serve the web content, and the sole purpose of the ajp (port 8009) connector is to have access to the attributes exposed by Apache as environment variables.

I thought that if you only use an https connector then you can only fetch the attributes through the headers, which is strongly recommended against.
I am not familiar with how Apache works and what the different configuration options are; the more time I spend viewing suggested solutions/configurations, the more confused I get.
Is there maybe a suggested configuration example from Shibboleth?


Thanks,
Vasileios


Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Peter Schober
* [hidden email] <[hidden email]> [2019-12-14 17:43]:
> You mentioned I do not use https for the following snippet:

No, the point of me saying:

> You're telling httpd to proxy via HTTP here (but you can't transfer
> environment variables over HTTP).

was not about HTTP vs. HTTPS, but that you're using the HTTP protocol
here (whether wrapped in SSL or not is immaterial here) to communicate
with Tomcat. And that you cannot transfer environment variables from
httpd processes to Java that way, as the documentation states.

(I also think that using SSL to talk to processes on localhost is
pointless but that's not the issue here either.)

> Is something missing? as far as I know using https in ProxyPass and
> ProxyPassReverse will only redirect using https
[...]
> Currently if I try to access my webapp or any resource under Apache
> I can only do it using https. http requests are automatically
> redirected to https.

Redirect in HTTP means telling the client to go elsewhere (commonly
using a 30x status code and a Location HTTP Response Header), that's
not what should be happening here.

> If I have understood correctly I need both an https and an ajp
> connectors (in Java backend) & their respective proxies in Apache.
> The https connector running on port 10050 is used to server the web
> content and the sole purpose of the ajp (port 8009) connector is to
> have access to the attributes exposed by apache as environment
> variables.

Understood what correctly, specifically? But no, that's not correct.
Like I already said all you need is an AJP connector in Tomcat (and no
HTTP or HTTPS connectors at all) and one ProxyPass(Reverse) in httpd
using mod_proxy_ajp.

> I though that if you only use an https connector then you can only
> fetch the attributes through the headers, which is strongly
> recommended against.

Yes. But the consequence of that realisation should not be to use an
HTTPS connector /plus/ an AJP connector when /only/ an AJP connector
can do it all.

> Is there maybe a suggested configuration example from Shibboleth?

If there is, it's in the documentation.
If it's not it will look like your ajp:// proxying example *without*
also trying to proxy the same request via HTTP (or HTTPS) as well.

-peter
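The failure mode Peter describes above (a Shibboleth-protected Location with ShibUseEnvironment On whose ProxyPass points at an http(s):// backend, where mod_proxy cannot carry environment variables, alongside a second ProxyPass for the same path) can be caught by a quick config audit before restarting httpd. The script below is an added example and is not part of this thread, of Shibboleth or of httpd; it understands only the directive forms used in this thread (<Location> blocks, AuthType, ShibUseEnvironment, ShibUseHeaders and ProxyPass), not the full httpd configuration grammar, and the two sample configurations are constructed from the directives posted here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, condensed from the directives posted in this thread:
# the protected Location plus both proxy rules for /app/ (HTTPS and AJP).
BROKEN_CONFIG = """
<Location /app/>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibUseEnvironment On
  Require shib-attr swissEduIDLinkedAffiliation ~ .*@.*
</Location>
ProxyRequests Off
ProxyPass /Shibboleth.sso/* !
ProxyPass /app/ https://localhost:10050/app/
ProxyPassReverse /app/ https://localhost:10050/app/
<VirtualHost *:443>
    ProxyPass /app/  ajp://localhost:8009/app/
    ProxyPassReverse /app/ ajp://localhost:8009/app/
    ProxyPass /Shibboleth.sso/* !
</VirtualHost>
"""

# Constructed sample matching the AJP-only configuration the thread ends with.
FIXED_CONFIG = """
<Location /app/>
  AuthType shibboleth
  ShibRequestSetting requireSession true
  ShibUseEnvironment On
</Location>
<VirtualHost *:443>
    ProxyPass /app/  ajp://localhost:8009/app/
    ProxyPass /Shibboleth.sso/* !
</VirtualHost>
"""

LOCATION_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"^</Location>$", re.IGNORECASE)
PROXYPASS = re.compile(r"^ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_config(text: str) -> Tuple[Dict[str, Dict[str, bool]], List[Dict[str, str]]]:
    """Collect Shibboleth-protected <Location> blocks and every ProxyPass rule.

    Only the directive forms used in this thread are understood; other
    containers (e.g. <VirtualHost>) are simply passed through.
    """
    locations: Dict[str, Dict[str, bool]] = {}
    rules: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := LOCATION_OPEN.match(line):
            current = m.group(1)
            locations.setdefault(current, {"shib": False, "env": False, "headers": False})
            continue
        if LOCATION_CLOSE.match(line):
            current = None
            continue
        if m := PROXYPASS.match(line):
            if m.group(2) != "!":  # "!" excludes a path from proxying
                rules.append({"path": m.group(1), "target": m.group(2)})
            continue
        if current is None:
            continue
        parts = line.split()
        key, value = parts[0].lower(), (parts[1].lower() if len(parts) > 1 else "")
        flags = locations[current]
        if key == "authtype" and value == "shibboleth":
            flags["shib"] = True
        elif key == "shibuseenvironment" and value == "on":
            flags["env"] = True
        elif key == "shibuseheaders" and value == "on":
            flags["headers"] = True
    return {p: f for p, f in locations.items() if f["shib"]}, rules


def audit(text: str) -> List[str]:
    """Return one finding per way the config fails to deliver attributes safely."""
    locations, rules = parse_config(text)
    findings: List[str] = []
    for path, flags in locations.items():
        matching = [r for r in rules if path.startswith(r["path"]) or r["path"].startswith(path)]
        for r in matching:
            scheme = r["target"].split("://", 1)[0].lower()
            if flags["env"] and scheme != "ajp":
                findings.append(
                    f"{path}: ShibUseEnvironment On but proxied via {scheme}:// to "
                    f"{r['target']}; env vars only reach the backend through mod_proxy_ajp"
                )
        if flags["headers"]:
            findings.append(f"{path}: ShibUseHeaders On passes attributes as HTTP headers; prefer AJP + environment")
        targets = sorted({r["target"] for r in matching})
        if len(targets) > 1:
            findings.append(f"{path}: {len(targets)} competing ProxyPass targets {targets}; first match wins")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run against the first sample it reports the https:// proxy and the competing /app/ rules; against the AJP-only sample it reports nothing. To audit a real server, feed it the concatenated output of the files httpd actually loads rather than a single file, since the thread's problem came from rules spread across conf files.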

Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

vasileios.koukoutsas
Hi Peter,

Thank you for the clarifications.
I solved the issue by removing the http(s) proxy and all of the proxy_html configuration as you suggested.
I only use ajp ProxyPass.

For future reference if someone has a similar problem my configuration is:

in sites-enabled example.com.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias example.com

    SSLEngine On
    SSLProxyEngine On

    ProxyPass /app/  ajp://localhost:8009/app/
    ProxyPass /Shibboleth.sso/* !

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

And my AJP connector in Spring (written in Kotlin):

import org.apache.catalina.Context
import org.apache.catalina.connector.Connector
import org.apache.tomcat.util.descriptor.web.SecurityCollection
import org.apache.tomcat.util.descriptor.web.SecurityConstraint
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory
import org.springframework.boot.web.servlet.server.ServletWebServerFactory
import org.springframework.context.annotation.Bean

@Bean
open fun servletContainer(): ServletWebServerFactory? {
    val tomcat: TomcatServletWebServerFactory = object : TomcatServletWebServerFactory() {
        override fun postProcessContext(context: Context) {
            // Mark every path CONFIDENTIAL so Tomcat only serves it over a
            // connector flagged as secure (the AJP connector below).
            val securityConstraint = SecurityConstraint()
            securityConstraint.userConstraint = "CONFIDENTIAL"
            val collection = SecurityCollection()
            collection.addPattern("/*")
            securityConstraint.addCollection(collection)
            context.addConstraint(securityConstraint)
        }
    }
    tomcat.addAdditionalTomcatConnectors(redirectConnector())
    return tomcat
}

var maxSize = 50000000

// AJP/1.3 connector that httpd's mod_proxy_ajp talks to; scheme and secure
// tell Tomcat the request already arrived over TLS at httpd, so the
// CONFIDENTIAL constraint is satisfied and no redirect is issued.
open fun redirectConnector(): Connector? {
    val connector = Connector("AJP/1.3")
    connector.scheme = "https"
    connector.port = 8009
    connector.secure = true
    connector.uriEncoding = "UTF-8"
    connector.allowTrace = false
    connector.maxPostSize = maxSize
    connector.maxSavePostSize = maxSize
    connector.redirectPort = 8443
    return connector
}

Thank you very much for your help.

Best,
Vasileios
