Apache + Jetty 9 + IdP?

John Dennis jdennis at redhat.com
Tue Apr 14 11:00:29 EDT 2015


On 04/13/2015 08:00 PM, Derp Niner wrote:
> On 4/13/15, 4:49 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> 
>> I also, for the record, have no idea how to get Jetty to accept
>> RemoteUser from Apache. I haven't run Apache with the IdP since before
>> I switched to Jetty. It might "just work" or it might require
>> something like Tomcat does, I don't know.
> 
> I am curious for my own implementation - it seems that since v9 Jetty
> does not support proxying through apache with mod_proxy_ajp (see
> https://wiki.eclipse.org/Jetty/Howto/Configure_AJP13), but I noticed
> that the shib docs recommend AJP if using apache is desired. I am
> curious for my own deployment - did your comment mean that you run
> jetty in production without a web server in front, or have you decided
> to run something different than apache? Could you offer any
> recommendations for someone like me who is deploying IdP for the first
> time and is willing to try any type of setup?

Jetty v9 did drop support for AJP. However, you don't need to front
Jetty with Apache, you can run Jetty by itself as a web server. I've
been doing that and it works just fine.

However there may be times where you still want to front your
application server with Apache because Apache has a much richer suite of
extensions (including authentication modules). In this case you have to
pass REMOTE_USER and friends in the HTTP headers and extract them in an
HttpServletRequestWrapper so that you overload getRemoteUser(),
getAuthType(), etc. You also have to very carefully secure the
connection between Apache and Jetty and establish a trusted port over
which the proxy will occur, otherwise a malicious entity could perform a
man-in-the-middle attack and modify the REMOTE_USER which the servlet
implicitly trusts. I have code and a write-up (targeted at another project)
on how to do this. But you probably don't want to go there unless you
have to, I'd strongly recommend just running Jetty.


-- 
John
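As an added illustration of the arrangement John describes above (a servlet filter plus an HttpServletRequestWrapper, with the identity header honoured only on a trusted connector), here is example code written for this page. It is not John's write-up, nor Shibboleth IdP or Jetty code. The header names X-Remote-User and X-Auth-Type, the loopback connector on port 8009, and the peer addresses are assumptions made for the example; the Apache side is assumed to overwrite (never merely add) those headers from its REMOTE_USER and AUTH_TYPE variables on every proxied request.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not from the original post): accept an identity asserted by a
 * fronting Apache only when the request arrived over the connector reserved for it.
 *
 * Assumptions, all hypothetical for this example:
 *  - Apache overwrites X-Remote-User / X-Auth-Type on every proxied request from
 *    its own REMOTE_USER / AUTH_TYPE variables, so a browser can never supply them.
 *  - Jetty has a dedicated ServerConnector bound to 127.0.0.1:8009 that only
 *    Apache can reach; every other connector is public.
 */
public class ProxyRemoteUserFilter implements Filter {

    static final String USER_HEADER = "X-Remote-User";      // assumed header name
    static final String AUTH_TYPE_HEADER = "X-Auth-Type";   // assumed header name
    static final int TRUSTED_LOCAL_PORT = 8009;             // assumed private connector
    static final Set<String> TRUSTED_PEERS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1")));

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) resp;

        if (!fromTrustedProxy(http)) {
            // Not from Apache over the private connector. If the identity header is
            // present here, someone is trying to forge REMOTE_USER: refuse outright
            // rather than silently ignoring it, so the attempt is visible in logs.
            if (http.getHeader(USER_HEADER) != null) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "identity header not accepted on this connector");
                return;
            }
            chain.doFilter(req, resp);
            return;
        }

        String user = http.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            // Apache proxied the request but did not authenticate it: pass through as anonymous.
            chain.doFilter(req, resp);
            return;
        }
        chain.doFilter(new AssertedUserRequest(http, user.trim(),
                http.getHeader(AUTH_TYPE_HEADER)), resp);
    }

    /** The trust decision rests on the local port and peer address, never on a header. */
    static boolean fromTrustedProxy(HttpServletRequest r) {
        return r.getLocalPort() == TRUSTED_LOCAL_PORT && TRUSTED_PEERS.contains(r.getRemoteAddr());
    }

    /** Exposes the asserted identity through the standard servlet API. */
    static final class AssertedUserRequest extends HttpServletRequestWrapper {
        private final String user;
        private final String authType;

        AssertedUserRequest(HttpServletRequest wrapped, String user, String authType) {
            super(wrapped);
            this.user = user;
            this.authType = (authType == null || authType.isEmpty()) ? "PROXY" : authType;
        }

        @Override public String getRemoteUser() { return user; }
        @Override public String getAuthType() { return authType; }
        @Override public Principal getUserPrincipal() { return () -> user; }
    }
}
```

Map the filter in web.xml ahead of the IdP's own servlets. Two caveats on the trust check: it only holds if nothing other than Apache can reach the private connector (bind it to loopback or a host-only interface, not just a different port), and it must not be combined with anything that rewrites getRemoteAddr() from X-Forwarded-For on that connector, since the peer address is what the check stands on.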

