Mod_shib sessions created for every request in a reverse proxy config

Florin Stingaciu florin.stingaciu at gmail.com
Mon May 16 19:30:19 EDT 2016


Hello,

Basically, I have this Apache server that's protecting the '/app' resource
and does a reverse proxy to my Tomcat app. Here's my Apache config:

<VirtualHost *:443>

        SSLEngine on
        # 'all' also enables SSLv3 on Apache 2.4 builds of this era; 'all -SSLv3' is the usual hardening
        SSLProtocol all
        SSLProxyEngine on
        SSLCertificateFile "/etc/apache2/ssl/apache.crt"
        SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"

        ServerName https://server:443
        UseCanonicalName on

        ProxyPreserveHost On
        ProxyPass /Shibboleth.sso !
        ProxyPass /app https://localhost:8080/app
        ProxyPassReverse /app https://localhost:8080/app

        LogLevel info

        ErrorLog ${APACHE_LOG_DIR}/app.error.log
        CustomLog ${APACHE_LOG_DIR}/app.access.log combined
</VirtualHost>

<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /app>
    Header set Access-Control-Allow-Origin "*"
    ShibRequireSession On
    AuthType shibboleth
    ShibExportAssertion Off
    Require valid-user
    ShibUseHeaders on
</Location>

Basically, any request I make to server/app will auth against the IDP and
create a new session every single time. Surprisingly enough, if I create
another location like so:

<Location />
    Header set Access-Control-Allow-Origin "*"
    ShibRequireSession On
    AuthType shibboleth
    ShibExportAssertion Off
    Require valid-user
    ShibUseHeaders on
</Location>

And try to access any resource that does not match 'app', it will only make
one request to the IDP and then it will basically use the _shibsession
cookie to reuse the original session.

After making a request for my 'app', I check the cookies in the browser and
I can't seem to find the _shibsession cookie. Here are the logs for two
consecutive requests:

==> transaction.log <==
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: New session (ID:
_1ace45750b3e3bfde7e114e759509587) with (applicationId: default) for
principal from (IdP: ssg-idp) at (ClientAddress: 100.80.0.227) with
(NameIdentifier: user_name) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
_0df21bce-0a72-41aa-bbc2-5399a21fcb3f)
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: Cached the following
attributes with session (ID: _1ace45750b3e3bfde7e114e759509587) for
(applicationId: default) {
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]:   SM_USER (1 values)
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: }

==> shibd_warn.log <==
2016-05-16 23:25:28 WARN Shibboleth.SessionCache [14]: unsuccessful read of
session (ID: _1ace45750b3e3bfde7e114e759509587), caches out of sync?

==> transaction.log <==
2016-05-16 23:25:32 INFO Shibboleth-TRANSACTION [14]: New session (ID:
_2341fa9020f04497ccc35c45e982bfad) with (applicationId: default) for
principal from (IdP: ssg-idp) at (ClientAddress: 100.80.0.227) with
(NameIdentifier: user_name) using (Protocol:
urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID:
_0d7604d3-3eda-4d0e-9367-0bc497de7742)
2016-05-16 23:25:32 INFO Shibboleth-TRANSACTION [14]: Cached the following
attributes with session (ID: _2341fa9020f04497ccc35c45e982bfad) for
(applicationId: default) {
2016-05-16 23:25:32 INFO Shibboleth-TRANSACTION [14]:   SM_USER (1 values)
2016-05-16 23:25:32 INFO Shibboleth-TRANSACTION [14]: }

==> shibd_warn.log <==
2016-05-16 23:25:32 WARN Shibboleth.SessionCache [14]: unsuccessful read of
session (ID: _2341fa9020f04497ccc35c45e982bfad), caches out of sync?

It is also worth noting that my app does a bunch of redirects to itself
and generates a bunch of CSS on the fly, thus causing a lot of things to
not load properly. Any help would be greatly appreciated. Please let me
know if there's any further information I could provide that could be of
any help.

Thanks,
-F
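As an added example, not part of the original post and not code from the Shibboleth project: a small Python script that reads the two shibd log formats quoted above (the "New session" entries in transaction.log and the "unsuccessful read of session ... caches out of sync?" warnings in shibd_warn.log) and flags any client/principal pair that obtains several new SP sessions within a short window, which is the symptom described in the post. It also counts how many of those session IDs turn up in the cache-miss warnings. The sample log lines are constructed from the entries in the post, joined back onto single lines as shibd writes them, with a third unrelated session (the placeholder IDs `_aaaa0000` and `_bbbb1111`, client `10.0.0.5`, principal `other_user`) made up as a control; the 60-second window and the threshold of two sessions are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the two shibd log lines quoted in the post. Both start with a
# timestamp, a level, a category and a thread id in square brackets.
NEW_SESSION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INFO Shibboleth-TRANSACTION \[\d+\]: "
    r"New session \(ID: (?P<sid>[^)]+)\) .*?\(ClientAddress: (?P<client>[^)]+)\) "
    r"with \(NameIdentifier: (?P<nameid>[^)]+)\)"
)
CACHE_WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARN Shibboleth\.SessionCache \[\d+\]: "
    r"unsuccessful read of session \(ID: (?P<sid>[^)]+)\)"
)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_new_sessions(lines):
    """Return (time, session_id, client, nameid) for every 'New session' line."""
    out = []
    for line in lines:
        m = NEW_SESSION_RE.match(line)
        if m:
            out.append((_ts(m["ts"]), m["sid"], m["client"], m["nameid"]))
    return out


def parse_cache_misses(lines):
    """Return the set of session IDs shibd reported as unreadable."""
    return {m["sid"] for m in map(CACHE_WARN_RE.match, lines) if m}


def _max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_session_churn(transaction_lines, warn_lines,
                       window=timedelta(seconds=60), threshold=2):
    """Flag (client, nameid) pairs that got `threshold` or more new SP sessions
    inside `window`: the browser is not presenting a usable _shibsession_
    cookie, so every protected request costs a fresh round trip to the IdP.
    Each finding also counts how many of those sessions appear in the
    'caches out of sync' warnings."""
    misses = parse_cache_misses(warn_lines)
    by_user = defaultdict(list)
    for t, sid, client, nameid in parse_new_sessions(transaction_lines):
        by_user[(client, nameid)].append((t, sid))
    findings = {}
    for key, events in by_user.items():
        burst = _max_in_window([t for t, _ in events], window)
        if burst >= threshold:
            findings[key] = {
                "sessions": len(events),
                "max_in_window": burst,
                "cache_misses": sum(1 for _, sid in events if sid in misses),
            }
    return findings


# Constructed sample input: the two entries from the post, plus one made-up
# control session (_aaaa0000 / _bbbb1111) that should not be flagged.
SAMPLE_TRANSACTION_LOG = """\
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: New session (ID: _1ace45750b3e3bfde7e114e759509587) with (applicationId: default) for principal from (IdP: ssg-idp) at (ClientAddress: 100.80.0.227) with (NameIdentifier: user_name) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _0df21bce-0a72-41aa-bbc2-5399a21fcb3f)
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: Cached the following attributes with session (ID: _1ace45750b3e3bfde7e114e759509587) for (applicationId: default) {
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]:   SM_USER (1 values)
2016-05-16 23:25:28 INFO Shibboleth-TRANSACTION [18]: }
2016-05-16 23:25:32 INFO Shibboleth-TRANSACTION [14]: New session (ID: _2341fa9020f04497ccc35c45e982bfad) with (applicationId: default) for principal from (IdP: ssg-idp) at (ClientAddress: 100.80.0.227) with (NameIdentifier: user_name) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _0d7604d3-3eda-4d0e-9367-0bc497de7742)
2016-05-16 23:30:01 INFO Shibboleth-TRANSACTION [21]: New session (ID: _aaaa0000) with (applicationId: default) for principal from (IdP: ssg-idp) at (ClientAddress: 10.0.0.5) with (NameIdentifier: other_user) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _bbbb1111)
"""
SAMPLE_WARN_LOG = """\
2016-05-16 23:25:28 WARN Shibboleth.SessionCache [14]: unsuccessful read of session (ID: _1ace45750b3e3bfde7e114e759509587), caches out of sync?
2016-05-16 23:25:32 WARN Shibboleth.SessionCache [14]: unsuccessful read of session (ID: _2341fa9020f04497ccc35c45e982bfad), caches out of sync?
"""

if __name__ == "__main__":
    for (client, nameid), info in find_session_churn(
            SAMPLE_TRANSACTION_LOG.splitlines(), SAMPLE_WARN_LOG.splitlines()).items():
        print(f"{client} {nameid}: {info['sessions']} sessions, "
              f"{info['max_in_window']} within the window, "
              f"{info['cache_misses']} with cache-miss warnings")
```

Grouping on (ClientAddress, NameIdentifier) is deliberate: both appear on every "New session" line, and a single browser that keeps re-authenticating will produce a burst for exactly one such pair, whereas many distinct users each logging in once will not. On a real SP you would feed it the actual files (`shibd` writes each entry on one line) and raise the window if the IdP round trip is slow.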