Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

vasileios.koukoutsas at vasileios.koukoutsas at
Sun Dec 15 17:14:06 EST 2019

Hi Peter,

Thank you for the clarifications.
I solved the issue by removing the http(s) proxy and all of the proxy_html  configuration as you suggested.
I only use ajp ProxyPass.

For future reference if someone has a similar problem my configuration is:

in sites-enables
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerAdmin webmaster at localhost

SSLEngine On
SSLProxyEngine On
ProxyPass /app/  ajp://localhost:8009/app/
ProxyPass /Shibboleth.sso/* ! 
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf

And my AJP connector in Spring (written in Kotlin):

     @Bean      open fun servletContainer(): ServletWebServerFactory? {          val tomcat: TomcatServletWebServerFactory = object : TomcatServletWebServerFactory() {              override fun postProcessContext(context: Context) {                  val securityConstraint = SecurityConstraint()                  securityConstraint.userConstraint = "CONFIDENTIAL"                  val collection = SecurityCollection()                  collection.addPattern("/*")                  securityConstraint.addCollection(collection)                  context.addConstraint(securityConstraint)              }          }          tomcat.addAdditionalTomcatConnectors(redirectConnector())          return tomcat      }         var maxSize = 50000000         open fun redirectConnector(): Connector? {          val connector = Connector("AJP/1.3")          connector.scheme = "https"          connector.port = 8009 = true          connector.uriEncoding = "UTF-8"          connector.allowTrace = false          connector.maxPostSize = maxSize          connector.maxSavePostSize = maxSize          connector.redirectPort = 8443          return connector      }

Thank you very much for your help.


-----"users" <users-bounces at> wrote: -----
To: users at
From: "Peter Schober" 
Sent by: "users" 
Date: 15/12/2019 13:39
Subject: Re: Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

* vasileios.koukoutsas at <vasileios.koukoutsas at> [2019-12-14 17:43]:
> You mentioned I do not use https for the following snippet:

No, the point of me saying:

> You're telling httpd to proxy via HTTP here (but you can't transfer
> environment variables over HTTP).

was not about HTTP vs. HTTPS, but that you're using the HTTP protocol
here (whether wrapped in SSL or not is immaterial here) to communicate
with Tomcat. And that you cannot transfer environment variables from
httpd processes to Java that way, as the documentation states.

(I also think that using SSL to talk to processes on localhost is
pointless but that's not the issue here either.)

> Is something missing? as far as I know using https in ProxyPass and
> ProxyPassReverse will only redirect using https
> Currently if I try to access my webapp or any resource under Apache
> I can only do it using https. http requests are automatically
> redirected to https.

Redirect in HTTP means telling the client to go elsewhere (commonly
using a 30x status code and a Location HTTP Response Header), that's
not what should be happening here.

> If I have understood correctly I need both an https and an ajp
> connectors (in Java backend) & their respective proxies in Apache.
> The https connector running on port 10050 is used to server the web
> content and the sole purpose of the ajp (port 8009) connector is to
> have access to the attributes exposed by apache as environment
> variables.

Understood what correctly, specifically? But no, that's not correct.
Like I already said all you need is an AJP connector in Tomcat (and no
HTTP or HTTPS connectors at all) and one ProxyPass(Reverse) in httpd
using mod_proxy_ajp.

> I though that if you only use an https connector then you can only
> fetch the attributes through the headers, which is strongly
> recommended against.

Yes. But the consequence of that realisation should not be to use an
HTTPS connector /plus/ an AJP connector when /only/ an AJP connector
can do it all.

> Is there maybe a suggested configuration example from Shibboleth?

If that is it's in the documentation.
If it's not it will look like your ajp:// proxying example *without*
also trying to proxy the same request via HTTP (or HTTPS) as well.

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list