Resolved: passing headers and attributes with AJP

Woolf, Carl Carl_Woolf at hms.harvard.edu
Wed Aug 3 20:00:36 UTC 2022


So, per   https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo

I added attributePrefix="AJP_" in shibboleth2.xml



And then, per https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp

I added allowedRequestAttributesPattern=".*" in the ajp connector in server.xml.



Seems like both were essential. Now I am getting attributes, and have turned off headers!



Cheers, - Carl


From: users <users-bounces at shibboleth.net> on behalf of Woolf, Carl <Carl_Woolf at hms.harvard.edu>
Date: Wednesday, August 3, 2022 at 11:51 AM
To: users at shibboleth.net <users at shibboleth.net>, Haurie, Xavier <Xavier_Haurie at hms.harvard.edu>
Subject: Re: passing headers and attributes with AJP
I found guidance on AJP here: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo<https://urldefense.proofpoint.com/v2/url?u=https-3A__shibboleth.atlassian.net_wiki_spaces_SP3_pages_2067400159_JavaHowTo&d=DwMFAg&c=WO-RGvefibhHBZq3fL85hQ&r=ohjT-wCxvmZTScOv3YkqsxlnCgFPdb691fpNch5tb_U&m=e_i1bh6oTYFVft2ATEtazR0cuSLtsNi5q0p02UiKb44elJhYVM9eXejsyiwTj1Ql&s=rRShdgIN2OqTQSLzXAJ9TLneODcyTSEXdOClyUpRLCY&e=>
Will pursue that to try to solve my issue!

From: Woolf, Carl <Carl_Woolf at hms.harvard.edu>
Date: Wednesday, August 3, 2022 at 10:39 AM
To: users at shibboleth.net <users at shibboleth.net>
Subject: passing headers and attributes with AJP
Greetings, happily my team has decided to let Apache use AJP rather than HTTP in proxying to our tomcat.

We are using shibd 3.3.0, and Apache 2.4.6. (Tomcat 9.)

Our Apache configuration has


ProxyPass "/our-app/" "ajp://shrine-sso-node01.catalyst.harvard.edu:8009/our-app/"


<LocationMatch "/shrine-api/">

  AuthType shibboleth

  ShibRequestSetting requireSession 1

  Require valid-user local

  ShibUseEnvironment On

  ShibUseHeaders On

</LocationMatch>

Our tomcat is receiving request-headers, including those corresponding to Attributes being sent by our IdP.

We thought that ShibUseEnvironment would also send the information as request-attributes. But we do not seem to receive any request-attributes.

Any advice on how to get request-attributes sent? (We would then probably turn off ShibUseHeaders.)

Thanks, - Carl
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220803/92b865a1/attachment.htm>


More information about the users mailing list