Resolved: passing headers and attributes with AJP
Woolf, Carl
Carl_Woolf at hms.harvard.edu
Wed Aug 3 20:00:36 UTC 2022
So, per https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo
I added attributePrefix="AJP_" in shibboleth2.xml
And then, per https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp
I added allowedRequestAttributesPattern=".*" in the AJP connector in server.xml.
Seems like both were essential. Now I am getting attributes, and have turned off headers!
Cheers, - Carl
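The two settings from the message above, side by side, as an added example that is not part of the original post. The entityID and the attribute ids (eppn, affiliation) are placeholder assumptions; substitute the ids from your own attribute-map.xml. The last fragment is an assumed narrower alternative to ".*", so that Tomcat accepts only the request attributes the SP is expected to export.

```xml
<!-- shibboleth2.xml (SP side), fragment.
     attributePrefix="AJP_" makes the SP export each variable as AJP_<name>.
     mod_proxy_ajp forwards environment variables carrying the AJP_ prefix as
     AJP request attributes and strips the prefix, so the application reads
     request.getAttribute("eppn"), not "AJP_eppn".
     entityID is a constructed placeholder. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     attributePrefix="AJP_">
    <!-- Sessions, Errors, MetadataProvider, AttributeExtractor: unchanged -->
</ApplicationDefaults>

<!-- Tomcat 9 server.xml, fragment: the setting as described in the post.
     Tomcat's AJP connector rejects a request carrying a request attribute it
     does not recognise unless the attribute name fully matches this regular
     expression. ".*" accepts every attribute name the proxy sends. -->
<Connector protocol="AJP/1.3" port="8009"
           allowedRequestAttributesPattern=".*" />

<!-- Narrower alternative (assumption, not from the post): accept only the
     SP's own Shib-* session variables plus the attribute ids the application
     reads. The ids eppn and affiliation are examples; list the ids from your
     attribute-map.xml. Use this Connector in place of the one above. -->
<Connector protocol="AJP/1.3" port="8009"
           allowedRequestAttributesPattern="Shib-.*|eppn|affiliation" />
```

With the narrow pattern, an attribute id missing from the list makes Tomcat reject the request, so extend the pattern whenever attribute-map.xml gains a new id.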
From: users <users-bounces at shibboleth.net> on behalf of Woolf, Carl <Carl_Woolf at hms.harvard.edu>
Date: Wednesday, August 3, 2022 at 11:51 AM
To: users at shibboleth.net <users at shibboleth.net>, Haurie, Xavier <Xavier_Haurie at hms.harvard.edu>
Subject: Re: passing headers and attributes with AJP
I found guidance on AJP here: https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067400159/JavaHowTo
Will pursue that to try to solve my issue!
From: Woolf, Carl <Carl_Woolf at hms.harvard.edu>
Date: Wednesday, August 3, 2022 at 10:39 AM
To: users at shibboleth.net <users at shibboleth.net>
Subject: passing headers and attributes with AJP
Greetings, happily my team has decided to let Apache use AJP rather than HTTP in proxying to our Tomcat.
We are using shibd 3.3.0, and Apache 2.4.6. (Tomcat 9.)
Our Apache configuration has
ProxyPass "/our-app/" "ajp://shrine-sso-node01.catalyst.harvard.edu:8009/our-app/"
<LocationMatch "/shrine-api/">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user local
    ShibUseEnvironment On
    ShibUseHeaders On
</LocationMatch>
Our Tomcat is receiving request-headers, including those corresponding to Attributes being sent by our IdP.
We thought that ShibUseEnvironment would also send the information as request-attributes. But we do not seem to receive any request-attributes.
Any advice on how to get request-attributes sent? (We would then probably turn off ShibUseHeaders.)
Thanks, - Carl