Resolved: passing headers and attributes with AJP

Peter Schober peter.schober at
Wed Aug 3 21:34:38 UTC 2022

* Woolf, Carl <Carl_Woolf at> [2022-08-03 16:40]:
> ProxyPass "/our-app/" "ajp://"

Note that there's no transport-layer security here so this would
depend (1) on a secure network (from your web server to that other
host) and (2) configuration on system running the Tomat AJP connector
to make sure noone/nothing else can connect to that port other than
the webserver running Shib.
In most cases the AJP connection happens to localhost which doesn't
need (or benefit from) further securing, so these requirements may or
may not have been discussed earlier when you brought his up here.

* Woolf, Carl <Carl_Woolf at> [2022-08-03 22:01]:
> And then, per
> I added allowedRequestAttributesPattern=".*" in the ajp connector in server.xml.

Yeah, or a more restrictive version of that (where easily possible).

I got bitten by allowedRequestAttributesPattern myself when I hadn't
worked with Tomcat for a while and the code enforcing this (i.e.,
prevents attributes from being accepted unless allowlisted that way)
appeared in the (OS-packaged) Tomcat version I was using but the
documentation mentioning that requirement didn't. ;)

> Seems like both were essential. Now I am getting attributes, and have turned off headers!

Yes, both are, these days.
If the Shib wiki doesn't mention Tomcat now needing
allowedRequestAttributesPattern this should be added, of course.
Feel free to do that yourself (or someone else will hopefully get to
it, myself not excluded).

More information about the users mailing list