Score:0

tomcat9 shibboleth+mod_jk authentication forbidden


I have a Spring Boot application running currently under Tomcat 8.5 that has a shibboleth-based SSO integrated. Shibboleth and tomcat are connected using apache2 mod_shib and mod_jk, using default Debian 9 packages.

I am now trying to upgrade the application's environment to Debian 10 (and thus tomcat 9), and most things work with minor configuration changes, except the Shibboleth-based authentication.

When calling /login/shibboleth (which is configured in apache to authenticate using shibboleth, and then log in inside the application using the provided shibboleth shared variables), the shibboleth SAML2 authentication protocol is correctly completed (and the shibboleth session can be queried afterwards in apache), but the handler method for /login/shibboleth is not called (I checked this using remote debugging); the request is refused by tomcat itself:

HTTP Status 403 – Forbidden
Type Status Report

Description The server understood the request but refuses to authorize it.

Apache Tomcat/9.0.31 (Debian)

I have tried to look into this problem, and one possible solution seemed to be using a secret in the AJP connector. Defining one (in tomcat9's server.xml) does not seem to change any behaviour (also, mod_jk does not seem to have a corresponding option, so I wonder how any function works when a secret is configured).

Does anyone have ideas about:

  • What may cause this problem.
  • What the possible solutions are.
Score:0

The AJP connector stopped allowing just any ol' request attribute to pass through in recent versions of Tomcat. The attributes that are passed through by default are described here: https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Standard_Implementations

You can test if this is causing your 403 error by temporarily allowing all attributes within your AJP connector definition (likely found in server.xml).

<Connector protocol="AJP/1.3" 
           port="8009" 
           secret="your_ajp_secret" 
           allowedRequestAttributesPattern=".*" />

If that works, you can limit the allowed attributes to the ones you actually need. It will vary by implementation, but this worked for me: allowedRequestAttributesPattern="^(Shib-.*|eppn)$"

If your issue is truly with the AJP secret, note that Apache's mod_proxy_ajp didn't support secrets until recently. You'll find it documented in recent versions though. See https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html.

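To see what the answer's two settings do before touching a live server, here is an added audit script (not from the question, the answer, or Tomcat itself) that reads AJP Connector elements out of a server.xml and emulates Tomcat's whole-name regex check against the attribute names mod_shib/mod_jk would forward. The server.xml fragment and the attribute names are constructed for the example; Tomcat's built-in list of standard attributes is not modelled, only the allowedRequestAttributesPattern check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with two AJP connectors: one left at the
# Tomcat 9 defaults, one configured the way the answer suggests.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" />
    <Connector protocol="AJP/1.3" port="8010" secret="example-secret"
               allowedRequestAttributesPattern="^(Shib-.*|eppn)$" />
  </Service>
</Server>"""

# Constructed names of request attributes a Shibboleth login would forward.
SHIB_ATTRIBUTES = ["Shib-Session-ID", "Shib-Identity-Provider", "eppn"]


def attribute_allowed(pattern, name):
    """Emulate Tomcat's check: the whole attribute name must match the regex.
    With no pattern configured, a non-standard attribute is not accepted."""
    if pattern is None:
        return False
    return re.fullmatch(pattern, name) is not None


def audit_ajp_connectors(xml_text, attributes):
    """Return one dict per AJP connector: port, whether a secret is set, the
    configured pattern, the attributes it would reject, and whether the
    pattern is the catch-all the answer recommends only as a temporary test."""
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        pattern = conn.get("allowedRequestAttributesPattern")
        rejected = [a for a in attributes if not attribute_allowed(pattern, a)]
        results.append({
            "port": conn.get("port"),
            "secret_set": bool(conn.get("secret")),
            "pattern": pattern,
            "rejected": rejected,
            "overly_broad": pattern == ".*",
        })
    return results


if __name__ == "__main__":
    for report in audit_ajp_connectors(SERVER_XML, SHIB_ATTRIBUTES):
        print(report)
```

Run it against a copy of your own server.xml to see which Shibboleth attributes the current pattern would reject and whether the connector still carries the catch-all `.*` after testing.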
