Tomcat – Forward Shibboleth Environment Variables to Tomcat via Apache

apache-2.2environment-variablesshibbolethtomcat

I am using Shibbolethv2.3 with Apache web server and Tomcat application server. I am using Apache as a reverse proxy using mod_proxy.so. I am not able to forward the Shibboleth environment variables from Apache to Tomcat. I am able to forward the attributes in the headers but as already mentioned in the wiki this approach is not safe.
I have tried forwarding the environment variables by the following directive :

SetEnv AJP_username ${username}

then at the Java side I can access the attribute by : request.getAttribute("username");
The strange thing here is that, I get a different value instead of the one set by Shibboleth. I get the Windows account name as a result. If I use any other attribute name, I get a null value.

I have searched a lot and have run out of options. Please guide me towards the right solution.

My setup details :

Shibboleth version : 2.3
OS : Windows XP SP3
Webserver : Apache 2.2
Application Server : Tomcat 6
Proxy module : mod_proxy.so

Best Answer

Make sure you are proxying through using ajp in the httpd.conf

ProxyPass /example ajp://example.org/example

And in the shibboleth2.xml in the ApplicationDefaults section we need to add

attributePrefix="AJP_"

So it looks something like

<ApplicationDefaults id="default" policyId="default"
    entityID="https://idp.example.org"
    REMOTE_USER="eppn persistent-id targeted-id"
    signing="false" encryption="false" attributePrefix="AJP_">

Check out this question on the shib mailing list: http://groups.google.com/group/shibboleth-users/browse_thread/thread/2bdd3e272baf49a2?pli=1

Related Solutions

Php – Shibboleth does pass attribute to server variable in PHP

I think that the answer that @pete k provides, is correct - although I didn't understand it at first. For others with limited Apache knowledge (like me) trying to configure Shibboleth, Shibboleth doesn't automatically make its server variables available to every page in your application, unless you explicitly tell it to. You can do this by putting the following sort of code either in a .htaccess file, or in a file in /etc/httpd/conf.d/

<Location /location-you-want-to-access-server-variables>
   AuthType shibboleth
    # ShibRequestSetting requireSession 1
   Require shibboleth
</Location>

If you uncomment the middle directive, pages in the specified location will be forced to authenticate via shibboleth. If you leave it commented, authorisation won't be forced, but you will have access to your shibboleth server variables. In PHP, for example, they would be found in $_SERVER - although of course they won't be set until you do authenticate via Shibboleth.

Docker conatiner: Get passed environment varaible in tomcat spring mvc application

I solved my problem with the following command, but I will still wait for a better answer to accept.

docker run -v /home/ubuntu/code:/usr/local/tomcat/webapps -e JAVA_OPTS="-Ddb.username=root -Ddb.password=abc123" -it -p 80:8080 tomcat

In above command I am trying to run a tomcat container, I have mounted host directory onto container's tomcat webapps directory.

Then I am passing an environment variable JAVA_OPTS which will set Java properties that I will read in my Java code using System.getProperty("db.username")

Best Answer

Related Solutions

Php – Shibboleth does pass attribute to server variable in PHP

Docker conatiner: Get passed environment varaible in tomcat spring mvc application

Related Topic