NVO SSO mod proxy ajp

From MyWiki

Jump to: navigation, search
NVO Single Signon

Contents

Using mod_proxy_ajp with NVO SSO

Problems between mod_proxy_ajp and mod_pubcookie

Although mod_proxy_ajp is much simpler to set up than mod_jk, Pubcookie does not interoperate well with it. In particular, the granting cookie never gets cleared and replaced with a session cookie.

Basic Configuration

  • In Tomcat's conf/server.xml, there is an AJP Connector configured by default on port 8009. Add tomcatAuthentication="false" to it: 
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 for mod_proxy_ajp -->

<Connector port="8009"

    enableLookups="false" redirectPort="8443" debug="0"

    tomcatAuthentication="false"

    protocol="AJP/1.3" />





  •  For each Tomcat path that you want to proxy behind Apache HTTPD, add a mod_proxy_ajp directive to httpd.conf (or pubcookie.conf—any HTTPD config file, really):



ProxyPass /<httpd_path>/ ajp://localhost:8009/<tomcat_path>/




For example, if you want to make the Tomcat web application purse_registration<tt>, whose Tomcat URL is <tt>http://<host>:8080/purse_registration/, available  via HTTPD at http://<host>/register/, then <httpd_path> would be register, and <tomcat_path> would be purse_registration:



ProxyPass /register/ ajp://localhost:8009/purse_registration/




Note that URLs will need to include the trailing slash, or else mod_proxy_ajp will not forward them.  In this example http://<host>/register/ will work, but http://<host>/register will not.


  •  To require Pubcookie authentication, configure Pubcookie authentication in HTTPD config:



<Location /<httpd_path>/>

    PerlFixupHandler Myproxy::Mod_Myproxy

    AuthType Basic

    require valid-user

</Location>





  Fixing Cookie Problems 


(Forward by Nathan Dors, a Pubcookie contributor, originally from Frank Fujimoto, another Pubcookie contributor and webmaster.)



From: Frank Fujimoto
Date: Thu, 13 Jul 2006 14:38:28 -0700
Subject: Re: pubcookie, apache 2.2, ajp proxy

well, getting pbc working with the ajp proxy isn't documented, and
it's quite a hack.  ok, here goes

assume the url is http://host/app/ and tomcat is listening on port
8009.  $DOCUMENT_ROOT/app/.htaccess has:

       AuthType UWNetID
       PubcookieAppID app
       require group u:cac:all

       RewriteEngine on
       RewriteBase /app
       RewriteRule ^ajp:// - [L]
       RewriteRule ^/ - [L]
       RewriteRule ^LOGIN/ - [L]
       RewriteCond %{HTTP_COOKIE} !pubcookie_s_app=
       RewriteRule ^(.*)$ https://%{SERVER_NAME}/app/LOGIN/$1 [R,L]
       RewriteRule (.*) ajp://localhost:8009/app/$1 [P,L]

       <Files LOGIN>
               SetHandler cgi-script
       </Files>

the rewrite rules could be streamlined, but we haven't run into
performance problems.  rewritebase probably can go, but i have a
habit of putting it in anyway.  this .htaccess also assumes apache2,
for which the rewrite rules aren't applied unless the user is logged
in (the opposite is true of apache 1.3).  LOGIN is:

       #!/bin/sh

       url="https://$SERVER_NAME`echo $REQUEST_URI | sed s,LOGIN/,,`"
       content="\
       <html>\
       <head>\
       <meta http-equiv=\"refresh\" content=\"0;URL=$url\">\
       </head>\
       <body>\
       <a href=\"$url\">Continue to app</a>\
       </body>\
       </html>"

       len=`echo $content | wc -c`
       echo 'Content-Type: text/html'
       echo "Content-Length: $len"
       echo 
       echo $content

of course, the script could be tuned more, but it was a quickie.
also, it doesn't get run very often, so performance isn't really a
priority

a walkthrough:

       1. user connects to /app/rest/of/url, goes through weblogin, then comes
          back to the host (we're using POST).  REMOTE_USER and the pre-session
          cookie are set, but not the session cookie.
       2. url gets rewritten to /app/LOGIN/rest/of/url since the session
          cookie isn't set yet.  this redirect won't set it yet, either, but
          the pre-session cookie will last long enough for our needs
       3. LOGIN app sends back a refresh for 0 seconds.  since it's normal
          output, the session cookie gets set and the pre-session cookie
          cleared (i send content-length so keepalives will stay active)
       4. user gets to /app/rest/of/url, all logged in

pubcookieondemand isn't required, nor will it work for this case,
since we're using an ldap group.  there may be a different way of
doing all this - i just stopped trying once i got it working (but do
know that LOGIN had to return actual content rather than being just
another redirect)  -fmf







Retrieved from "http://mywiki.ncsa.uiuc.edu/wiki/NVO_SSO_mod_proxy_ajp"

						
						

		

	

		

		

	
	

		
Personal tools