Discussion:
Passing Shibboleth SP Headers to Tomcat on IIS 7 with Tomcat Connector
Gary Gwin
2014-09-19 23:01:19 UTC
I have a Shibboleth SP IIS 7 configuration working with multiple
applications in the same "Default Web Site" vhost using <RequestMaps>
that match on patterns like this:

<PathRegex regex="idp/1" applicationId="idp1" authType="shibboleth"
requireSession="true"/>
<PathRegex regex="idp/2" applicationId="idp2" authType="shibboleth"
requireSession="true"/>

Shibboleth SP only populates headers when the path above is matched,
which makes sense. If I map the same path to the Tomcat Connector, then
Shibboleth SP appears to be bypassed and the request is sent to Tomcat
directly. I've tried various orderings of the respective ISAPI filters
with no luck.

Is there a known way to configure Shibboleth SP with IIS 7, the Tomcat
Connector and Tomcat such that the Shibboleth headers are sent to Tomcat?

Or, is there an alternative way for a Servlet in Tomcat to get a handle
to such Shibboleth information?

Cheers,

Gary
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Cantor, Scott
2014-09-19 23:12:58 UTC
Post by Gary Gwin
Shibboleth SP only populates headers when the path above is matched,
which makes sense. If I map the same path to the Tomcat Connector, then
Shibboleth SP appears to be bypassed and the request is sent to Tomcat
directly. I've tried various orderings of the respective ISAPI filters
with no luck.
If you're seeing the SP redirect and establish a session, then it's not
being bypassed, so there's no guesswork involved. If a fresh access
doesn't redirect away, then it definitely isn't running. If it does, then
it is, and the headers are set.
Post by Gary Gwin
Is there a known way to configure Shibboleth SP with IIS 7, the Tomcat
Connector and Tomcat such that the Shibboleth headers are sent to Tomcat?
I assume the normal way just works, it certainly has for others.
Post by Gary Gwin
Or, is there an alternative way for a Servlet in Tomcat to get a handle
to such Shibboleth information?
No.

-- Scott
Gary Gwin
2014-09-19 23:35:20 UTC
Hi Scott,
Post by Cantor, Scott
I assume the normal way just works, it certainly has for others.
That's good to know. I assume the "normal way" is configuring
applications at the vhost level as that's how the documentation is
written. When I try it with regex URL path matching, Shibboleth SP works
fine, but the environment variables only populate for the matched path.
When I configure uriworkermap.properties with the matched path the
requests are mapped to Tomcat bypassing Shibboleth.

I'll try a test the "normal way" and get back with the results.

Thanks for the quick response.

Gary
--
Gary Gwin
Cafesoft
858.268.5100 x501
http://www.cafesoft.com

Cantor, Scott
2014-09-20 01:54:40 UTC
Post by Gary Gwin
That's good to know. I assume the "normal way" is configuring
applications at the vhost level as that's how the documentation is
written.
No, the filter running or not is an IIS question.
Post by Gary Gwin
When I try it with regex URL path matching, Shibboleth SP works
fine, but the environment variables only populate for the matched path.
When I configure uriworkermap.properties with the matched path the
requests are mapped to Tomcat bypassing Shibboleth.
The SP isn't in control of that, IIS is.

-- Scott
Peter Schober
2014-09-20 10:30:47 UTC
Post by Gary Gwin
Or, is there an alternative way for a Servlet in Tomcat to get a
handle to such Shibboleth information?
Kind of: Replacing MS-IIS with Apache httpd and mod_proxy_ajp.
That also works with environment variables which is preferable to
relying on HTTP request headers. (Not sure what the connector for
MS-IIS you're using supports, you only mentioned headers so far).
-peter
Cantor, Scott
2014-09-20 17:32:18 UTC
Post by Peter Schober
Post by Gary Gwin
Or, is there an alternative way for a Servlet in Tomcat to get a
handle to such Shibboleth information?
Kind of: Replacing MS-IIS with Apache httpd and mod_proxy_ajp.
That also works with environment variables which is preferable to
relying on HTTP request headers. (Not sure what the connector for
MS-IIS you're using supports, you only mentioned headers so far).
Their connector might handle more, but the old APIs the SP uses in IIS
don't have the ability to set anything but headers, so there's nothing
else it can pass along.

-- Scott
Peter Schober
2014-09-22 11:15:46 UTC
Post by Cantor, Scott
Their connector might handle more, but the old APIs the SP uses in IIS
don't have the ability to set anything but headers, so there's nothing
else it can pass along.
Ah, OK.

I also re-checked and realized that the Tomcat Connector reference was
about mod_jk (which I didn't know was available for MS-IIS as
well), which is actually more powerful than mod_proxy_ajp, but usually
needs to be compiled separately (thereby becoming a maintenance issue)
and has much more complex configuration, whereas mod_proxy_ajp is
included with later httpd 2.2 and 2.4 builds and will often Just Work.

All of that is moot, of course, if the APIs exercised by the SP only
support generation of HTTP request headers, not environment variables.

Sorry for side-tracking the discussion.
-peter
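
Added example, not part of the original thread and not the posters' own configuration: a sketch of the Apache httpd plus mod_proxy_ajp alternative Peter describes, with the SP exporting attributes as environment variables instead of request headers. The /app path, AJP port 8009 and the "eppn" attribute name are assumptions.

```apache
# Added sketch; /app, port 8009 and the "eppn" attribute are assumed values.
#
# shibboleth2.xml (SP side): export attributes with the AJP_ prefix, e.g.
#   <ApplicationDefaults entityID="..." attributePrefix="AJP_">
# mod_proxy_ajp forwards only environment variables named AJP_* and strips
# the prefix, so AJP_eppn arrives in Tomcat as the request attribute "eppn".

<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    # Export attributes as environment variables only; request headers can be
    # supplied by the client, environment variables cannot.
    ShibUseHeaders Off
</Location>

# Hand the protected path to Tomcat's AJP connector on the loopback interface.
ProxyPass /app ajp://127.0.0.1:8009/app

# Tomcat side (servlet): request.getAttribute("eppn")
# The AJP connector should be reachable only from httpd, because Tomcat
# trusts whatever attributes arrive over AJP.
```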