2012/9/28 Joan Morales <[email protected]>:
> Hi,
>
> I have a security issue (hijack session) with JSESSIONID cookie,
>
> here is the problem:
>
> I am using an architecture with an Apache2 server in front of Tomcat. I
> have configured SSL on both sides, Apache (ssl_module) and
> Tomcat (JSSE connectors),
>
> 1) I tried using a connection via the AJP protocol between Apache2
> and Tomcat, using the following configuration in server.xml:
>
> APACHE(httpd)
> via HTTP/HTTPS
> <VirtualHost *:80>
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> </VirtualHost>
>
> via AJP
> <VirtualHost *:80>
> ProxyPass / ajp://localhost:8009/
> ProxyPassReverse / ajp://localhost:8009/
> </VirtualHost>
>
> <VirtualHost *:443>
> ServerAdmin [email protected]
> ServerName localhost:443
> SSLProxyEngine on
> SSLEngine on
> SSLCertificateFile "c:/usr/SSL/name.crt"
> SSLCertificateKeyFile "c:/usr/SSL/name.key"
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> </VirtualHost>
>
> Tomcat (server.xml)
>
> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
> <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
> redirectPort="8443" scheme="https" secure="true"/>
>
> Results for this solution:
> I can still get the JSESSIONID cookie
>
> 2) I tried using the HTTP/S protocol between Apache2 and
> Tomcat, using the following configuration:
>
> Apache:
> Same configuration
>
> Tomcat (server.xml):
>
> <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> protocol="HTTP/1.1" redirectPort="8443"/>
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="path/name.keystore" keystorePass="password"
> clientAuth="false" sslProtocol="TLS" />
>
> I also added this to the web.xml:
>
> <session-config>
> <session-timeout>30</session-timeout>
> <tracking-mode>SSL</tracking-mode>
> </session-config>
>
> Results for this solution:
>
> The JSESSIONID cookie disappears OK.
> Everything works OK if I access Tomcat directly and bypass
> Apache (localhost:8443): I can log in to the web page and keep the
> session on every link inside the app.
>
> But when I try to access through Apache over HTTPS on port 443
> (https://localhost:443), I can log in the first time, but
> when I try to access somewhere else in the app I lose the user session and
> the app logs me out. I checked the logs and there are no errors in
> either Apache or Tomcat.
>
> So, is this solution implementable under this architecture?
> Am I missing some configuration?
>
So you are trying to do

Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat

In this case there are 2 different HTTPS connections.

<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>SSL</tracking-mode>
</session-config>

The above "SSL" session tracking configuration wouldn't work, because
from Tomcat's point of view the only connection that it sees is the
one from Apache HTTPD. It knows the "sslSession" identifier of this
connection only.

To use "SSL" session tracking you should connect to Tomcat directly.

Best regards,
Konstantin Kolinko
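To catch this mismatch before it reaches production, here is an added configuration check (written for this thread, not code from the poster or from the Tomcat project) that reads a web.xml and an httpd virtual-host block and flags an SSL tracking-mode on a Tomcat that httpd proxies to. The web.xml and httpd.conf snippets are constructed to mirror the ones quoted above; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the configuration quoted in the thread
# (not the poster's actual files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
  </session-config>
</web-app>"""

HTTPD_CONF = """<VirtualHost *:443>
  SSLEngine on
  SSLProxyEngine on
  ProxyPass / https://localhost:8443/
  ProxyPassReverse / https://localhost:8443/
</VirtualHost>"""

def tracking_modes(web_xml: str) -> set:
    """Return the <tracking-mode> values declared in web.xml, upper-cased.
    Matches on the local element name so namespaced and plain files both work."""
    root = ET.fromstring(web_xml)
    return {el.text.strip().upper() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "tracking-mode" and el.text}

# Matches 'ProxyPass <path> <backend>' only; ProxyPassReverse has no space
# after 'ProxyPass', so it is deliberately skipped.
PROXYPASS = re.compile(r"^\s*ProxyPass\s+\S+\s+(\S+)", re.MULTILINE)

def proxied_backends(httpd_conf: str) -> list:
    """Return the backend URLs (http, https or ajp) that httpd forwards to."""
    return PROXYPASS.findall(httpd_conf)

def check_ssl_tracking(web_xml: str, httpd_conf: str) -> list:
    """Flag SSL session tracking when Tomcat only ever sees httpd's TLS connection:
    the sslSession id Tomcat keys on belongs to the proxy hop, not the browser."""
    backends = proxied_backends(httpd_conf)
    if "SSL" not in tracking_modes(web_xml):
        return []
    return [f"tracking-mode SSL will not work: Tomcat behind httpd at {b} sees "
            "only the proxy's TLS session, not the browser's" for b in backends]

if __name__ == "__main__":
    for finding in check_ssl_tracking(WEB_XML, HTTPD_CONF):
        print(finding)
```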