2012/9/28 Christopher Schultz <ch...@christopherschultz.net>:
> Konstantin,
>
> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>> 2012/9/28 Joan Morales <joan....@gmail.com>:
>>> Hi,
>>>
>>> I have a security issue (session hijacking) with the JSESSIONID cookie.
>>>
>>> Here is the problem:
>>>
>>> I am using an architecture with an Apache2 server in front of
>>> Tomcat. I have configured SSL on both sides,
>>> Apache (ssl_module) and Tomcat (JSSE connectors).
>>>
>>> 1) I tried using a connection via the AJP protocol between
>>> Apache2 and Tomcat using the following configuration in
>>> server.xml:
>>>
>>> APACHE (httpd)
>>>
>>> via HTTP/HTTPS
>>> <VirtualHost *:80>
>>>   ProxyPass / http://localhost:8080/
>>>   ProxyPassReverse / http://localhost:8080/
>>> </VirtualHost>
>>>
>>> via AJP
>>> <VirtualHost *:80>
>>>   ProxyPass / ajp://localhost:8009/
>>>   ProxyPassReverse / ajp://localhost:8009/
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>   ServerAdmin ad...@mail.com
>>>   ServerName localhost:443
>>>   SSLProxyEngine on
>>>   SSLEngine on
>>>   SSLCertificateFile "c:/usr/SSL/name.crt"
>>>   SSLCertificateKeyFile "c:/usr/SSL/name.key"
>>>   ProxyPass / https://localhost:8443/
>>>   ProxyPassReverse / https://localhost:8443/
>>> </VirtualHost>
>>>
>>> Tomcat (server.xml)
>>>
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>>            port="8080" protocol="HTTP/1.1" redirectPort="8443"
>>>            secure="true"/>
>>> <Connector URIEncoding="UTF-8" port="8009"
>>>            protocol="AJP/1.3" redirectPort="8443" scheme="https"
>>>            secure="true"/>
>>>
>>> Results for this solution: I can still get the JSESSIONID cookie.
>>>
>>> 2) I tried using the HTTP/S protocol to connect between Apache2
>>> and Tomcat using the following configuration:
>>>
>>> Apache: same configuration
>>>
>>> Tomcat (server.xml):
>>>
>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>>            port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
>>>
>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>            maxThreads="150" scheme="https" secure="true"
>>>            keystoreFile="path/name.keystore" keystorePass="password"
>>>            clientAuth="false" sslProtocol="TLS" />
>>>
>>> I also added this in web.xml:
>>>
>>> <session-config>
>>>   <session-timeout>30</session-timeout>
>>>   <tracking-mode>SSL</tracking-mode>
>>> </session-config>
>>>
>>> Results for this solution:
>>>
>>> The JSESSIONID cookie disappears, OK. Everything works OK if I
>>> access Tomcat directly and bypass Apache (localhost:8443): I can
>>> log in to the web page and keep the session on every link inside
>>> the app.
>>>
>>> But when I try to access it through Apache over https on port 443
>>> (https://localhost:443), I can log in the first time, but when I
>>> try to access somewhere else in the app I lose the user session
>>> and the app logs me out. I checked the logs and there are no
>>> errors in either Apache or Tomcat.
>>>
>>> So, is this solution implementable under this architecture? Am I
>>> missing some configuration?
>>>
>>
>> So you are trying to do
>>
>> Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat
>>
>> In this case there are 2 different HTTPS connections.
>>
>> <session-config>
>>   <session-timeout>30</session-timeout>
>>   <tracking-mode>SSL</tracking-mode>
>> </session-config>
>>
>> The above "SSL" session tracking configuration wouldn't work,
>> because from Tomcat's point of view the only connection that it
>> sees is the one from Apache HTTPD. It knows the "sslSession"
>> identifier of this connection only.
>>
>> To use "SSL" session tracking you should connect to Tomcat
>> directly.
>
> What about using Browser -> (HTTPS) -> httpd -> (AJP) -> Tomcat?
>
> Since httpd forwards all the SSL information, can Tomcat sniff that
> and successfully use SSL-based session identification?
>
Well, maybe you are right and it already works.

Facts:

1) From the Apache HTTPD side, the mod_ssl documentation says that the
id is available as the SSL_SESSION_ID variable.

At the Tomcat side,

2) When an SSL HTTP connection is used to Tomcat, the id is available as
request.getAttribute("javax.servlet.request.ssl_session_id") (the
attribute name is defined in the Servlet specification). In Tomcat there
is a constant for it, SSLSupport.SESSION_ID_KEY.

3) javax.servlet.SessionTrackingMode.SSL is the constant that represents
the "SSL" session tracking mode.

4) See o.a.c.connector.CoyoteAdapter#parseSessionSslId(..). The method
operates on the said request attribute only and on the "secure" flag of
the connector. The "secure" flag is configurable.

5) So the question is whether the attribute is populated or not. Looking
at AbstractAjpProcessor.prepareRequest(), the ssl_session_id request
attribute is being set there.

So what is missing in the OP's configuration? I see that the secure flag
on <Connector> was set.

Maybe debugging (with a breakpoint in CoyoteAdapter#parseSessionSslId(..))
will help?
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

Best regards,
Konstantin Kolinko
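A diagnostic servlet filter, added here as an example and not part of the thread or of Tomcat itself, that answers point 5 without attaching a debugger: for each request it logs whether the ssl_session_id attribute reached Tomcat, whether the connector reports the request as secure, and which session tracking modes the web application actually has in effect. It assumes the Servlet 3.0 API; map it to /* in web.xml and compare a request that goes through httpd (HTTPS or AJP) with one made directly to port 8443.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;

// Diagnostic filter (example code, not Tomcat's own): logs the inputs that
// decide whether SSL session tracking can work for a given request.
public class SslSessionTrackingDiagnosticFilter implements Filter {

    // Attribute name defined by the Servlet spec (Tomcat: SSLSupport.SESSION_ID_KEY)
    private static final String SSL_SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";

    private ServletContext context;

    @Override
    public void init(FilterConfig filterConfig) {
        context = filterConfig.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        Object sslId = req.getAttribute(SSL_SESSION_ID_ATTR);
        Set<SessionTrackingMode> modes = context.getEffectiveSessionTrackingModes();
        // CoyoteAdapter only consults the attribute when the connector is secure
        boolean secure = req.isSecure();
        boolean sslModeOn = modes.contains(SessionTrackingMode.SSL);
        boolean canTrackBySsl = secure && sslModeOn && sslId != null;

        context.log("SSL session tracking check for " + req.getRequestURI()
                + ": secure=" + secure
                + ", effectiveModes=" + modes
                + ", sslSessionIdPresent=" + (sslId != null)
                + ", requestedSessionIdValid=" + req.isRequestedSessionIdValid()
                + " -> " + (canTrackBySsl ? "OK" : "SSL tracking cannot work"));

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

If the log shows sslSessionIdPresent=false only for requests that arrive via httpd, the proxy hop is not passing the SSL session id and cookie- or URL-based tracking will be needed on that path.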