2012/9/30 Konstantin Kolinko <knst.koli...@gmail.com>:
> 2012/9/28 Christopher Schultz <ch...@christopherschultz.net>:
>> Konstantin,
>>
>> On 9/28/12 10:27 AM, Konstantin Kolinko wrote:
>>> 2012/9/28 Joan Morales <joan....@gmail.com>:
>>>> Hi,
>>>>
>>>> I have a security issue (session hijacking) with the JSESSIONID cookie.
>>>>
>>>> Here is the problem:
>>>>
>>>> I am using an architecture with an Apache2 server in front of
>>>> Tomcat. I have configured SSL on both sides,
>>>> Apache (ssl_module) and Tomcat (JSSE connectors).
>>>>
>>>> 1) I tried using a connection via the AJP protocol between
>>>> Apache2 and Tomcat, using the following configuration in
>>>> server.xml:
>>>>
>>>> APACHE (httpd) via HTTP/HTTPS
>>>>
>>>> <VirtualHost *:80>
>>>>     ProxyPass / http://localhost:8080/
>>>>     ProxyPassReverse / http://localhost:8080/
>>>> </VirtualHost>
>>>>
>>>> via AJP
>>>>
>>>> <VirtualHost *:80>
>>>>     ProxyPass / ajp://localhost:8009/
>>>>     ProxyPassReverse / ajp://localhost:8009/
>>>> </VirtualHost>
>>>>
>>>> <VirtualHost *:443>
>>>>     ServerAdmin ad...@mail.com
>>>>     ServerName localhost:443
>>>>     SSLProxyEngine on
>>>>     SSLEngine on
>>>>     SSLCertificateFile "c:/usr/SSL/name.crt"
>>>>     SSLCertificateKeyFile "c:/usr/SSL/name.key"
>>>>     ProxyPass / https://localhost:8443/
>>>>     ProxyPassReverse / https://localhost:8443/
>>>> </VirtualHost>
>>>>
>>>> Tomcat (server.xml)
>>>>
>>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>>>            port="8080" protocol="HTTP/1.1" redirectPort="8443"
>>>>            secure="true"/>
>>>> <Connector URIEncoding="UTF-8" port="8009"
>>>>            protocol="AJP/1.3" redirectPort="8443" scheme="https"
>>>>            secure="true"/>
>>>>
>>>> Results for this solution: I can still get the JSESSIONID cookie.
>>>>
>>>> 2) I tried using the HTTP/S protocol between Apache2
>>>> and Tomcat, using the following configuration:
>>>>
>>>> Apache: same configuration
>>>>
>>>> Tomcat (server.xml):
>>>>
>>>> <Connector URIEncoding="UTF-8" connectionTimeout="20000"
>>>>            port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
>>>>
>>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>>            maxThreads="150" scheme="https" secure="true"
>>>>            keystoreFile="path/name.keystore" keystorePass="password"
>>>>            clientAuth="false" sslProtocol="TLS" />
>>>>
>>>> I also added this to web.xml:
>>>>
>>>> <session-config>
>>>>     <session-timeout>30</session-timeout>
>>>>     <tracking-mode>SSL</tracking-mode>
>>>> </session-config>
>>>>
>>>> Results for this solution:
>>>>
>>>> The JSESSIONID cookie disappears. OK. Everything works OK if I
>>>> access Tomcat directly and bypass Apache
>>>> (localhost:8443): I can log in to the web page and keep the
>>>> session on every link inside the app.
>>>>
>>>> But when I try to access through Apache over https on port 443
>>>> (https://localhost:443), I can log in the
>>>> first time, but when I try to access somewhere else in the app I
>>>> lose the user session and the app logs me out. I checked the
>>>> logs and there are no errors in either Apache or Tomcat.
>>>>
>>>> So, is this solution implementable under this architecture? Am I
>>>> missing some configuration?
>>>>
>>>
>>> So you are trying to do
>>>
>>> Browser -> (HTTPS) -> Apache HTTPD -> (HTTPS) -> Tomcat
>>>
>>> In this case there are 2 different HTTPS connections.
>>>
>>> <session-config>
>>>     <session-timeout>30</session-timeout>
>>>     <tracking-mode>SSL</tracking-mode>
>>> </session-config>
>>>
>>> The above "SSL" session tracking configuration wouldn't work,
>>> because from Tomcat's point of view the only connection that it
>>> sees is the one from Apache HTTPD. It knows the "sslSession" identifier
>>> of this connection only.
>>>
>>> To use "SSL" session tracking you should connect to Tomcat
>>> directly.
>>
>> What about using Browser -> (HTTPS) -> httpd -> (AJP) -> Tomcat?
>>
>> Since httpd forwards all the SSL information, can Tomcat sniff that
>> and successfully use SSL-based session identification?
>>
>
> Well, maybe you are right and it already works.
>
> Facts:
>
> 1) From the Apache HTTPD side, the mod_ssl documentation says that the id
> is available as the SSL_SESSION_ID variable.
>
> At the Tomcat side,
> 2) when an SSL HTTP connection is used to Tomcat, the id is available as
> request.getAttribute("javax.servlet.request.ssl_session_id") (the
> attribute name is defined in the Servlet specification).
>
> In Tomcat there is a constant for it, SSLSupport.SESSION_ID_KEY.
>
> 3) javax.servlet.SessionTrackingMode.SSL is the constant that
> represents the "SSL" session tracking mode.
>
> 4) See o.a.c.connector.CoyoteAdapter#parseSessionSslId(..)
> The method operates on the said request attribute only and on the "secure"
> flag of the connector. The "secure" flag is configurable.
>
> 5) So the question is whether the attribute is populated or not.
> Looking at AbstractAjpProcessor.prepareRequest(), the ssl_session_id
> request attribute is being set there.
>
>
> So what is missing in OP's configuration?
> I see that the secure flag on <Connector> was set.
>

Regarding mod_jk, see the JkExtractSSL option in the docs. It says there what else you need (SSLOptions +StdEnvVars).
http://tomcat.apache.org/connectors-doc/reference/apache.html

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
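The facts listed in the thread (the javax.servlet.request.ssl_session_id attribute, the "secure" connector flag, and the SSL tracking mode from web.xml) can be checked from inside the webapp rather than by guessing from the browser's cookies. The diagnostic servlet below is an added example written for this thread; it is not code from the thread or from Tomcat itself. It assumes a Servlet 3.0+ container (Tomcat 7 or later, so that @WebServlet and getEffectiveSessionTrackingModes() exist), and the class name and the /ssl-session-check path are arbitrary choices. The verdict strings reuse the knobs named in the thread (secure="true" on the AJP connector, JkExtractSSL and SSLOptions +StdEnvVars on the httpd side).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added diagnostic servlet (not part of the thread or of Tomcat). Deploy it
 * in the webapp and request it once directly and once through the proxy to
 * see whether the SSL session id survives the hop and whether Tomcat is
 * really tracking the session by it. The path name is an assumption.
 */
@WebServlet("/ssl-session-check")
public class SslSessionCheckServlet extends HttpServlet {

    // Attribute name defined by the Servlet specification (item 2 in the thread).
    static final String SSL_SESSION_ID_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        Object sslId = req.getAttribute(SSL_SESSION_ID_ATTR);
        Set<SessionTrackingMode> modes = getServletContext().getEffectiveSessionTrackingModes();
        boolean sslTracking = modes.contains(SessionTrackingMode.SSL);

        // Creating the session here shows which id Tomcat actually assigns.
        HttpSession session = req.getSession(true);

        out.println("request.isSecure()        = " + req.isSecure());
        out.println("effective tracking modes  = " + modes);
        out.println("ssl_session_id attribute  = " + sslId);
        out.println("HttpSession id            = " + session.getId());
        out.println("requested id              = " + req.getRequestedSessionId());
        out.println("requested id valid        = " + req.isRequestedSessionIdValid());
        out.println("requested id from cookie  = " + req.isRequestedSessionIdFromCookie());
        out.println("requested id from URL     = " + req.isRequestedSessionIdFromURL());
        out.println();
        out.println("diagnosis: " + diagnose(req.isSecure(), sslTracking, sslId, session.getId()));
    }

    /**
     * Plain-text verdict derived from the three conditions the thread names.
     * Kept separate from the servlet API so it can be exercised without a container.
     */
    static String diagnose(boolean secure, boolean sslTracking, Object sslId, String sessionId) {
        if (!sslTracking) {
            return "SSL tracking mode is not in effect; check <tracking-mode>SSL</tracking-mode> in web.xml";
        }
        if (!secure) {
            return "the connector is not marked secure; CoyoteAdapter ignores the SSL id unless secure=\"true\" is set";
        }
        if (sslId == null) {
            return "no SSL session id reached Tomcat; the front end is not forwarding it "
                 + "(for mod_jk: JkExtractSSL On together with SSLOptions +StdEnvVars)";
        }
        if (sslId.toString().equals(sessionId)) {
            return "OK: the HttpSession was created under the SSL session id forwarded by the front end";
        }
        return "an SSL id is present but the HttpSession has a different id; the session was "
             + "probably created over another connection (direct or plain HTTP), so repeat the login through the proxy";
    }
}
```

Requesting the servlet twice through the proxy is the useful check: with SSL tracking working, both responses show the same HttpSession id, equal to the forwarded SSL id, no JSESSIONID cookie, and "requested id valid = true" on the second request. The case the original poster hit (login works, the next request is logged out) shows up as the SSL id changing or disappearing between requests, which points at the front end rather than at Tomcat.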