That was it. I lost an entire day on that. I greatly appreciate your time!

Lance

On 4/23/20, 1:30 PM, "Mark Thomas" <ma...@apache.org> wrote:

On 23/04/2020 18:57, Campbell, Lance wrote:
> I am upgrading from Tomcat 9.0.30 to 9.0.31. This same issue occurs
> with any newer version of Tomcat as well. I have been using Tomcat since
> the earliest version. I have never had an issue with upgrading or
> installing until now.
>
> I have an Apache web server with mod_jk and mod_shib. I have a separate
> Tomcat application server. When I upgraded from 9.0.30 to 9.0.31,
> Shibboleth-secured Tomcat web pages will not work. Non-Shibboleth pages
> work fine. If I revert Tomcat to 9.0.30 it works fine. I have a
> feeling that there is something new between these two versions that is
> preventing the passing of Shibboleth information.
>
> When I go to a web page that is protected by Shibboleth I get an *HTTP
> Status 403 – Forbidden.*
>
> In Shibboleth I see no errors.
>
> Tomcat does not appear to be able to get the page request.
>
> I see the error in the Apache web server log when it tries to send the
> request to the Shibboleth IDP.
>
> What am I missing? I would imagine other people have had this issue.

I'm guessing that Shibboleth passes information from httpd to Tomcat via
request attributes.

Part of the tightening up of security as a result of CVE-2020-1938 was
restricting the acceptable request attributes. See
allowedRequestAttributesPattern in
http://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Standard_Implementations

The quick and dirty test is to set allowedRequestAttributesPattern=".*"
for your AJP connector and see if that fixes it. If it does, you need to
find out what request attributes Shibboleth is setting and then create a
pattern to allow them (the pattern only needs to match the extra ones,
the standard ones are always allowed through).

We don't currently log the problematic attributes. Enabling debug
logging for mod_jk should allow you to figure out the request names if
the Shibboleth documentation doesn't document them.
Mark
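The two-step procedure Mark describes, written out as a server.xml sketch; this is an added illustration, not configuration from the thread or from the Tomcat or Shibboleth projects. The attribute names in the second pattern and the shared secret are placeholders: take the real names from your mod_shib/mod_jk configuration or the mod_jk debug log, as Mark suggests.

```xml
<!-- server.xml, inside <Service name="Catalina">. Only one of the two
     connectors below should be active at a time. -->

<!-- Step 1: diagnostic only. If the 403 disappears with ".*", the
     request-attribute restriction introduced in 9.0.31 is the cause.
     Do not leave this in place: it undoes part of the CVE-2020-1938
     hardening. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-SHARED-SECRET"
           allowedRequestAttributesPattern=".*" />

<!-- Step 2: allow only the extra attributes mod_shib actually forwards.
     The standard AJP attributes are always accepted, so the pattern
     needs to match just the Shibboleth ones. The names below are
     assumed examples (AJP_ prefix, eppn, affiliation, Shib-*), not
     values from the thread; replace them with the names seen in the
     mod_jk debug log. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-SHARED-SECRET"
           allowedRequestAttributesPattern="^AJP_(eppn|affiliation|Shib-[A-Za-z-]+)$" />
```

The `secretRequired`/`secret` pair is the other 9.0.31 change for the same CVE; the secret must match the one configured on the mod_jk side or the connector will reject every request regardless of the attribute pattern.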