[dvn-auth] Fwd: User sessions mixed up when Java app deployed to Glassfish is fronted with Apache httpd

Philip Durbin philip_durbin at harvard.edu
Thu Oct 30 10:11:49 EDT 2014


I'm seeing a very strange (and scary!) bug now that we're fronting
Glassfish with Apache at
https://dataverse-demo.iq.harvard.edu

I've described the bug to the Shibboleth mailing list (initial message
below) and there have been some follow up posts:

- http://shibboleth.net/pipermail/users/2014-October/017878.html
- http://shibboleth.net/pipermail/users/2014-October/017879.html
- http://shibboleth.net/pipermail/users/2014-October/017885.html

Obviously, we can't ship Shibboleth support with a bug like this. Long-
time readers of this list know that initially I tried a pure Java
solution called OIOSAML but the current approach is to use mod_shib,
which requires fronting Glassfish with Apache.

If anyone has any ideas what the problem might be, please let me know!

Thanks!

Phil

---------- Forwarded message ----------
From: Philip Durbin <philip_durbin at harvard.edu>
Date: Wed, Oct 29, 2014 at 6:47 PM
Subject: User sessions mixed up when Java app deployed to Glassfish is
fronted with Apache httpd
To: Shib Users <users at shibboleth.net>

By following the Shibboleth wiki*, I'm now fronting my Java
application server (Glassfish) with Apache httpd so I can use mod_shib
and have Shibboleth attributes passed to my Java application.

It works (great!) but now that I've configured our beta site this way
I have a new, terrifying problem...

Users' sessions are getting mixed up!

This is just a demo/beta site but obviously this is a show stopper for
us moving forward with mod_shib in production. Even on the demo site
I'm tempted to pull Apache httpd out of our setup because I don't want
people who are looking at the demo site to get scared by suddenly seeing
that they are logged in as someone else! We never see this problem
when we run only Glassfish. The scrambled user sessions have something
to do with introducing Apache httpd into the mix.

I sure hope there's a simple fix for this. Let me explain how I've set
things up.

In my Apache httpd config I have these lines:

# don't pass paths used by rApache and TwoRavens to Glassfish
ProxyPassMatch ^/RApacheInfo$ !
ProxyPassMatch ^/custom !
ProxyPassMatch ^/rookzelig !
# don't pass paths used by Shibboleth to Glassfish
ProxyPassMatch ^/Shibboleth.sso !
ProxyPassMatch ^/shibboleth-ds !
# pass everything else to Glassfish
ProxyPass / ajp://localhost:8009/
# only /shib.xhtml requires a Shibboleth session; the SP populates
# REMOTE_USER and the attribute headers, which AJP carries to Glassfish
<Location /shib.xhtml>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
# redirect plain HTTP to HTTPS (the request is re-issued, not proxied)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

To enable AJP communication between Glassfish and Apache httpd I use
this command:

asadmin create-network-listener --protocol http-listener-1
--listenerport 8009 --jkenabled true jk-connector

I'm running on CentOS 6.5 and using httpd-2.2.15, which means I'm using
mod_proxy_ajp, as the wiki recommends (rather than mod_jk). I'm
running GlassFish Server Open Source Edition 4.0 (build 89).

Here's where we are tracking the problem on our end:
https://github.com/IQSS/dataverse/issues/647

Any advice is welcome! Please tell me what I'm doing wrong! I'm happy
to point out relevant bits of the code and config, all of which is on
GitHub, but I think the key information is above.

Phil

* "In the setup described here, requests from browsers are intercepted
first by Apache httpd. The Shibboleth SP then checks these requests to
enforce authentication requirements. After an assertion is received
and a Shibboleth session is established, the SP or Apache httpd can
enforce access control rules, or it can just pass attributes to the
application. The request is then forwarded to the servlet through the
use of the AJP13 protocol. Subsequent requests can leverage the
Shibboleth session or a session maintained by the application or
servlet container to persist the login." under "Install Shibboleth to
protect Java Servlets" at
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall

p.s. People reporting similar problems (and how tricky it is to
reproduce reliably):

- http://jeecookbook.blogspot.com/2013/07/modjk-session-mixed-between-users.html
- http://stackoverflow.com/questions/14731806/session-mix-up-apache-httpd-with-mod-jk-tomcat-spring-security-serving-data-of-other-user
- http://stackoverflow.com/questions/14845493/spring-security-jsf-hibernate-accidental-session-hijacking-on-tomcat

--
Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin


-- 
Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin
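Added example (editor's note, not code from Phil or from the Dataverse project): one way to confirm from the httpd side that container sessions are being served to more than one identity, rather than relying on users noticing they are "logged in as someone else". It assumes an httpd LogFormat that records the authenticated user (%u, which mod_shib fills in on the protected location) together with the JSESSIONID request cookie, and it groups requests by JSESSIONID, flagging any session id seen with two different REMOTE_USER values or two different client addresses. The log lines below are constructed for the example; the LogFormat is an assumption, not the demo site's configuration.

```python
import re
from collections import defaultdict

# Assumed httpd log format (an assumption for this example, not the
# original post's config):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{JSESSIONID}C\"" shibsession
#   CustomLog logs/shibsession_log shibsession
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<jsid>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Session A1B2C3 is first
# seen with alice from 10.0.0.5, then with bob from 10.0.0.9: the mix-up.
SAMPLE_LOG = """\
10.0.0.5 - alice@example.edu [30/Oct/2014:10:01:02 -0400] "GET /shib.xhtml HTTP/1.1" 200 512 "A1B2C3"
10.0.0.5 - - [30/Oct/2014:10:01:03 -0400] "GET /dataverse.xhtml HTTP/1.1" 200 9001 "A1B2C3"
10.0.0.9 - bob@example.edu [30/Oct/2014:10:01:04 -0400] "GET /shib.xhtml HTTP/1.1" 200 512 "D4E5F6"
10.0.0.9 - bob@example.edu [30/Oct/2014:10:01:07 -0400] "GET /shib.xhtml HTTP/1.1" 200 512 "A1B2C3"
10.0.0.9 - - [30/Oct/2014:10:01:08 -0400] "GET /dataverse.xhtml HTTP/1.1" 200 9001 "A1B2C3"
10.0.0.7 - - [30/Oct/2014:10:02:00 -0400] "GET /shib.xhtml HTTP/1.1" 302 0 "-"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shared_sessions(lines):
    """Group requests by JSESSIONID and return the ids that were used by
    more than one authenticated user or more than one client address.

    The user check is the strong signal (two REMOTE_USERs on one container
    session is never legitimate); the address check is weaker (NAT, roaming)
    and is reported alongside it so the two can be compared by hand.
    """
    users = defaultdict(set)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["jsid"] == "-":
            continue  # no container session yet, nothing to correlate
        ips[rec["jsid"]].add(rec["ip"])
        if rec["user"] != "-":  # only the protected location sets %u
            users[rec["jsid"]].add(rec["user"])
    findings = {}
    for jsid in set(users) | set(ips):
        if len(users[jsid]) > 1 or len(ips[jsid]) > 1:
            findings[jsid] = {
                "users": sorted(users[jsid]),
                "ips": sorted(ips[jsid]),
            }
    return findings


if __name__ == "__main__":
    for jsid, info in find_shared_sessions(SAMPLE_LOG.splitlines()).items():
        print(jsid, "users=%s ips=%s" % (info["users"], info["ips"]))
```

Run it against the real log with `find_shared_sessions(open("shibsession_log"))`; because the check keys on the JSESSIONID cookie the browser sends, it catches the case the thread describes (one container session answered for two people) regardless of which hop between httpd and Glassfish is responsible.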
