...

Install Apache httpd first. Version 2.2 or 2.4 is by far the easiest to work with, because these versions include mod_proxy_ajp in the main distribution. If you're using an older version, you'll need to install mod_jk and set it up separately.

...

  • Tomcat: Tomcat has an AJP 1.3 connector enabled by default.
    • Setting the tomcatAuthentication="false" attribute on the AJP <Connector> element allows for passing REMOTE_USER from Apache httpd. See Tomcat's AJP Connector documentation for more.
  • Jetty: Jetty's documentation has good instructions on how to enable both Jetty and your application to listen on AJP 1.3.

    Info: Jetty 9 drops AJP

    AJP support has been dropped starting with Jetty version 9. The Jetty project recommends using mod_proxy_http instead of mod_proxy_ajp.

Make sure the servlet container opens no direct HTTP listener. If, for example, an HTTP connector is listening on port 8080 and there is no firewall in between, users can reach the servlet directly on port 8080, bypassing Apache httpd and, with it, Shibboleth authentication and authorization. The AJP port itself needs the same care: with tomcatAuthentication="false" the container trusts whatever REMOTE_USER arrives in an AJP request, so bind the AJP connector to the loopback address (or firewall it) so that only the local Apache httpd can talk to it.

...

  • Tomcat: Add packetSize="65536" to the AJP <Connector> element. Use the same value on the Apache httpd side (below); the default AJP packet size of 8192 bytes is easily exceeded once a full set of user attributes is forwarded.
  • Apache httpd with mod_jk: Add a worker.<name>.max_packet_size directive to the worker definition.

    Code Block
    worker.<name>.max_packet_size=65536
  • Apache httpd with mod_proxy_ajp: Add a ProxyIOBufferSize directive to Apache httpd's configuration.

    Code Block
    ProxyIOBufferSize 65536
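The Tomcat side of the steps above (the AJP connector, the absent HTTP listener and the packet size) put together in one place, as an added example. This is not configuration from the Shibboleth wiki or from the Tomcat project; it assumes Tomcat 9, and the port number and loopback binding are assumptions to adapt to your deployment.

```xml
<!-- Added example (not from the original page): the <Service> part of a
     Tomcat 9 conf/server.xml for an application that is reachable only
     through Apache httpd over AJP.  Port and address are assumptions. -->
<Service name="Catalina">

  <!-- Deliberately NO HTTP connector here.  A plain
         <Connector port="8080" protocol="HTTP/1.1" .../>
       would let clients reach the servlet directly, bypassing httpd and
       therefore Shibboleth authentication and authorization. -->

  <Connector protocol="AJP/1.3"
             port="8009"
             address="127.0.0.1"
             tomcatAuthentication="false"
             packetSize="65536"
             secretRequired="false"
             allowedRequestAttributesPattern=".*"
             redirectPort="443" />
  <!--
       address="127.0.0.1"
         Only the local httpd may speak AJP.  Because tomcatAuthentication
         is off, Tomcat trusts the REMOTE_USER field of every AJP request;
         anyone who could reach this port from the network could assert
         any identity.
       tomcatAuthentication="false"
         Take REMOTE_USER from httpd (where the Shibboleth SP set it)
         instead of authenticating in Tomcat.
       packetSize="65536"
         Same value as ProxyIOBufferSize (mod_proxy_ajp) or
         worker.<name>.max_packet_size (mod_jk) on the httpd side.
       secretRequired="false"
         Tomcat 8.5.51 / 9.0.31 and later refuse to start the AJP connector
         without a shared secret unless this is set.  Preferably keep the
         default and set secret="..." here plus the matching secret on the
         httpd side (ProxyPass ... secret=... in httpd 2.4.42+, or
         worker.<name>.secret for mod_jk).
       allowedRequestAttributesPattern=".*"
         The same Tomcat releases reject (HTTP 403) AJP requests that carry
         request attributes they do not recognise, and the Shibboleth
         attributes forwarded with the AJP_ prefix are exactly such
         attributes.  Tighten the pattern to the attribute ids you actually
         export, e.g. "^(eppn|persistent-id|targeted-id|affiliation)$".
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>
```

After restarting Tomcat, the only listening socket belonging to the container should be 127.0.0.1:8009; anything else listening on 0.0.0.0 (an 8080 HTTP connector, or an AJP connector without the address attribute) is the bypass described above.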

...

Add a line to your Apache httpd configuration, such as in httpd.conf, to map requests on the proper virtual hosts to your application through AJP 1.3.

Code Block

ProxyPass /my-application ajp://localhost:8009/my-application

...

Add a line to your Apache httpd configuration on the proper virtual host, such as in httpd.conf, to trigger Shibboleth session initiation and authentication for your application:

Code Block

<Location /my-application>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

Because mod_proxy_ajp only forwards environment variables whose names start with AJP_ (it strips that prefix and sends the rest as AJP request attributes, which the servlet reads via request.getAttribute()), you'll also need to add attributePrefix="AJP_" to the <ApplicationDefaults> (or appropriate <ApplicationOverride>) element in your shibboleth2.xml:

Code Block
xml

<ApplicationDefaults id="default" policyId="default"
    entityID="https://sp.example.org/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    signing="false" encryption="false"
    attributePrefix="AJP_">
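What the application sees once everything above is wired together, as an added example rather than code from the Shibboleth project: a servlet filter that serves a request only when Apache httpd has supplied the Shibboleth identity over AJP, and refuses it otherwise. It assumes Tomcat 9 (javax.servlet), tomcatAuthentication="false" on the AJP connector, attributePrefix="AJP_" in shibboleth2.xml and the eppn attribute id from the fragment above; the class name and the 403 message are illustrative.

```java
// Added example, not from the Shibboleth wiki.  Assumes Tomcat 9 (javax.servlet),
// tomcatAuthentication="false" on the AJP connector and attributePrefix="AJP_"
// in shibboleth2.xml, as set up in the steps above.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Defence in depth for the "no direct HTTP listener" rule.  A request that
 * did not pass through Apache httpd carries neither REMOTE_USER nor any AJP
 * request attributes, so it is refused here instead of being served as an
 * anonymous user.  This complements, and does not replace, removing the
 * HTTP connector and binding AJP to loopback.
 */
@WebFilter("/*")
public class ShibbolethIdentityFilter implements Filter {

    /** Attribute id exported by the SP; matches REMOTE_USER="eppn ..." above. */
    static final String PRINCIPAL_ATTRIBUTE = "eppn";

    /**
     * Looks up a Shibboleth attribute forwarded over AJP.  mod_proxy_ajp
     * strips the AJP_ prefix before sending the variable as an AJP request
     * attribute, so the servlet sees "eppn", not "AJP_eppn".  mod_jk
     * (JkEnvVar) forwards the name exactly as configured, so the prefixed
     * spelling is tried as a fallback.
     */
    static String shibAttribute(HttpServletRequest req, String id) {
        Object v = req.getAttribute(id);
        if (v == null) {
            v = req.getAttribute("AJP_" + id);
        }
        return v == null ? null : v.toString();
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // REMOTE_USER as set by the Shibboleth SP in httpd and handed over by
        // the AJP connector because tomcatAuthentication="false".
        String user = req.getRemoteUser();
        String eppn = shibAttribute(req, PRINCIPAL_ATTRIBUTE);

        if (user == null || user.isEmpty() || eppn == null) {
            // No identity from httpd: the request bypassed the proxy, or the
            // SP / attributePrefix is misconfigured.  Never serve it anonymously.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No authenticated identity supplied by the reverse proxy");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

If legitimate, proxied requests are refused with this filter in place, the usual causes are a missing attributePrefix="AJP_", a Tomcat release that rejects unknown AJP request attributes (see allowedRequestAttributesPattern on the AJP connector), or tomcatAuthentication left at its default of true, in which case getRemoteUser() returns null even though httpd forwarded REMOTE_USER.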

...