Forward

This page was originally based on the ShibbolizedConfluence page so it has a number of original contributions from Scott Cantor and others (for shib'ing confluence). Mike Douglass, Michael Gettes and Gary Weaver provided most of the rest of the critical information.

Brief Description

By default all of the authentication (the ability for a user to login, not what he has access to) information is in apache-tomcat-5.5.xx/conf/tomcat-users.xml in the quickstart folder.
The following method of Shibbolization of Bedework involves setting up Apache and Tomcat to use Shibboleth for authentication instead of using Tomcat's tomcat-users config. Since Shibboleth is a method of SSO, if you login via Shibboleth in any Shibbolized site, you will not have to login again (at least for as long as the browser session lasts or longer/shorter depending on your setup).

Bedework Setup

You might want to try Shibbolizing Bedework Quickstart before you make any other modifications or configuration changes to Bedework. Shibbolization can hard enough on its own.
After you Shibbolize, you have to temporarily "unshibbolize" (comment out your mod_shib configuration in shib.conf and restart apache and tomcat) when you want to give users administrative rights via /caladmin -> Communications (for example) -> Manage Admin Groups and Manage Admin Roles.

Setting Up Resources

Shibbolization requires that all Shibbolized files are served via HTTPS/SSL (I know that is oversimplification, but it is good enough for now). However, Bedework does not support serving resources (specifically XSLT templates) over HTTPS/SSL. So you will need to host resources via HTTP. If you don't do this you may get errors like: "javax.servlet.ServletException: File not found: https://yourbedeworkserver:443/ucalrsrc" (note: you may also get a similar error if you forgot to copy webapps/ROOT from the quickstart (if you are using your own Tomcat instead of the one in the quickstart, in which case the fix is to copy the ROOT directory over). If you really need Bedework to serve everything via SSL, raise that issue in the Bedework mailing lists (and/or add a ticket/comment on an existing ticket once they open their task system back up to the public).

Choose one of the following methods to serve Bedework resources via HTTP...

Host Resources from Non-Shibbolized Webserver

Move all directories under ROOT that contain "rsrc" in the name to a webserver. You may be better off serving resources via a different host/virtual host to avoid the complexity of rewrites/etc. to get Shibboleth to work with it.
Follow the directions below for "How to Setup appRoots" and specify the fully qualified URL to the webserver and directory that contains the resources. For example, if you copy all of the directories whose names contain "rsrc" to http://yourresourceserver/optional/path/to/resources/ then the appRoots would look like this:

...
<appRoot>http://yourresourceserver/optional/path/to/resources/caladminrsrc</appRoot>
...
<appRoot>http://yourresourceserver/optional/path/to/resources/calrsrc</appRoot>
...
<appRoot>http://yourresourceserver/optional/path/to/resources/calrsrc</appRoot>
...
<appRoot>http://yourresourceserver/optional/path/to/resources/ucalrsrc</appRoot>
...

The caladminrsrc, calrsrc, ucalrsrc here are not the only directories; they are just directory prefixes (consider them to have * at the end).

Host Resources from Tomcat

Just say no! Bedework requires that its resources be hosted via HTTP and not HTTPS so you might be tempted as we were to host them in Tomcat. But, since the original writing of this document I've learned that this is a really bad idea. You shouldn't even have 8080 (or whatever port your Tomcat HTTP connector is on) open/defined on Tomcat as it will allow people to bypass Shibboleth auth. We didn't get bitten in production (we were perplexed in dev for a few weeks why some users got the grey login screen- it was because they were using the 8080 URL!) but it would be awful to allow that. So if you take away anything from this document, please remember that only the JK/AJP port connector should be defined for Tomcat! Thanks to Scott Cantor for seeing this.
You can host resources via apache that just happened to be located in Tomcat's ROOT dir though. That is the config example below.

How to Setup appRoots

Choose one of the following two methods

Set appRoots via Single options.xml File per Host Requiring Application Rebuild

If you are using the quickstart to build and you follow the instructions in the Bedework deployment guide in its user manual, then you need to change the appRoots in the config file that it references as "/bwbuild/myconfig.options.xml". This is basically the preferred method, even though it requires a rebuild.

If you need to easily be able to build Bedework with different configurations for different environments, you just need to set the property "org.bedework.user.build.properties" to point to the build.properties that contains the reference to the customized options.xml file per host. It is a little convoluted, but you can use Ant to do this.

...tomcat]$ find . -name "options.xml" -exec grep -H appRoot {} \;
./webapps/ucal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/ucal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/ucal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/ucal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>
./webapps/pubcaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/pubcaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/pubcaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/pubcaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>
./webapps/caladmin/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/caladmin/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/caladmin/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/caladmin/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>
./webapps/soedept/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/soedept/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/soedept/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/soedept/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>
./webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/ucaldav/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>
./webapps/cal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/caladminrsrc</appRoot>
./webapps/cal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/cal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/calrsrc</appRoot>
./webapps/cal/WEB-INF/classes/properties/calendar/options.xml:          <appRoot>http://yourbedeworkserver/ucalrsrc</appRoot>

How to Repackage and Reconfigure Bedework Per Host

As you may have noticed, it is expected in Bedework that the easiest way to change appRoot is by rebuilding the application. And if you have to deploy to multiple hosts, you'll probably want to setup different configuration for each host and rebuild without having to write a ton of scripts or do a lot of manual work (the former of which is time consuming and the latter is error-prone).

Here is an example repackaging script that allows you to specify different appRoot configurations of Bedework:

<?xml version="1.0" encoding="UTF-8"?>
<project name="event-calendar" default="build">

    <!-- Example repackaging script written by David Eisinger and Gary Weaver of Duke University -->

    <!-- It assumes a directory layout like:

         /bedework-(version)/ - directory that is the unaltered bedework distribution as an svn-external to
                                https://www.bedework.org/svn/bedework/releases/bedework-(version). Name specified as repackaged.bw.dir property.

         /build.xml   - this file

         /config/     - directory containing a directory for every host you have. In each of those host directories, you create/copy a
                        repackaged-bedework.build.properties, repackaged-bedework.options.xml, repackaged-bedework.properties files corresponding to the
                        files listed in the user manual as bedework.build.properties, myconfig.options.xml, and myconfig.properties respectively

         /lib/build/  - should contain appropriate ant-contrib and jsch jars, for example: ant-contrib-1.0b3.jar and jsch-0.1.36.jar

         /lib/schema/ - should contain appropriate database jars for all database types you may need to use, such as mysql-connector-java-5.0.5-bin.jar
                        and ojdbc14.jar

         /src/main/   - directory that mirrors the bedework distribution directory structure above that you can use to overlay customized files atop Bedework
                        at your own risk (not needed for Shibbolization)
    -->

    <dirname property="basedir" file="${ant.file}"/>

    <!-- Bedework build needs this. Assumes you have put this jar into ./lib/build -->
    <taskdef resource="net/sf/antcontrib/antcontrib.properties" classpath="${basedir}/lib/build/ant-contrib-1.0b3.jar"/>

    <!-- Since these properties are inherited by the Bedework build, prefix them with "repackaged" to keep them from unintentionally overriding Bedework properties -->

    <!-- repackaged specific files to replace original Bedework files with -->
    <property name="repackaged.src.dir" value="${basedir}/src/main"/>

    <!-- The unaltered bedework distribution as an svn-external to https://www.bedework.org/svn/bedework/releases/(release name) -->
    <!-- Notes: * You may rather redo this to use the quickstart distribution instead to avoid slowness. -->
    <!--        * They seem to have been releasing changes to Bedework using the same release number, so it isn't necessarily static. That is not good. -->
    <property name="repackaged.bedework.original.version" value="bedework-3.4"/>
    <property name="repackaged.bw.dir" value="${basedir}/${repackaged.bedework.original.version}"/>

    <!-- Temp location where we will copy the original bedework files and then overlay them with our own files -->
    <property name="repackaged.tmp.dir" value="${basedir}/build-tmp"/>

    <!-- Build artifact directory -->
    <property name="repackaged.dist.dir" value="${basedir}/dist"/>

    <!-- Directory containing a directory for each host, each containing host specific config -->
    <property name="repackaged.config.dir" value="${basedir}/config"/>

    <!-- Host-specific config -->
    <property name="repackaged.specific.host.config.dir" value="${repackaged.config.dir}/${myhost}"/>

    <!-- Where host-specific config gets copied to before the build during apply-changes. This is referred to in each host-specific *build.properties -->
    <property name="repackaged.tmp.config.dir" value="${repackaged.tmp.dir}/repackaged-config"/>

    <!-- for copying Bedeworks distributables other than webapps and war, such as the dumpres schema generation utility -->
    <property name="repackaged.tmp.dir.dist" value="${repackaged.tmp.dir}/dist"/>
    <property name="repackaged.tmp.dir.dist.dumpres.zip" value="${repackaged.tmp.dir.dist}/dumpres.zip"/>
    <property name="repackaged.dist.schema.dir" value="${repackaged.dist.dir}/schema"/>

    <!-- This must be set for Bedework to find our config -->
    <property name="org.bedework.user.build.properties" value="${repackaged.tmp.config.dir}/repackaged-bedework.build.properties"/>

    <!-- Specify the location where the Bedework build will run -->
    <property name="org.bedework.project.bedework" value="${repackaged.tmp.dir}"/>

    <!-- Instead of Tomcat dir, we put artifacts into dist -->
    <property name="org.bedework.appserver.dir" value="${repackaged.dist.dir}"/>

    <!-- Note: update the example so they mirror the directory names you setup in config. Each ./config/directoryname should contain  -->
    <property name="ant.cmd.examples"
               value="for dev: ant -Dmyhost=dev.mycompany.com, for test: ant -Dmyhost=test.dadscompany.com, for prod: ant -Dmyhost=prod.momscompany.com"/>

    <!-- Verify req'd properties that are needed are available -->
    <target name="init">
        <fail message="Please specify -Dmyhost=(directory name within ./config dir containing your host config) on the command-line. Examples: ${ant.cmd.examples}"
               unless="myhost"/>
    </target>

    <target name="clean">
        <delete dir="${repackaged.tmp.dir}"/>
        <delete dir="${repackaged.dist.dir}"/>
    </target>

    <target name="clean-tmp">
        <delete dir="${repackaged.tmp.dir}"/>
    </target>

    <target name="copy-bedework" depends="clean">
        <copy todir="${repackaged.tmp.dir}" includeEmptyDirs="true" overwrite="true">
            <fileset dir="${repackaged.bw.dir}">
                <exclude name="**/.svn/**"/>
            </fileset>
        </copy>
    </target>

    <target name="apply-changes" depends="copy-bedework, apply-host-config, apply-overlay-files"/>

    <!-- Apply host-specific config -->
    <target name="apply-host-config" depends="init, copy-bedework, myhost-config-exists">
        <mkdir dir="${repackaged.tmp.config.dir}"/>
        <copy todir="${repackaged.tmp.config.dir}" includeEmptyDirs="true" overwrite="true" verbose="true">
            <fileset dir="${repackaged.specific.host.config.dir}"/>
        </copy>
    </target>

    <!-- Check existance of config dir for specified myhost parameter -->
    <target name="set-myhost-config-is-present" depends="init">
        <available property="myhost-config-is-present" file="${repackaged.specific.host.config.dir}"/>
    </target>

    <!-- Fail if config/(myhost param) dir not present -->
    <target name="myhost-config-exists" depends="init, set-myhost-config-is-present" unless="myhost-config-is-present">
        <fail
          message="Please specify myhost parameter. Directory ${repackaged.specific.host.config.dir} not found." />
    </target>

    <target name="apply-overlay-files" depends="copy-bedework">
        <copy todir="${repackaged.tmp.dir}" includeEmptyDirs="true" overwrite="true" verbose="true">
            <fileset dir="${repackaged.src.dir}"/>
        </copy>
    </target>

    <target name="build-bedework" depends="clean, copy-bedework, apply-changes">
        <ant antfile="${repackaged.tmp.dir}/build.xml" inheritrefs="true" inheritAll="true" target="clean.deploy"/>
    </target>

<target name="javadoc-plain-bedework">
  <mkdir dir="${repackaged.dist.dir}/originalapidocs-generated/${repackaged.bedework.original.version}/api"/>
  <javadoc
           destdir="${repackaged.dist.dir}/originalapidocs-generated/${repackaged.bedework.original.version}/api"
           author="true"
           version="true"
           use="true"
           windowtitle="${repackaged.bedework.original.version}"
           noindex="false"
           nohelp="false"
           nonavbar="false"
           notree="false"
           nodeprecated="false"
           nodeprecatedlist="false"
           failonerror="true"
           >

    <fileset dir="${repackaged.bedework.original.version}" defaultexcludes="yes">
      <include name="**/src/**"/>
      <exclude name="**/deployment/resources/javascript/**"/>
      <exclude name="**/package.**"/>
      <exclude name="**/svn-commit**"/>
    </fileset>

    <doctitle><![CDATA[<h1>${repackaged.bedework.original.version}</h1>]]></doctitle>
    <bottom><![CDATA[<i>Javadocs generated by Duke University OIT using the source from ${repackaged.bedework.original.version}. Because the source is not static, this documentation may need to be updated.</i>]]></bottom>
    <tag name="todo" scope="all" description="To do:"/>
  </javadoc>
</target>

    <target name="setup-root-tar-gz" depends="build-bedework">
        <tar tarfile="${repackaged.dist.dir}/webapps/ROOT.tar" basedir="${repackaged.dist.dir}/webapps" includes="ROOT/**"/>
        <delete dir="${repackaged.dist.dir}/webapps/ROOT"/>
        <gzip zipfile="${repackaged.dist.dir}/webapps/ROOT.tar.gz" src="${repackaged.dist.dir}/webapps/ROOT.tar"/>
        <delete file="${repackaged.dist.dir}/webapps/ROOT.tar"/>
    </target>

    <target name="setup-dumpres" depends="build-bedework">
        <!-- Unzip the schema utility and copy DB driver jars into it, so it is ready to go if needed -->
        <mkdir dir="${repackaged.dist.schema.dir}"/>
        <unzip src="${repackaged.tmp.dir.dist.dumpres.zip}" dest="${repackaged.dist.schema.dir}"/>
        <copy overwrite="true" file="${basedir}/datasets/groups_cats_cals_subs_views_impl_team_users/initbedework.xml" todir="${repackaged.dist.schema.dir}/dumpres/data"/>
        <copy todir="${repackaged.dist.schema.dir}/dumpres/lib" includeEmptyDirs="true" overwrite="true" verbose="true">
            <fileset dir="${basedir}/lib/schema"/>
        </copy>
        <chmod file="${repackaged.dist.schema.dir}/dumpres/bwrun" perm="ugo+rx"/>
    </target>

    <!-- Just doing this for development ONLY. Test should be a copy of production, and we should never touch production via the Ant script as it would be too easy to screw something up. -->
    <!-- Requires you to use MySQL Administrator or similar tool to blow away tables in development schema. Be absolutely sure that dumpres DB settings and other DB settings are correct! -->
    <target name="create-development-db" depends="build">
        <!-- call dumpres script to create schema -->
        <exec dir="${repackaged.dist.schema.dir}/dumpres" failonerror="true" executable="/bin/sh">
           <arg value="-c"/>
           <arg value="./bwrun schema-export"/>
        </exec>
        <!-- call dumpres script to populate with development dataset -->
        <exec dir="${repackaged.dist.schema.dir}/dumpres" failonerror="true" executable="/bin/sh">
           <arg value="-c"/>
           <arg value="./bwrun initdb -ndebug -indexroot lucene"/>
        </exec>
        <!-- tar.gz the initial lucene indexes (there is no way to rebuild lucene indexes in Bedework 3.4) -->
        <tar tarfile="${repackaged.dist.dir}/webapps/lucene.tar" basedir="${repackaged.dist.schema.dir}/dumpres" includes="lucene/**"/>
        <gzip zipfile="${repackaged.dist.dir}/webapps/lucene.tar.gz" src="${repackaged.dist.dir}/webapps/lucene.tar"/>
        <delete file="${repackaged.dist.dir}/webapps/lucene.tar"/>
        <!-- TODO: automate SCP, explode lucene.tar.gz into tomcat/bin/ -->
    </target>

    <target name="build-without-clean-tmp" depends="init, clean, copy-bedework, apply-changes, build-bedework, setup-root-tar-gz, setup-dumpres"/>

    <target name="build" depends="build-without-clean-tmp, clean-tmp"/>

</project>

Here are a few example host-specific configs:

config/dev.mycompany.com/repackaged-bedework.build.properties

# Location of our bedework property files
org.bedework.config.properties=${repackaged.tmp.config.dir}/repackaged-bedework.properties
org.bedework.config.options=${repackaged.tmp.config.dir}/repackaged-bedework.options.xml

config/dev.mycompany.com/repackaged-bedework.options.xml

(this file is same as "myconfig.properties" referred to in the instructions with a different name)

<!-- This provides run time options for each of the configured applications.
  -->
<bedework-options>
  <org>
    <bedework>
      <global>
        <module>
...
(copy this file and modify per Bedework user manual instructions)
...

config/dev.mycompany.com/repackaged-bedework.properties

(this file is same as "myconfig.options.xml" referred to in the instructions with a different name)

#
# --------------------------------------------------------------------
#
# Introduction
#
#
# Properties for all modules are saved below - even if they are not
# being deployed. The globals section defines which modules will be
...
(copy Bedework sample config and modify per Bedework user manual instructions)
...

In this file, you'll want to change the following from the defaults to look like this:

...
org.bedework.app.CalAdmin.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...
org.bedework.app.Events.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...
org.bedework.app.SoEDept.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...
org.bedework.app.UserCal.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...
org.bedework.app.Pubcaldav.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...
org.bedework.app.Usercaldav.tomcat.context.xml=${repackaged.tmp.config.dir}/repackaged-bedework.context.xml
...

config/dev.mycompany.com/repackaged-bedework.context.xml

(this file is same as "\<home\>/bwbuild/prod/context.xml" referred to in the instructions with a different name)

<Context path="@CONTEXT-ROOT@" reloadable="false">
 <Resource name="jdbc/calDB" auth="Container"
           type="javax.sql.DataSource"
           driverClassName="org.hsqldb.jdbcDriver"
           url="jdbc:hsqldb:hsql://localhost:8887"
           username="sa"
           password=""
           maxActive="8"
           maxIdle="4"
           maxWait="-1"
           defaultAutoCommit="false" />

  <!-- Disables restart persistence of sessions -->
  <Manager pathname=""/>
</Context>

This is where each of the web applications will get its DB connection info from, or you can leave the resource out possibly and just set it once in Tomcat's conf/context.xml. (But I didn't try that.)
Note: the config that comes in the quickstart in (tomcat)/conf/Catalina/localhost/.xml contains resource definitions that will override the ones that go into the wars. In most cases you'll probably want to have the DB config in those files, and the one above should not matter as long as you make sure you have a context in (tomcat)/conf/Catalina/localhost/.xml for each webapp (but just in case, I keep both the same just in case there is a webapp context that I'm not overriding in conf/Catalina/localhost/).

Apache Setup

Most of the setup is standard Shibboleth stuff, like getting the ServerName set properly and routing the right requests to Tomcat, and redirecting all traffic to SSL, but there are some tricks:

Make sure requests for /Shibboleth.sso/* don't get passed to Tomcat. If you're putting Bedework at the root, you'll probably be routing everything over, so you'll need to exclude that path with JkUnMount or the equivalent command for your connector.

mod_jk Setup

The commands we're using for mod_jk follow

You need at least mod_jk 1.2.8 to use JkUnMount and probably want to use mod_jk 1.2.10 or higher.

LoadModule jk_module    modules/mod_jk.so

JkWorkersFile   /etc/httpd/conf/workers.properties
JkLogFile       /var/log/httpd/mod_jk.log
JkLogLevel      info

JkMount /* ajp13_worker

JkUnMount /Shibboleth.sso/* ajp13_worker
JkUnMount /shibboleth ajp13_worker
JkUnMount /shibboleth-sp/* ajp13_worker

ProxyPass Setup

from Michael Gettes

The following apache config was used to get Bedework integrated with Shibboleth 2.0. Change the host/port to match yours. "ShibRequireSession On" changes depending on whether you allow anonymous access in-general (like in Confluence shibbolization for example).

Alias /ucalrsrc /home/nmi/bedework/apache-tomcat-5.5.17/webapps/ROOT/ucalrsrc
Alias /bedework-common /home/nmi/bedework/apache-tomcat-5.5.17/webapps/ROOT/bedework-common
Alias /calrsrc.MainCampus /home/nmi/bedework/apache-tomcat-5.5.17/webapps/ROOT/calrsrc.MainCampus
Alias /caladminrsrc /home/nmi/bedework/apache-tomcat-5.5.17/webapps/ROOT/caladminrsrc

<Directory /home/nmi/bedework/apache-tomcat-5.5.17/webapps/ROOT/>
        Allow from all
        Options Indexes FollowSymLinks
</Directory>

<Location /cal>
</Location>
ProxyPass /cal ajp://localhost:8080/cal/
ProxyPass /cal/* ajp://localhost:8080/cal/

<Location /caladmin>
        AuthType shibboleth
        require shibboleth
        ShibRequireSession On
        require valid-user
</Location>
ProxyPass /caladmin ajp://localhost:8080/caladmin/
ProxyPass /caladmin/* ajp://localhost:8080/caladmin/

<Location /ucal>
        AuthType shibboleth
        require shibboleth
        ShibRequireSession On
        require valid-user
</Location>
ProxyPass /ucal ajp://localhost:8080/ucal/
ProxyPass /ucal/* ajp://localhost:8080/ucal/

Host/Virtual Host Setup

Here is a sample, assuming that you might want to host resources from Apache but leave them in the Tomcat ROOT dir:

LogLevel info

 <VirtualHost *:80>
      ServerAdmin  me@test.edu

      # We are serving static content via Apache. Keep the Tomcat HTTP and HTTPS connectors closed
      # in Tomcat closed or it will allow Shibboleth to be bypassed for login if the user hits that
      # port directly, which will inevitably happen, most likely by accident. You can serve this 
      # content wherever you'd like, but it seems better to keep it together with the webapps.
      DocumentRoot /path/to/tomcat/webapps/ROOT/
      
      # If you have an identity file for load balancing
      Alias /lb.html /path/to/static/html/lb.html

      ServerName dev.test.edu

      JkMount /* ajp13
      JkUnMount /Shibboleth.sso/* ajp13
      JkUnMount /lb.html ajp13
      JkUnMount /test/* ajp13

      # Support rewriting
      RewriteEngine On

      # Redirect http://.../ to http://.../cal/
      RewriteCond %{REQUEST_URI} ^/$
      RewriteRule ^.*$ http://dev.test.edu/cal/ [R,L]

      # Redirect shibbed parts to https

      # caladmin should be shibbed but not caladminrsrc
      RewriteCond %{REQUEST_URI} !^/caladminrsrc.*$
      RewriteCond %{REQUEST_URI} ^/caladmin.*$
      RewriteRule ^(.*)$ https://dev.test.edu$1 [R,L]

      # ucal should be shibbed but not ucaldav
      RewriteCond %{REQUEST_URI} !^/ucaldav.*$
      RewriteCond %{REQUEST_URI} ^/ucal.*$
      RewriteRule ^(.*)$ https://dev.test.edu$1 [R,L]
 </VirtualHost>

#Listen 443

NameVirtualHost *:443

<VirtualHost *:443>
      ServerAdmin  me@test.edu
 
      #DocumentRoot /path/to/static/html
      # NOTE: See note above. Some resources (like bedework-common) need to be served from HTTPS
      # when accessed by HTTPS pages, for example the dojo stuff used by caladmin, otherwise you
      # can't specify dates in add event.
      DocumentRoot /path/to/tomcat/webapps/ROOT/
      
      # If you have an identity file for load balancing
      Alias /lb.html /path/to/static/html/lb.html

      ServerName dev.test.edu
      
      # (Logging config)
      # (SSL config stuff goes here)

      JkMount /* ajp13
      JkUnMount /Shibboleth.sso/* ajp13
      JkUnMount /lb.html ajp13

      # Support rewriting
      RewriteEngine On

      # Redirect https://host/ to http://host/cal/ and force HTTP for apps and resources that
      # should be served using HTTP instead of HTTPS. Points of interest:
      # 1) Bedework doesn't support XSL (XSLT) resources via HTTPS (at least in 3.4)
      # 2) If in /cal or other unprotected areas, resources and the app need to both be using the
      #    same security level or you'll get mixed-content messages in IE.
      # 3) bedework-common should be served by HTTP by /cal, and HTTPS by /caladmin. This is the
      #    only exception known currently in Bedework 3.4.
      RewriteRule ^/$ http://dev.test.edu/cal/ [R,L]
      RewriteRule ^/cal$ http://dev.test.edu/cal/ [R,L]
      RewriteRule ^/cal/(.*)$ http://dev.test.edu/cal/$1 [R,L]
      RewriteRule ^/soedept/(.*)$ http://dev.test.edu/soedept/$1 [R,L]
      RewriteRule ^/pubcaldav/(.*)$ http://dev.test.edu/pubcaldav/$1 [R,L]
      RewriteRule ^/ucaldav/(.*)$ http://dev.test.edu/ucaldav/$1 [R,L]
      # Add rules for other HTTP served apps here

      # The following are resources under ROOT that should be redirected
      RewriteRule ^/bedework/(.*)$ http://dev.test.edu/bedework/$1 [R,L]
      # NOTE: bedework-common not redirected because dojo can't handle an HTTPS page accessing js
      # via HTTP or you'll see a javascript error like this in Firebug:
      # uncaught exception: Security Error: Content at https://dev.test.edu/caladmin/event/showModForm.rdo may not load data from http://dev.test.edu/bedework-common/javascript/dojo/src/widget/__package__.js.
      #RewriteRule ^/bedework-common/(.*)$ http://dev.test.edu/bedework-common/$1 [R,L]
      RewriteRule ^/caladminrsrc/(.*)$ http://dev.test.edu/caladminrsrc/$1 [R,L]
      RewriteRule ^/calrsrc.MainCampus/(.*)$ http://dev.test.edu/calrsrc.MainCampus/$1 [R,L]
      RewriteRule ^/calrsrc.SoEDepartmental/(.*)$ http://dev.test.edu/calrsrc.SoEDepartmental/$1 [R,L]
      RewriteRule ^/ucalrsrc/(.*)$ http://dev.test.edu/ucalrsrc/$1 [R,L]
 </VirtualHost>

mod_shib Setup

For mod-shib make sure the following is setup (shib.conf):

# start Bedework

<Location /ucalrsrc>
        Allow from all
        Options Indexes FollowSymLinks
</Location>

<Location /bedework-common>
        Allow from all
        Options Indexes FollowSymLinks
</Location>

<Location /calrsrc.MainCampus>
        Allow from all
        Options Indexes FollowSymLinks
</Location>

<Location /caladminrsrc>
        Allow from all
        Options Indexes FollowSymLinks
</Location>

<Location /cal>
        Allow from all
        Options Indexes FollowSymLinks
</Location>

# unshibbolized (login as caladmin)
#<Location /caladmin>
#        Allow from all
#        Options Indexes FollowSymLinks
#</Location>

# shibbolized
<Location /caladmin>
        AuthType shibboleth
        require shibboleth
        ShibRequireSession On
        require valid-user
        # Scott Cantor said this would ensure REMOTE_USER is set.
        require user ~ .+
</Location>

<Location /ucal>
        AuthType shibboleth
        require shibboleth
        ShibRequireSession On
        require valid-user
</Location>

# end Bedework

Just be aware that after you Shibbolize, you have to temporarily "unshibbolize" (comment out your mod_shib configuration in shib.conf and restart apache and tomcat) when you want to give users administrative rights via /caladmin -> Communications (for example) -> Manage Admin Groups and Manage Admin Roles.

Tomcat Setup

(Assuming you are using Tomcat and Apache+mod_jk)

Setup AJP/JK as normal.

Bedework will respect REMOTE_USER if it is set properly as it would be with AJP and tomcatAuthentication=false. In the AJP Coyote connector configuration part of server.xml, make sure you add tomcatAuthentication="false" or the REMOTE_USER header will not be communicated from Apache mod_jk to the AJP connector. For example:

<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3"
    tomcatAuthentication="false"/>

Comment out or even remove all other connectors! Otherwise you are just asking for it, as someone WILL try to auth via Tomcat (like on port 8080) instead of Shibboleth.
Make sure allRolesMode="authOnly" is in the UserDatabaseRealm.

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"
             allRolesMode="authOnly" />

You don't have to run the quickstart for Bedework in production. Read the user manual's section on deployment, but here are the basics:
- All of the wars should be put into Tomcat's webapps dir
- Either the "ROOT" directory should be copied over into webapps (see section on hosting resources via Tomcat) or the ROOT directory should copied over into webapps with the exception of resources directories which can be hosted by a separate webserver (see section on hosting resources via webserver)
- Tomcat conf/ is configured correctly. A super-easy way to get started is to copy everything under the quickstart's apache-tomcat.../conf/ is copied to a your Tomcat conf/ and then make the modifications described above. Unfortunately only the quickstart has these config files (they aren't in Bedework-3.4's subversion repo at least.) You should also refer to Bedework user manual for how to setup Tomcat, but just refer back to this document for the few modifications.

Shibboleth SP Setup

Mostly standard stuff for any SP, like setting hostnames, getting a WAYF strategy in place, etc.

Shibboleth IdP Setup

Make sure that you've established that the IdP (authN server) has the same SSL cert that you are using associated with the providerId that is defined on the SP side (in shibboleth.xml of the Shibboleth running on the same node as Bedework).
In theory, nothing other than the attribute exposed by the IdP to be used as the users' usernames will need to be exposed (in many cases it is the EPPN which is exposed by default).

Troubleshooting

Try it first without making any changes to the quickstart other than those mentioned above.
You can't just copy the wars into webapps. Bedework needs the resources in either the ROOT directory under webapps, or hosted somewhere else.
appRoots must be changed (see above).
Make sure all ports are open that you are accessing.
By default Bedework 3.4 expects that all resource directories are browseable like: bwconfigrsrc, caladminrsrc, calrsrc.MainCampus, calrsrc.SoEDepartmental, and ucalrsrc. See the Bedework user manual for more information on this.
Read the Bedework user manual's section on deployment carefully.
Get on the http://www.bedework.org/mailman/listinfo/bedework-users or http://www.bedework.org/mailman/listinfo/bedework-dev mailing lists and post something to it.
Add a bug to their tracking system, if it is available.
Sometimes (maybe when the Shib session times out?) instead of it kicking into Shibboleth when I hit the /caladmin site, it goes to the "regular" (non-shibboleth) login page (that is all grey). Even though you can remove "login-config" section of all Bedework's web.xmls in each webapp, that will just mean you get an error instead (which is probably better than allowing someone to login via Tomcat instead of Shibboleth!)

Browser not supported