I have a Spring Boot application running currently under Tomcat 8.5 that has a shibboleth-based SSO integrated. Shibboleth and tomcat are connected using apache2 mod_shib and mod_jk, using default Debian 9 packages.
I am now trying to upgrade the application's environment to Debian 10 (and thus tomcat 9), and most things work with minor configuration changes, except the Shibboleth-based authentication.
If calling on /login/shibboleth (which is configured in apache to authenticate using shibboleth, and then login inside the application using the provided shibboleth shared variables), the shibboleth SAML2 authentication protocol is correctly done (and the shibboleth session can be queried after in apache), but the handler method for /login/shibboleth is not called (I checked this using remote debugging), but is refused by tomcat itself:
HTTP Status 403 – Forbidden
Type Status Report
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.31 (Debian)
I have tried to look into this problem, and one possible solution seemed to be using a secret in the AJP connector. Defining one (in tomcat9's server.xml) does not seem to change any behaviour (also, mod_jk does not seem to have a corresponding option, so I wonder how any function works when a secret is configured).
Does anyone have ideas about:
- What may cause this problem.
- What the possible solutions are.
The AJP connector stopped allowing just any ol' request attribute to pass through in recent versions of Tomcat. The attributes that are passed through by default are described here: https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Standard_Implementations
You can test if this is causing your 403 error by temporarily allowing all attributes within your AJP connector definition (likely found in server.xml).
If that works, you can limit the allowed attributes to the ones you actually need. It will vary by implementation, but this worked for me:
allowedRequestAttributesPattern="^(Shib-.*|eppn)$"
If your issue is truly with the AJP secret, note that Apache's mod_proxy_ajp didn't support secrets until recently. You'll find it documented in recent versions though. See https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html.
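As an added illustration (not part of the original answer), here is what the two steps above look like in a Tomcat 9 server.xml AJP connector: the temporary allow-everything diagnostic setting next to the tightened one that only passes the Shibboleth attributes the application reads. The port, bind address and secret value are placeholders, and the connector is assumed to be reached only from the local apache2/mod_jk instance.

```xml
<!-- Tomcat 9 server.xml, inside <Service>. Added example: not the asker's
     or the answerer's configuration. Secret and port are placeholders. -->

<!-- Step 1, diagnostic only: accept every request attribute mod_jk forwards.
     Enable briefly to confirm the 403 comes from attribute filtering, then
     remove it; forwarding arbitrary attributes lets any AJP client inject
     values the application may trust (e.g. a spoofed eppn).
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-shared-ajp-secret"
           allowedRequestAttributesPattern=".*" />
-->

<!-- Step 2: only the attributes the /login/shibboleth handler actually
     needs. Everything else mod_jk sends is rejected with 403 as before.
     The same secret value must be set on the mod_jk worker
     (worker.<name>.secret in workers.properties). -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-shared-ajp-secret"
           allowedRequestAttributesPattern="^(Shib-.*|eppn)$" />
```

Binding to the loopback address and requiring a secret means a request attribute such as eppn can only arrive from the apache2 instance that mod_shib populated it in, which is the property the application's login handler relies on.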