Hi Bryson,
Yes, in forwarding from Apache to Tomcat, I set up an Apache VHost as
follows (this is just the HTTPS one.. I have an HTTP VHost which just
redirects to HTTPS)
<VirtualHost *:443>
    ServerName mydspaceurl.org

    # As long as the Shibboleth module is installed,
    # enable all Shibboleth-related settings
    <IfModule mod_shib>
        # Copy all Shibb settings here from the Docs..
        # And enable this line at the end..
        # (it must come BEFORE the catch-all "ProxyPass /" below: ProxyPass
        # rules are checked in configuration order and the first match wins)
        ProxyPass /Shibboleth.sso !
    </IfModule>

    ## Proxy / Forwarding Settings ##
    <Proxy *>
        AddDefaultCharset Off
        # Apache 2.2-style access control; on Apache 2.4 these two lines
        # need mod_access_compat, or use "Require all granted" instead
        Order deny,allow
        Allow from all
    </Proxy>

    # Pass all requests to Tomcat's AJP Connector
    # (In this case, Tomcat's AJP port is 8009)
    ProxyPass / ajp://localhost:8009/

    ## You'll also need SSL Cert Settings for HTTPS
    SSLEngine on
    SSLCertificateChainFile path/to/file
    SSLCertificateFile path/to/file
    SSLCertificateKeyFile path/to/file
</VirtualHost>
THEN, in Tomcat, ensure it has an AJP port set up in server.xml... e.g.
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- (only Apache on this same host needs to reach it, so consider
         adding address="127.0.0.1" to bind it to loopback only) -->
    <Connector port="8009" protocol="AJP/1.3" />
Those settings (plus those in the docs) should ensure that Apache will
redirect ALL requests to Tomcat EXCEPT requests to Shibboleth (which
will be handled in Apache by mod_shib).
Obviously, you also need to ensure both mod_shib and mod_proxy are
installed in your Apache, too.
Hopefully that helps.
- Tim
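As an added illustration (not part of Tim's message or of the DSpace docs), the following Python script models how Apache evaluates the ProxyPass directives above: rules are checked in configuration order, the first match wins, and a "!" exclusion only takes effect if it appears before the catch-all "ProxyPass /". It pulls the ProxyPass lines out of a constructed copy of the VirtualHost, routes a few sample request paths, and flags any exclusion that an earlier rule shadows, which is the misconfiguration that silently sends /Shibboleth.sso traffic to Tomcat. The parser assumes mod_shib is loaded (the IfModule wrapper is ignored rather than evaluated) and does not handle ProxyPassMatch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not from the message): the HTTPS VirtualHost above,
# reduced to its ProxyPass directives, with the Shibboleth exclusion listed
# before the catch-all rule. mod_shib is assumed to be loaded, so the
# <IfModule> wrapper is ignored rather than evaluated.
GOOD_VHOST = """
<VirtualHost *:443>
    ServerName mydspaceurl.org
    <IfModule mod_shib>
        # keep SP handler requests in Apache, where mod_shib answers them
        ProxyPass /Shibboleth.sso !
    </IfModule>
    ProxyPass / ajp://localhost:8009/
</VirtualHost>
"""

# Constructed counter-example: the same two rules in the wrong order.
BAD_VHOST = """
<VirtualHost *:443>
    ServerName mydspaceurl.org
    ProxyPass / ajp://localhost:8009/
    ProxyPass /Shibboleth.sso !
</VirtualHost>
"""


@dataclass
class ProxyRule:
    path: str
    target: str  # backend URL, or "!" meaning "do not proxy, serve locally"


PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_proxypass(config: str) -> List[ProxyRule]:
    """Collect ProxyPass directives in configuration order, skipping comments.
    ProxyPassMatch (regex rules) is deliberately not handled here."""
    rules = []
    for line in config.splitlines():
        if line.strip().startswith("#"):
            continue
        m = PROXYPASS_RE.match(line)
        if m:
            rules.append(ProxyRule(m.group(1), m.group(2)))
    return rules


def path_matches(rule_path: str, request_path: str) -> bool:
    """mod_proxy compares the rule path as a prefix of the request path, but a
    prefix that does not end in '/' must stop at a segment boundary:
    '/Shibboleth.sso' matches '/Shibboleth.sso' and '/Shibboleth.sso/Login'
    but not '/Shibboleth.ssox'."""
    if not request_path.startswith(rule_path):
        return False
    if rule_path.endswith("/"):
        return True
    rest = request_path[len(rule_path):]
    return rest == "" or rest.startswith("/")


def route(rules: List[ProxyRule], request_path: str) -> Optional[str]:
    """Apache checks ProxyPass rules in configuration order; the first match
    wins. Returns the backend URL the request is forwarded to, or None when
    Apache serves the request itself (an exclusion, or no matching rule)."""
    for rule in rules:
        if path_matches(rule.path, request_path):
            if rule.target == "!":
                return None
            return rule.target + request_path[len(rule.path):]
    return None


def shadowed_exclusions(rules: List[ProxyRule]) -> List[str]:
    """Return the paths of '!' exclusions that can never fire because an
    earlier proxying rule already matches them. Such a config forwards the
    SP handler traffic to the backend instead of leaving it to mod_shib."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.target != "!":
            continue
        for earlier in rules[:i]:
            if earlier.target != "!" and path_matches(earlier.path, rule.path):
                shadowed.append(rule.path)
                break
    return shadowed


def effective_routes(config: str, paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each request path to the backend it would reach under this config."""
    rules = parse_proxypass(config)
    return {p: route(rules, p) for p in paths}


if __name__ == "__main__":
    probes = ["/Shibboleth.sso/Login", "/xmlui/shibboleth-login", "/Shibboleth.ssox"]
    for name, cfg in (("good", GOOD_VHOST), ("bad", BAD_VHOST)):
        print(name, effective_routes(cfg, probes),
              "shadowed:", shadowed_exclusions(parse_proxypass(cfg)))
```

Running it shows the ordered config keeping /Shibboleth.sso/Login in Apache while /xmlui/... goes to ajp://localhost:8009/, and the misordered config forwarding the handler URL to Tomcat with "/Shibboleth.sso" reported as a shadowed exclusion. The same check can be run against a real httpd.conf by reading the file into the config string.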
On 7/9/2014 1:08 PM, Duda, Bryson wrote:
> Thanks for your help so far, Tim!
>
> Do you also use the "ProxyPass / ajp://localhost:8080/" line mentioned in the
> comments as well, then? My understanding was that that line is needed to get
> the request over to Tomcat (where Dspace resides), but I could be mistaken.
>
> Bryson
>
> -----Original Message-----
> From: Tim Donohue [mailto:[email protected]]
> Sent: Wednesday, July 09, 2014 10:10 AM
> To: Duda, Bryson; [email protected]
> Subject: Re: [Dspace-tech] Shibboleth woes
>
> Hi Bryson,
>
> If you are using the "mod_proxy" to forward to Tomcat, you might want to
> ensure you have this setting enabled (which is commented out in the official
> docs example). It ensures Shibboleth requests are not redirected to Tomcat
> accidentally
>
> # Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected
> # to Tomcat (as they will be handled by mod_shib instead).
> # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING PROXYPASS TO REDIRECT
> # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8080/)
> # ProxyPass /Shibboleth.sso !
>
> (Uncomment that final "ProxyPass /Shibboleth.sso !" line)
>
> Doing that should allow you to remove any custom settings in your
> shibboleth2.xml to attempt to handle this.
>
> I'm not sure if that'll solve all of your issues, but I've managed to get
> Shibboleth working with mod_shib + mod_proxy + Apache + Tomcat using the
> exact settings in the official docs (though I have that last ProxyPass
> uncommented).
>
> - Tim
>
>
> On 7/9/2014 10:51 AM, Duda, Bryson wrote:
>> Hi Tim,
>>
>> Yes, that wiki page is the one I used while doing the configuration. Sorry,
>> I should have clarified that. I also looked at a number of pages on the
>> Shibboleth wiki that seemed relevant, such as this one
>> (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig),
>> but so far they haven't helped me to solve the problem. No matter what, I
>> always end up being redirected to port 8080 (Tomcat) when I'm sent to the
>> /shibboleth-login page in Dspace.
>>
>> While looking into the problem, I also poked around the Dspace source code
>> and found the line where the port is determined for the login page, but I'm
>> not sure what I need to do to change it to 80 instead of 8080 since it's
>> pulling it from the HttpServletRequest and not the ConfigurationManager.
>> https://github.com/DSpace/DSpace/blob/dspace-4.1/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L494
>>
>> Bryson
>>
>> -----Original Message-----
>> From: Tim Donohue [mailto:[email protected]]
>> Sent: Wednesday, July 09, 2014 9:13 AM
>> To: Duda, Bryson; [email protected]
>> Subject: Re: [Dspace-tech] Shibboleth woes
>>
>> Hi Bryson,
>>
>> Just to clarify, have you seen the official 4.x documentation for setting up
>> Shibboleth at:
>>
>> https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>>
>> The official docs go into some detail as to how you can configure
>> Apache + Tomcat + mod_shib. I just wanted to be sure you are looking at the
>> correct place in the Wiki (as you didn't mention which wiki page you
>> were looking at)
>>
>> I'm pretty sure there are also some older, outdated notes others have posted
>> elsewhere on the wiki (most of the wiki is publicly editable...but the
>> "official docs" section is privately maintained & usually more accurate).
>>
>> - Tim
>>
>> On 7/8/2014 5:33 PM, Duda, Bryson wrote:
>>> Hi everyone,
>>>
>>> I've been having some problems getting Shibboleth and Dspace to play
>>> nice together, and I'm hoping that someone can help me see where I'm
>>> going wrong. Our current setup is Dspace 4.1 served by Tomcat 7 (on
>>> port 8080) with authentication handled through Shibboleth 2.5.2 via Apache
>>> httpd 2.4.6 (on port 80).
>>>
>>> The problem: After authenticating through Shibboleth, users are being
>>> redirected directly to Tomcat, bypassing httpd. This generates an
>>> "Authentication Failed" message since Tomcat isn't involved with the
>>> Shibboleth authentication, only httpd is.
>>>
>>> Background: Everything was set up based on the Shibboleth
>>> Authentication section of the Duraspace wiki, with one additional
>>> change. In the shibboleth2.xml config file, I set a manual handlerURL
>>> inside the Sessions tag. That URL ensures that requests for
>>> /Shibboleth.sso go to httpd instead of Tomcat. I found that if I
>>> didn't set it explicitly, I'd get a "No peer endpoint available"
>>> Shibboleth error instead of being redirected to our institution's Single
>>> Sign On page.
>>>
>>> I don't have a lot of experience with Apache or Shibboleth, so I'm
>>> hoping that a more seasoned veteran can steer me in the right direction.
>>> I wasn't sure what information would be pertinent, so I can certainly
>>> provide more if needed. Thanks in advance!
>>>
>>> Bryson Duda
>>>
>>> Systems Support Specialist
>>>
>>> Information Systems and Technical Services University of Lethbridge
>>> Library
>>>
>>> Phone: 403-332-4462
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Open source business process management suite built on Java and Eclipse
>>> Turn processes into business applications with Bonita BPM Community Edition
>>> Quickly connect people, data, and systems into organized workflows
>>> Winner of BOSSIE, CODIE, OW2 and Gartner awards
>>> http://p.sf.net/sfu/Bonitasoft
>>>
>>>
>>>
>>> _______________________________________________
>>> DSpace-tech mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>> List Etiquette:
>>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>>>