Thanks so much, Tim, I was able to get it working! I was using port 8080 as the AJP port in the VHost instead of 8009. Once I changed the setting, it worked without any problems. The comment near the bottom of the sample virtual host settings on the wiki threw me off (it mentions port 8080), but I should have realized that I needed to change that to the AJP port for Tomcat.
Thank you again for all your help. I'm very happy to have this problem sorted out :-).

Bryson

-----Original Message-----
From: Tim Donohue [mailto:[email protected]]
Sent: Wednesday, July 09, 2014 12:33 PM
To: Duda, Bryson; [email protected]
Subject: Re: [Dspace-tech] Shibboleth woes

Hi Bryson,

Yes, in forwarding from Apache to Tomcat, I set up an Apache VHost as follows (this is just the HTTPS one..I have an HTTP VHost which just redirects to HTTPS)

    <VirtualHost *:443>
       ServerName mydspaceurl.org

       # As long as Shibboleth module is installed
       # Enable all Shibboleth related settings
       <IfModule mod_shib>
          # Copy all Shibb settings here from Docs..
          # And enable this line at the end..
          ProxyPass /Shibboleth.sso !
       </IfModule>

       ## Proxy / Forwarding Settings ##
       <Proxy *>
          AddDefaultCharset Off
          Order deny,allow
          Allow from all
       </Proxy>

       # Pass all requests to Tomcat's AJP Connector
       # (In this case, Tomcat's AJP port is 8009)
       ProxyPass / ajp://localhost:8009/

       ## You'll also need SSL Cert Settings for HTTPS
       SSLEngine on
       SSLCertificateChainFile path/to/file
       SSLCertificateFile path/to/file
       SSLCertificateKeyFile path/to/file
    </VirtualHost>

THEN, in Tomcat, ensure it has an AJP port setup in server.xml...e.g.

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" />

Those settings (plus those in the docs) should ensure that Apache will redirect ALL requests to Tomcat EXCEPT requests to Shibboleth (which will be handled in Apache by mod_shib).

Obviously, you also need to ensure both mod_shib and mod_proxy are installed in your Apache, too.

Hopefully that helps.

- Tim

On 7/9/2014 1:08 PM, Duda, Bryson wrote:
> Thanks for your help so far, Tim!
>
> Do you also use the "ProxyPass / ajp://localhost:8080/" line mentioned in the
> comments as well, then? My understanding was that that line is needed to get
> the request over to Tomcat (where Dspace resides), but I could be mistaken.
>
> Bryson
>
> -----Original Message-----
> From: Tim Donohue [mailto:[email protected]]
> Sent: Wednesday, July 09, 2014 10:10 AM
> To: Duda, Bryson; [email protected]
> Subject: Re: [Dspace-tech] Shibboleth woes
>
> Hi Bryson,
>
> If you are using the "mod_proxy" to forward to Tomcat, you might want
> to ensure you have this setting enabled (which is commented out in the
> official docs example). It ensures Shibboleth requests are not
> redirected to Tomcat accidentally
>
>     # Finally, you may need to ensure requests to /Shibboleth.sso are NOT redirected
>     # to Tomcat (as they will be handled by mod_shib instead).
>     # NOTE: THIS SETTING IS LIKELY ONLY NEEDED IF YOU ARE USING PROXYPASS TO REDIRECT
>     # ALL REQUESTS TO TOMCAT (e.g. ProxyPass / ajp://localhost:8080/)
>     # ProxyPass /Shibboleth.sso !
>
> (Uncomment that final "ProxyPass /Shibboleth.sso !" line)
>
> Doing that should allow you to remove any custom settings in your
> shibboleth2.xml to attempt to handle this.
>
> I'm not sure if that'll solve all of your issues, but I've managed to get
> Shibboleth working with mod_shib + mod_proxy + Apache + Tomcat using the
> exact settings in the official docs (though I have that last ProxyPass
> uncommented).
>
> - Tim
>
> On 7/9/2014 10:51 AM, Duda, Bryson wrote:
>> Hi Tim,
>>
>> Yes, that wiki page is the one I used while doing the configuration. Sorry,
>> I should have clarified that. I also looked at a number of pages on the
>> Shibboleth wiki that seemed relevant, such as this one
>> (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig),
>> but so far they haven't helped me to solve the problem. No matter what, I
>> always end up being redirected to port 8080 (Tomcat) when I'm sent to the
>> /shibboleth-login page in Dspace.
>>
>> While looking into the problem, I also poked around the Dspace source code
>> and found the line where the port is determined for the login page, but I'm
>> not sure what I need to do to change it to 80 instead of 8080 since it's
>> pulling it from the HttpServletRequest and not the ConfigurationManager.
>> https://github.com/DSpace/DSpace/blob/dspace-4.1/dspace-api/src/main/java/org/dspace/authenticate/ShibAuthentication.java#L494
>>
>> Bryson
>>
>> -----Original Message-----
>> From: Tim Donohue [mailto:[email protected]]
>> Sent: Wednesday, July 09, 2014 9:13 AM
>> To: Duda, Bryson; [email protected]
>> Subject: Re: [Dspace-tech] Shibboleth woes
>>
>> Hi Bryson,
>>
>> Just to clarify, have you seen the official 4.x documentation for setting up
>> Shibboleth at:
>>
>> https://wiki.duraspace.org/display/DSDOC4x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
>>
>> The official docs go into some detail as to how you can configure
>> Apache + Tomcat + mod_shib. I just wanted to be sure you are looking at the
>> correct place in the Wiki (as you didn't mention which wiki page you
>> were looking at)
>>
>> I'm pretty sure there are also some older, outdated notes others have posted
>> elsewhere on the wiki (most of the wiki is publicly editable...but the
>> "official docs" section is privately maintained & usually more accurate).
>>
>> - Tim
>>
>> On 7/8/2014 5:33 PM, Duda, Bryson wrote:
>>> Hi everyone,
>>>
>>> I've been having some problems getting Shibboleth and Dspace to play
>>> nice together, and I'm hoping that someone can help me see where I'm
>>> going wrong. Our current setup is Dspace 4.1 served by Tomcat 7 (on
>>> port 8080) with authentication handled through Shibboleth 2.5.2 via
>>> Apache httpd 2.4.6 (on port 80).
>>>
>>> The problem: After authenticating through Shibboleth, users are
>>> being redirected directly to Tomcat, bypassing httpd.
>>> This generates an "Authentication Failed" message since Tomcat isn't
>>> involved with the Shibboleth authentication, only httpd is.
>>>
>>> Background: Everything was set up based on the Shibboleth
>>> Authentication section of the Duraspace wiki, with one additional
>>> change. In the shibboleth2.xml config file, I set a manual
>>> handlerURL inside the Sessions tag. That URL ensures that requests
>>> for /Shibboleth.sso go to httpd instead of Tomcat. I found that if I
>>> didn't set it explicitly, I'd get a "No peer endpoint available"
>>> Shibboleth error instead of being redirected to our institution's Single
>>> Sign On page.
>>>
>>> I don't have a lot of experience with Apache or Shibboleth, so I'm
>>> hoping that a more seasoned veteran can steer me in the right direction.
>>> I wasn't sure what information would be pertinent, so I can
>>> certainly provide more if needed. Thanks in advance!
>>>
>>> Bryson Duda
>>>
>>> Systems Support Specialist
>>>
>>> Information Systems and Technical Services
>>> University of Lethbridge Library
>>>
>>> Phone: 403-332-4462
>>>
>>> _______________________________________________
>>> DSpace-tech mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/dspace-tech
>>> List Etiquette:
>>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
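
A check for the two settings this thread turned on, written as an added example (it is not part of the thread and is not DSpace or Shibboleth project code): it confirms that every ajp:// ProxyPass target is a Tomcat AJP/1.3 connector and that the /Shibboleth.sso exclusion precedes the catch-all rule. The function names and the sample server.xml and vhost snippets are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Active (uncommented) "ProxyPass <path> <target>" lines; ProxyPassReverse is skipped.
PROXYPASS = re.compile(r"^[ \t]*ProxyPass[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)
AJP_URL = re.compile(r"^ajp://[^:/]+:(\d+)")

# Constructed sample inputs (not taken from any real server).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" />
</Service></Server>"""
VHOST_BEFORE = """<VirtualHost *:443>
  # ProxyPass /Shibboleth.sso !
  ProxyPass / ajp://localhost:8080/
</VirtualHost>"""
VHOST_AFTER = """<VirtualHost *:443>
  ProxyPass /Shibboleth.sso !
  ProxyPass / ajp://localhost:8009/
</VirtualHost>"""

def tomcat_connectors(server_xml):
    """Map port -> protocol for each <Connector>; Tomcat defaults to HTTP/1.1."""
    return {int(c.get("port")): c.get("protocol", "HTTP/1.1")
            for c in ET.fromstring(server_xml).iter("Connector")}

def check_vhost(vhost_conf, server_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings, connectors = [], tomcat_connectors(server_xml)
    rules = PROXYPASS.findall(vhost_conf)
    for path, target in rules:
        m = AJP_URL.match(target)
        if not m:
            continue
        port = int(m.group(1))
        proto = connectors.get(port)
        if proto is None:
            findings.append(f"ProxyPass {path}: no Tomcat connector on port {port}")
        elif not proto.startswith("AJP"):
            findings.append(f"ProxyPass {path}: port {port} speaks {proto}, not AJP")
    # The first matching ProxyPass wins, so the "!" exclusion must precede "ProxyPass /".
    paths = [path for path, _ in rules]
    excl = ("/Shibboleth.sso", "!")
    if "/" in paths:
        if excl not in rules:
            findings.append("no active 'ProxyPass /Shibboleth.sso !' exclusion")
        elif rules.index(excl) > paths.index("/"):
            findings.append("'ProxyPass /Shibboleth.sso !' comes after 'ProxyPass /'")
    return findings
```

Calling `check_vhost(VHOST_BEFORE, SERVER_XML)` reports both the HTTP-port target and the missing exclusion, while `VHOST_AFTER` returns an empty list.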

