Hi there. I have a problem whereby Tomcat is getting confused with user sessions due to (I think) some mod_rewrite rules that switch a user in and out of SSL. The general requirement I have is to only use SSL in certain parts of our application (login, user administration, etc.), and we use mod_rewrite rules to enforce this. The problem is that while we can correctly make sure a user login is properly redirected to SSL, when that user clicks on a link following login (i.e. a non-SSL request), they are sent back to the login page. This is due, I think, to Tomcat confusedly thinking the subsequent request comes from a new, unauthenticated user, possibly because the second request is not over SSL. When I run an HTTP tracer, I indeed see that there is a new session cookie placed for the subsequent request.
Below is the relevant portion of our httpd.conf file, followed by the workers.properties file. I've followed the recommendations I've seen online regarding connector configuration, but perhaps there is something subtle that is missing, or our rewrite rules are screwed up. Any insight is appreciated. thanks. -d.

httpd.conf (irrelevant sections omitted):

# Load mod_jk
#
LoadModule jk_module libexec/mod_jk.so

# Configure mod_jk
#
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"
JkLogLevel info
JkShmFile "logs/jk.shm"
JkShmSize 10M

# Map mod_ssl vars to JK vars so that tomcat can reference SSL info.
JkExtractSSL On
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

JkMount /tech/* tech_1
JkMount /tech tech_1

<VirtualHost _default_:80>
RewriteEngine on
RewriteLog "/usr/local/apache/logs/rewrite.log"
RewriteLogLevel 1

RewriteCond %{SERVER_PORT} 80
#redirect requests for index.html to login page
RewriteCond %{REQUEST_URI} /index.html
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do

#redirect requests for login page
RewriteCond %{REQUEST_URI} /tech/home.do
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do

# redirect requests for the trial page
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/trial.do
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1

# redirect requests for the profile
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/.*profile.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1

# redirect requests for activation
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/activation.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1

# redirect requests for admin
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/admin/.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1

# redirect requests for michigan state
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /michigan
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do

# redirect requests for CSR Tool
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /subscription*
RewriteRule ^/(.*) http://SERVER_CSR/subscription

RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /studentwork/.*
RewriteRule ^/(.*) http://forumtecprd.classroom.com/$1
</VirtualHost>

##################
## SSL Settings ##
##################
<IfDefine SSL>
Listen 443
</IfDefine>

##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/usr/local/apache/logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel error

# This is a fix for bug 4867, where the security certificate issuer appears to be invalid
# in IE5 on the mac, and all versions of Netscape on windows. We also had to install root
# certificates on the server in the location specified below
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/intermediate.crt
</IfModule>

#####################
## END SSL OPTIONS ##
#####################

<IfDefine SSL>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
#################
## SSL OPTIONS ##
#################
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

RewriteEngine on
RewriteLog "/usr/local/apache/logs/rewrite.log"
RewriteLogLevel 1

RewriteCond %{SERVER_PORT} 443
# Don't redirect requests coming from the login page, activation, or profile
RewriteCond %{HTTP_REFERER} !.*/tech/trial.do
RewriteCond %{HTTP_REFERER} !.*/tech/home.do
RewriteCond %{HTTP_REFERER} !.*/tech/j_security_check
RewriteCond %{HTTP_REFERER} !.*/tech/.*profile.*
RewriteCond %{HTTP_REFERER} !.*/tech/activation.*
RewriteCond %{HTTP_REFERER} !.*/tech/group/.*
RewriteCond %{HTTP_REFERER} !.*/tech/admin/.*
RewriteCond %{HTTP_REFERER} !.*/tech/lost.*
RewriteCond %{HTTP_REFERER} !.*/tech/secure.*
# Don't redirect image requests - IE bug with 304 errors. Bugbase ID 4811
RewriteCond %{REQUEST_URI} !/tech_root/.*
# Don't redirect requests for the login page, login form, activation, or profile/
RewriteCond %{REQUEST_URI} !/tech/trial.do
RewriteCond %{REQUEST_URI} !/tech/home.do
RewriteCond %{REQUEST_URI} !/tech/j_security_check
RewriteCond %{REQUEST_URI} !/tech/.*profile.*
RewriteCond %{REQUEST_URI} !/tech/activation.*
RewriteCond %{REQUEST_URI} !/tech/group/.*
RewriteCond %{REQUEST_URI} !/tech/admin/.*
RewriteCond %{REQUEST_URI} !/tech/lost.*
RewriteCond %{REQUEST_URI} !/tech/secure.*
RewriteRule ^/(.*) http://tech-dev.classroom.com/$1
</VirtualHost>
</IfDefine>

workers.properties:

worker.list=tech_1
worker.tech_1.port=8009
worker.tech_1.host=localhost
worker.tech_1.type=ajp13
worker.tech_1.cachesize=10
worker.tech_1.cache_timeout=600
worker.tech_1.socket_timeout=300
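The symptom described in the post (a fresh session cookie on the first plain-HTTP request after an SSL login) is what a standards-conforming browser produces when the session cookie carries the Secure attribute: a Secure cookie is only ever sent back over HTTPS, so the port-80 request arrives with no JSESSIONID and the container starts a new session. The script below is an added illustration and is not the poster's code or anything from Tomcat or mod_jk. It assumes that the container marks JSESSIONID as Secure when the request that created the session was seen as secure (which is the SSL state JkExtractSSL / JkHTTPSIndicator forward to Tomcat); `SessionServer`, `browse` and `run_flow` are constructed stand-ins, Python's standard `http.cookiejar` plays the browser, and the host name is the one from the posted rewrite rules.

```python
"""Added illustration: why a session created over HTTPS is not found on the
next plain-HTTP request. Not the poster's code; SessionServer is a constructed
stand-in for a servlet container that (as assumed here) sets the Secure
attribute on JSESSIONID when the creating request was secure."""
import http.cookiejar
import secrets
import urllib.request
from email.message import Message

HOST = "tech-dev.classroom.com"  # host name taken from the posted rewrite rules


class SessionServer:
    """Constructed stand-in for a session-tracking servlet container."""

    def __init__(self):
        self.sessions = set()

    def handle(self, request):
        """Serve one request; return (session_id, created_new, set_cookie_or_None)."""
        for part in request.get_header("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID" and value in self.sessions:
                return value, False, None          # existing session recognised
        # No usable session cookie arrived: mint a new one, which is exactly the
        # "new session cookie" the poster saw in the HTTP trace.
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        set_cookie = "JSESSIONID=%s; Path=/tech" % sid
        if request.type == "https":                # i.e. request.isSecure()
            set_cookie += "; Secure"               # assumption: container does this
        return sid, True, set_cookie


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browse(jar, server, url):
    """One round trip: the jar attaches the cookies it is allowed to send for
    this URL's scheme, the server answers, and any Set-Cookie is stored."""
    req = urllib.request.Request(url)      # no network I/O is performed
    jar.add_cookie_header(req)             # Secure cookies are withheld for http://
    sid, is_new, set_cookie = server.handle(req)
    if set_cookie:
        jar.extract_cookies(_Response(set_cookie), req)
    return sid, is_new


def run_flow(second_scheme):
    """Log in over HTTPS, then follow a link using `second_scheme`."""
    jar, server = http.cookiejar.CookieJar(), SessionServer()
    login_sid, _ = browse(jar, server, "https://%s/tech/home.do" % HOST)
    login_cookie_secure = any(c.name == "JSESSIONID" and c.secure for c in jar)
    next_sid, is_new = browse(jar, server, "%s://%s/tech/report.do" % (second_scheme, HOST))
    return {
        "login_sid": login_sid,
        "login_cookie_secure": login_cookie_secure,
        "next_sid": next_sid,
        "new_session": is_new,
    }


if __name__ == "__main__":
    for scheme in ("http", "https"):
        r = run_flow(scheme)
        print("login over https, next link over %-5s -> new session: %s (ids equal: %s)"
              % (scheme, r["new_session"], r["login_sid"] == r["next_sid"]))
```

Run with the follow-up link on `http`, a second session id is minted and the login is lost; keep it on `https` and the same session is found. The Secure attribute is doing its job here: the session id that authenticates the user never travels over port 80 in cleartext. The remedy that keeps that property is to stay on SSL for everything after login (or to serve the whole application over SSL), rather than persuading the container to issue a non-Secure cookie or to treat port-80 traffic as secure.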