Hi, there. I have a problem whereby tomcat is getting confused with user
sessions due to (I think) some mod_rewrite rules that switch a user in and out
of SSL. The general requirement I have is to only use SSL in certain parts of
our application (login, user administration, etc), and we use mod_rewrite rules
to enforce this. The problem is that while we can correctly make sure a user
login is properly redirected to SSL, when that user clicks on a link following
login (ie: a non-SSL request), they are sent back to the login page. This is
due, I think, to tomcat confusedly thinking the subsequent request comes from a
new, unauthenticated user, possibly because the second request is not over SSL.
When I run an HTTP tracer, I indeed see that there is a new session cookie
placed for the subsequent request.
Below is the relevant portion of our httpd.conf file, followed by the
workes.properties file. I've followed the recommendations I've seen online
regarding connector configuration, but perhaps there is something subtle that
is missing, or our rewrite rules are screwed up. Any insight is appreciated.
thanks.
-d.
httpd.conf (irrelevant sections omitted):
# Load mod_jk
#
LoadModule jk_module libexec/mod_jk.so
# Configure mod_jk
#
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"
JkLogLevel info
JkShmFile "logs/jk.shm"
JkShmSize 10M
# Map mod_ssl vars to JK vars so that tomcat can reference SSL info.
JkExtractSSL On
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkMount /tech/* tech_1
JkMount /tech tech_1
<VirtualHost _default_:80>
RewriteEngine on
RewriteLog "/usr/local/apache/logs/rewrite.log"
RewriteLogLevel 1
RewriteCond %{SERVER_PORT} 80
#redirect requests for index.html to login page
RewriteCond %{REQUEST_URI} /index.html
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do
#redirect requests for login page
RewriteCond %{REQUEST_URI} /tech/home.do
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do
# redirect requests for the trial page
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/trial.do
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1
# redirect requests for the profile
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/.*profile.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1
# redirect requests for activation
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/activation.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1
# redirect requests for admin
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /tech/admin/.*
RewriteRule ^/(.*) https://tech-dev.classroom.com/$1
# redirect requests for michigan state
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /michigan
RewriteRule ^/(.*) https://tech-dev.classroom.com/tech/home.do
# redirect requests for CSR Tool
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /subscription*
RewriteRule ^/(.*) http://SERVER_CSR/subscription
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /studentwork/.*
RewriteRule ^/(.*) http://forumtecprd.classroom.com/$1
</VirtualHost>
##################
## SSL Settings ##
##################
<IfDefine SSL>
Listen 443
</IfDefine>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/usr/local/apache/logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel error
# This is a fix for bug 4867, where the security certificate issuer
appears to be invalid
# in IE5 on the mac, and all versions of Netscape on windows. We also had
to install root
# certificates on the server in the location specified below
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/intermediate.crt
</IfModule>
#####################
## END SSL OPTIONS ##
#####################
<IfDefine SSL>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
#################
## SSL OPTIONS ##
#################
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
RewriteEngine on
RewriteLog "/usr/local/apache/logs/rewrite.log
RewriteLogLevel 1
RewriteCond %{SERVER_PORT} 443
# Don't redirect requests coming from the login page, activation, or
profile
RewriteCond %{HTTP_REFERER} !.*/tech/trial.do
RewriteCond %{HTTP_REFERER} !.*/tech/home.do
RewriteCond %{HTTP_REFERER} !.*/tech/j_security_check
RewriteCond %{HTTP_REFERER} !.*/tech/.*profile.*
RewriteCond %{HTTP_REFERER} !.*/tech/activation.*
RewriteCond %{HTTP_REFERER} !.*/tech/group/.*
RewriteCond %{HTTP_REFERER} !.*/tech/admin/.*
RewriteCond %{HTTP_REFERER} !.*/tech/lost.*
RewriteCond %{HTTP_REFERER} !.*/tech/secure.*
# Don't redirect image requests - IE bug with 304 errors. Bugbase ID
4811
RewriteCond %{REQUEST_URI} !/tech_root/.*
# Don't redirect requests for the login page, login form, activation,
or profile/
RewriteCond %{REQUEST_URI} !/tech/trial.do
RewriteCond %{REQUEST_URI} !/tech/home.do
RewriteCond %{REQUEST_URI} !/tech/j_security_check
RewriteCond %{REQUEST_URI} !/tech/.*profile.*
RewriteCond %{REQUEST_URI} !/tech/activation.*
RewriteCond %{REQUEST_URI} !/tech/group/.*
RewriteCond %{REQUEST_URI} !/tech/admin/.*
RewriteCond %{REQUEST_URI} !/tech/lost.*
RewriteCond %{REQUEST_URI} !/tech/secure.*
RewriteRule ^/(.*) http://tech-dev.classroom.com/$1
</VirtualHost>
</IfDefine>
workers.properties:
worker.list=tech_1
worker.tech_1.port=8009
worker.tech_1.host=localhost
worker.tech_1.type=ajp13
worker.tech_1.cachesize=10
worker.tech_1.cache_timeout=600
worker.tech_1.socket_timeout=300