Tomcat secure sessions with AJP and HTTP protocols using Apache proxy balancer
published May 20, 2011
During this week I have been digging into the Apache AJP protocol and how it communicates with Tomcat. In particular, I have been interested in how SSL works in different Tomcat connector setups. Once again, in hindsight everything is so clear, but I had many desperate moments during these days :) Anyway, you should first check the mod_proxy balancer configuration and the AJP protocol documentation.
Basically, I have tried two different solutions:
1) Apache proxy balancer using HTTP
<Proxy balancer://liferaycluster>
BalancerMember http://node1 route=node1
BalancerMember http://node2 route=node2
ProxySet stickysession=ROUTEID
</Proxy>
2) Apache proxy balancer using AJP
<Proxy balancer://liferaycluster>
BalancerMember ajp://node1 route=node1 ping=3
BalancerMember ajp://node2 route=node2 ping=3
ProxySet stickysession=ROUTEID
</Proxy>
The benefit of using AJP is the “ping” setting, which Apache uses to check whether Tomcat is up or down and to do more sophisticated load balancing based on that information. However, things become trickier in the Tomcat connector configuration when checking whether the JSESSIONID cookie will end up being “secure” or not. With the HTTP connector you can define whether your connector is secure like so:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="false" scheme="https" secure="true" proxyPort="443"/>
But if you define a connector with the AJP protocol:
<Connector port="8443" protocol="AJP/1.3" SSLEnabled="false" scheme="http" secure="false" proxyPort="443"/>
the “secure” setting will not have any effect on the JSESSIONID cookie. However, it does have an effect on the “ServletRequest.isSecure()” call. Go figure.
It seems that the AJP protocol carries a boolean value indicating whether the initial connection to Apache was secure or not, and that value is passed to Tomcat, which uses it when creating the user session cookie.
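To make that boolean concrete, here is an added example (not code from the original post) that builds and parses the AJP13 forward-request packet Apache sends to Tomcat, following the field order of the AJP13 protocol spec. The is_ssl byte sits right after server_port and is asserted by the proxy, which is why it overrides the connector's own secure attribute; the request values, method code, and header encoding are constructed assumptions for the demo.

```python
import struct

AJP_FORWARD_REQUEST = 2  # prefix code for a forward request (AJP13 spec)
METHOD_GET = 2           # AJP13 method code for GET (assumed from the spec table)

def _ajp_string(s):
    """Encode an AJP string: 2-byte length, bytes, NUL; 0xFFFF means null."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_forward_request(uri, server_name, server_port, is_ssl, headers=()):
    """Build the packet the proxy sends; is_ssl is the proxy's own claim."""
    body = bytes([AJP_FORWARD_REQUEST, METHOD_GET])
    body += _ajp_string("HTTP/1.1") + _ajp_string(uri)
    body += _ajp_string("203.0.113.5") + _ajp_string(None)  # remote_addr, remote_host
    body += _ajp_string(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0])                   # the is_ssl boolean
    body += struct.pack(">H", len(headers))
    for name, value in headers:  # non-coded header names are plain AJP strings
        body += _ajp_string(name) + _ajp_string(value)
    body += b"\xff"  # request terminator (no attributes in this demo)
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if n == 0xFFFF:
        return None, pos
    return buf[pos:pos + n].decode("latin-1"), pos + n + 1  # skip NUL

def parse_forward_request(packet):
    """Decode the fields up to is_ssl, as the container side would see them."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a client-to-container AJP packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    buf = packet[4:4 + length]
    if buf[0] != AJP_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    pos = 2  # skip prefix code and method
    protocol, pos = _read_string(buf, pos)
    uri, pos = _read_string(buf, pos)
    remote_addr, pos = _read_string(buf, pos)
    remote_host, pos = _read_string(buf, pos)
    server_name, pos = _read_string(buf, pos)
    (server_port,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return {"protocol": protocol, "uri": uri, "remote_addr": remote_addr,
            "server_name": server_name, "server_port": server_port,
            "is_ssl": buf[pos] == 1}
```

Because Tomcat takes is_ssl from this packet rather than from its connector settings, the AJP link between Apache and Tomcat must itself be protected so that only the trusted proxy can assert it.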
If you need an AJP setup where JSESSIONID should not be secure even if the initial connection came through HTTPS, you can hack Apache to remove the Secure setting from the cookie like so:
# mod_headers: strip only the Secure attribute from the JSESSIONID cookie
Header edit Set-Cookie "^(JSESSIONID=.*); *Secure" "$1"
This replaces the word Secure with an empty string in the JSESSIONID cookie. This is not the most clever thing to do, because now your session is open to hijacking.