
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


Install Shibboleth to protect Java Servlets

The Shibboleth SP is presently only implemented in C++ as a module for Apache, IIS, and NSAPI. However, it's quite easy to use the Shibboleth SP to provide authentication information for Java servlets in a wide variety of servlet containers.

In the setup described here, requests from browsers are intercepted first by Apache. The Shibboleth SP then checks these requests to enforce authentication requirements. After an assertion is received and a Shibboleth session is established, the SP or Apache can enforce access control rules, or it can just pass attributes to the application. The request is then forwarded to the servlet through the use of the AJP13 protocol. Subsequent requests can leverage the Shibboleth session or a session maintained by the application or servlet container to persist the login.

1. Set up Apache with Shibboleth

Install Apache first. Version 2.2 is by far the easiest to use, because it includes mod_proxy_ajp in the main distribution. If you're using an older version, you'll need to install and configure mod_jk separately.

Next, install Shibboleth itself. The installation steps are platform-dependent, so go back to the main installation page and select the right one. After you complete the installation, return here and continue with step 2.

2. Set up AJP13 support in your servlet container

This step depends on your servlet container.

  • Tomcat: Tomcat has an AJP 1.3 listener enabled by default.
  • Jetty: Jetty's documentation has good instructions on how to enable both Jetty and your application to listen on AJP 1.3.

Be careful that the servlet container does not open a direct HTTP listener. If, for example, there's an HTTP connector listening on port 8080 and no interceding firewall, users could access the servlet directly on port 8080, bypassing Apache and therefore bypassing Shibboleth authentication and authorization.

3. Configure Apache to route requests to your servlet

Add a line to your Apache configuration, such as in httpd.conf, to map requests on the proper virtual hosts to your application through AJP 1.3.

ProxyPass /my-application ajp://localhost:8009/my-application

4. Add Shibboleth protection for your servlet

Add a block to your Apache configuration on the proper virtual host, such as in httpd.conf, to trigger Shibboleth session initiation and authentication for your application. ShibUseHeaders On is important because mod_proxy_ajp does not pass environment variables to the servlet unless their names carry the AJP_ prefix; with headers enabled, the attributes arrive as request headers whose CGI-style variable names are HTTP_NAME, where NAME is the name given in attribute-map.xml.

<Location /my-application>
  AuthType shibboleth
  ShibRequireSession On
  ShibUseHeaders On
  require valid-user
</Location>

You can then enforce access control rules in shibboleth2.xml or .htaccess, or simply use the attributes supplied to your application.
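The warning in step 2 is the part of this setup that is easiest to get wrong: a servlet container that still listens for HTTP, or for AJP on a non-loopback address, can be reached without passing through Apache and the SP. The following added example (not part of the Shibboleth documentation) audits a Tomcat server.xml for such connectors; the sample server.xml is constructed, and the check assumes Apache runs on the same host so connectors bound to a loopback address are acceptable.

```python
"""Audit a Tomcat server.xml for connectors reachable without going through
Apache and the Shibboleth SP. Added example, not Shibboleth project code."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def classify_connectors(server_xml):
    """Return one finding per Connector that a client could reach directly.

    Connectors bound to a loopback address are skipped: mod_proxy_ajp on the
    same host can still reach them, while remote clients cannot.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        # A missing address attribute means "bind to all interfaces".
        address = conn.get("address", "0.0.0.0")
        if address in LOOPBACK:
            continue
        # Matches both "AJP/1.3" and class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" in protocol.upper():
            problem = "AJP connector reachable from the network; bind it to 127.0.0.1"
        else:
            problem = ("direct HTTP listener bypasses Apache and Shibboleth; "
                       "remove it or bind it to 127.0.0.1")
        findings.append({"port": conn.get("port"), "protocol": protocol,
                         "address": address, "problem": problem})
    return findings


# Constructed sample: the default HTTP connector on 8080 was left in place,
# AJP is open on all interfaces, and a second AJP connector is bound correctly.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in classify_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']} ({f['protocol']}, {f['address']}): {f['problem']}")
```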
