Tuesday, August 23, 2011

Shibboleth and Liferay Part 3: Connecting Apache to Tomcat

This post is the third part in a series describing how to set up Shibboleth as a Web SSO provider to Liferay. By this point you've installed Shibboleth onto your server and have configured Apache to work with it.

Apache is a web server, not a servlet container. Liferay (or whatever Java-based application you're protecting with Shibboleth) must run in a servlet container. The problem is that Shibboleth only knows how to interact with Apache. Thus, we need Apache to deal with Shibboleth but still pass requests along to Tomcat.

In order to handle passing requests back and forth between Apache and Tomcat, you'll need to add a module to Apache that will do this for you. If you do a web search on connectors between Apache and Tomcat you'll see a lot of mod_jk and mod_proxy coming up. Most of it seems to revolve around mod_jk.

You do NOT need to use mod_jk with Tomcat 6 and Apache 2.2. You can, but DON'T. It's much more complex to configure, it may not already be installed in your Linux distribution (meaning you get the fun of doing that yourself), and it's not going to be supported much longer (if it even still is). Just use mod_proxy_ajp.

Seriously.

Proxy Settings

Now, if your httpd.conf includes a separate file for setting up proxies, it's probably called something like proxy_ajp.conf. If not, create it. Open it up. (Make sure your httpd.conf file includes this one, per the previous blog post.)

At or near the top of the file should be the line:

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

This loads the mod_proxy_ajp.so module into Apache on startup.

Make sure the following lines are in the file:

ProxyRequests Off
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
<Proxy *>
Order Deny,Allow
Allow from All
</Proxy>

Now, this will only work if your Liferay is installed as the ROOT application in your Tomcat, as it is in the bundle. If it isn't, you'll need to specify the name of the folder where your Liferay is, for example:

ProxyRequests Off
ProxyPass / ajp://localhost:8009/myliferay/
ProxyPassReverse / ajp://localhost:8009/myliferay/
<Proxy /myliferay/>
Order Deny,Allow
Allow from All
</Proxy>

This also works, of course, for whatever web application you're protecting with Shibboleth.

Now you can save and close that file.
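The settings above can be checked mechanically before restarting Apache. The following is an added example, not code from the original post: the function name `audit_proxy_conf`, the sample configs and the loopback check are assumptions of this example, and the sample includes the `LoadModule proxy_module` line that a commenter reports needing.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_proxy_conf(text):
    """Return findings for Apache config text that sets up mod_proxy_ajp."""
    # Apache comments are whole lines starting with '#'; <Section> tags are skipped.
    rows = [l.split() for l in map(str.strip, text.splitlines())
            if l and not l.startswith(("#", "<"))]
    by_name = {}
    for name, *args in rows:
        by_name.setdefault(name.lower(), []).append(args)
    loaded = {a[0] for a in by_name.get("loadmodule", []) if a}
    findings = [f"LoadModule {m} is missing"
                for m in ("proxy_module", "proxy_ajp_module") if m not in loaded]
    # The last ProxyRequests line wins; the post asks for an explicit Off.
    last = (by_name.get("proxyrequests") or [[]])[-1]
    if [v.lower() for v in last] != ["off"]:
        findings.append("ProxyRequests is not explicitly Off")
    reverses = {tuple(a[:2]) for a in by_name.get("proxypassreverse", [])}
    for args in by_name.get("proxypass", []):
        if len(args) < 2 or args[1] == "!":  # malformed line or an exclusion rule
            continue
        path, url = args[:2]
        if (path, url) not in reverses:
            findings.append(f"ProxyPass {path} {url} has no matching ProxyPassReverse")
        target = urlsplit(url)
        if target.scheme != "ajp" or target.hostname not in LOOPBACK:
            # Assumption of this example: Tomcat runs on the same host, as in the post.
            findings.append(f"backend {url} is not AJP on loopback")
    return findings

# Constructed inputs: the post's settings plus the LoadModule line from the comments.
PAGE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyRequests Off
ProxyPass / ajp://localhost:8009/myliferay/
ProxyPassReverse / ajp://localhost:8009/myliferay/
"""
BAD_CONF = """\
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
ProxyRequests On
ProxyPass / ajp://10.0.0.5:8009/myliferay/
ProxyPassReverse / ajp://localhost:8009/
"""

if __name__ == "__main__":
    print("\n".join(audit_proxy_conf(BAD_CONF)))
```

Pass it the concatenated text of httpd.conf and proxy_ajp.conf, since the modules may be loaded in either file.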

To be continued...

3 comments:

  1. Problem solved! This is what I am looking for! Thanks a lot

  2. You're welcome! Glad to be of help.

  3. Hi, this has been a big help, thanks. For others' info, after these config changes I was getting "Symbol not found: _proxy_module" when starting Apache. The fix for that is to add a LoadModule line to httpd.conf, thus:

    LoadModule proxy_module modules/mod_proxy.so
    # and then your proxy_ajp.conf reference...
    Include /usr/local/zend/apache2/conf/proxy_ajp.conf

    Now all seems fine.
