I intend to use the user and certificate info in a Filter. I think I have configured everything to do that, but the information does not get passed along.

Based on various documentation and howtos, SSLVerifyClient require, SSLOptions +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On should be enough to pass certificate data, and Require valid-user should be enough to pass the authenticated username.

I see the following debug output (also contains the various info logged by the filter), which clearly lacks the information needed.

I have a cgi in the cgi-bin directory, which prints out the environment, and I see both REMOTE_USER and all relevant certificate related information there.

debug log:

Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.554 2019] [7885:139750518257408] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/servlet/servlet' from 1 maps
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (993): Found a wildchar match '/servlet*=worker1'
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2823): Into handler jakarta-servlet worker=worker1 r->proxyreq=0
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] wc_get_worker_for_name::jk_worker.c (120): found a worker worker1
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] wc_get_name_for_type::jk_worker.c (304): Found worker type 'ajp13'
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] init_ws_service::mod_jk.c (1196): 
Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=94.62.142.229 name=repository.kodekonveyor.com port=443 auth=(null) user=(null) laddr=217.61.105.99 raddr=94.62.142.229 uaddr=94.62.142.229 uri=/servlet/servlet
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.558 2019] [7885:139750518257408] [debug] ajp_get_endpoint::jk_ajp_common.c (3356): (worker1) acquired connection pool slot=0 after 0 retries
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_marshal_into_msgb::jk_ajp_common.c (684): (worker1) ajp marshaling done
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_service::jk_ajp_common.c (2591): processing worker1 with 2 retries
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.560 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1722): (worker1) no usable connection found, will create a new one.
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (675): socket TCP_NODELAY set to On
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (799): trying to connect socket 24 to ::1:8009
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.565 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (825): socket 24 [:::51520 -> ::a00:c940:0:0:8009] connected
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): sending to ajp13 pos=4 len=620 max=8192
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.575 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1782): (worker1) request body to send 0 - request body to resend 0
05-Oct-2019 19:46:13.580 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header host:repository.kodekonveyor.com
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
05-Oct-2019 19:46:13.586 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Language:hu,en-US;q=0.7,en;q=0.3
05-Oct-2019 19:46:13.587 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Encoding:gzip, deflate, br
05-Oct-2019 19:46:13.593 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header connection:keep-alive
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header cookie:JSESSIONID=5FCD1594EB5B2AD8907D72BF19D99110; mod_auth_openidc_session=00e51afc-593e-4237-975a-8506c00faf8e
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Upgrade-Insecure-Requests:1
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header content-length:0
05-Oct-2019 19:46:13.615 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log session:org.apache.catalina.session.StandardSessionFacade@71e6f5f
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.servlet.context.tempdir=/var/lib/tomcat9/work/Catalina/localhost/servlet
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.resources=org.apache.catalina.webresources.StandardRoot@d61f78d
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.InstanceManager=org.apache.catalina.core.DefaultInstanceManager@67361395
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.jsp_classpath=/var/lib/tomcat9/lib/:/var/lib/tomcat9/lib/realm-0.0.1-feature_toolchain.c76b4af.jar:/usr/share/tomcat9/lib/:/usr/share/java/tomcat9-coyote-9.0.16.jar:/usr/share/java/tomcat9-jdbc-9.0.16.jar:/usr/share/java/tomcat9-catalina-9.0.16.jar:/usr/share/java/tomcat9-servlet-api-9.0.16.jar:/usr/share/java/tomcat9-catalina-ha-9.0.16.jar:/usr/share/java/tomcat9-websocket-api-9.0.16.jar:/usr/share/java/tomcat9-jsp-api-9.0.16.jar:/usr/share/java/tomcat9-el-api-9.0.16.jar:/usr/share/java/tomcat9-jaspic-api-9.0.16.jar:/usr/share/java/tomcat9-util-scan-9.0.16.jar:/usr/share/java/tomcat9-i18n-fr-9.0.16.jar:/usr/share/java/tomcat9-annotations-api-9.0.16.jar:/usr/share/java/tomcat9-jasper-9.0.16.jar:/usr/share/java/tomcat9-jasper-el-9.0.16.jar:/usr/share/java/tomcat9-i18n-ru-9.0.16.jar:/usr/share/java/tomcat9-api-9.0.16.jar:/usr/share/java/tomcat9-util-9.0.16.jar:/usr/share/java/tomcat9-dbcp-9.0.16.jar:/usr/share/java/tomcat9-storeconfig-9.0.16.jar:/usr/share/java/tomcat9-catalina-ant-9.0.16.jar:/usr/share/java/tomcat9-i18n-es-9.0.16.jar:/usr/share/java/tomcat9-jni-9.0.16.jar:/usr/share/java/tomcat9-tribes-9.0.16.jar:/usr/share/java/tomcat9-websocket-9.0.16.jar:/usr/share/java/tomcat9-i18n-ja-9.0.16.jar:/usr/share/tomcat9/bin/bootstrap.jar:/usr/share/tomcat9/bin/tomcat-juli.jar
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.websocket.server.ServerContainer=org.apache.tomcat.websocket.server.WsServerContainer@4c5e5f6a
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.jasper.compiler.TldCache=org.apache.jasper.compiler.TldCache@69db0ce8
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.JarScanner=org.apache.tomcat.util.scan.StandardJarScanner@6b8453c1
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log user:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log cert:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log authType:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getContextPath:/servlet
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getProtocol:HTTP/1.1
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:94.62.142.229
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServerInfo:Apache Tomcat/9.0.16 (Ubuntu)
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServletContextName:null
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:/servlet/servlet
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=99 max=8192
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (739): (worker1) status = 200
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (746): Number of headers is = 2
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[0] [Set-Cookie] = [JSESSIONID=5C1B989D3A538AE903CE2916C4FCADDA; Path=/servlet; Secure; HttpOnly]
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[1] [Content-Length] = [42]
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=46 max=8192
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000 03 00 2A 53 65 72 76 65 64 20 61 74 3A 20 2F 73 - ..*Served.at:./s
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0010 65 72 76 6C 65 74 0A 48 65 6C 6C 6F 2C 20 66 72 - ervlet.Hello,.fr
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0020 6F 6D 20 61 20 53 65 72 76 6C 65 74 21 00 00 00 - om.a.Servlet!...
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ws_write::mod_jk.c (552): written 42 out of 42
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=2 max=8192
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_process_callback::jk_ajp_common.c (2135): (worker1) AJP13 protocol: Reuse is OK
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_reset_endpoint::jk_ajp_common.c (851): (worker1) resetting endpoint with socket 24
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_done::jk_ajp_common.c (3287): recycling connection pool for worker worker1 and socket 24
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2979): Service finished with status=200 for worker=worker1
Oct 5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /servlet/servlet HTTP/1.1" 200 3605 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' 
source 'JkMount'
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_translate::mod_jk.c (3977): no match for /favicon.ico found
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_map_to_storage::mod_jk.c (4052): no match for /favicon.ico found
Oct 5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /favicon.ico HTTP/1.1" 302 1699 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct 5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct 5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1
Oct 5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct 5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1

Relevant apache config:

JkWorkersFile /etc/libapache2-mod-jk/workers.properties
JkLogFile "||/usr/bin/logger -t apache-jk -i -p local5.notice"
JkLogLevel debug
JkShmFile /var/log/apache2/jk-runtime-status
JkWatchdogInterval 60
DocumentRoot /var/www/repo
OIDCProviderMetadataURL https://kode-konveyor.eu.auth0.com/.well-known/openid-configuration
OIDCClientID <correct client id>
OIDCClientSecret '<working client secret>'
OIDCScope "openid name email"
OIDCRedirectURI https://repository.kodekonveyor.com/auth
OIDCCryptoPassphrase <a pass phrase>
DBDriver pgsql
DBDParams "dbname=users user=repo host=infra.kodekonveyor.com"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
#JkMount /manager* worker1
IncludeOptional /etc/repo/apache-directories/*.conf
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar HELLO "Szia"
JkExtractSSL On
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
    AuthType openid-connect
    SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLOptions +ExportCertData
    Options +ExecCGI
    AddHandler cgi-script .cgi
    Require valid-user
</Directory>
SSLCACertificateFile "/keys/repo/ca.crt"
<Location "/servlet*">
    JkMount worker1
    AuthType openid-connect
    SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLOptions +ExportCertData
    #Require valid-user
    Require dbd-group foobar
    AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
</Location>
<Directory /var/www/repo/auth>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
    Require dbd-group allrepo
    Require dbd-group business
</Directory>
<Directory /var/www/repo>
    DirectoryIndex off
    RewriteEngine Off
    AllowOverride None
    AuthType openid-connect
    Require valid-user
</Directory>

/etc/libapache2-mod-jk/workers.properties:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
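
An added example (not part of the original report and not mod_jk code): a Python decoder for the AJP13 forward request that mod_jk marshals, reporting whether the optional remote_user, auth_type and ssl_cert attributes are present. Both packets are constructed here; the host name, address, user and certificate values are placeholders, and only the HELLO=Szia request attribute mirrors the JkEnvVar line in the config above.

```python
"""Decode an AJP13 forward request and list the identity fields it carries."""
import struct

# Optional attribute codes from the AJP13 protocol reference.
STRING_ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
                0x04: "auth_type", 0x05: "query_string", 0x06: "jvm_route",
                0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
                0x0C: "secret", 0x0D: "stored_method"}
REQ_ATTRIBUTE, SSL_KEY_SIZE, ARE_DONE = 0x0A, 0x0B, 0xFF
# Common request headers are sent as two-byte codes 0xA001..0xA00E.
CODED_HEADERS = dict(enumerate(
    ("accept", "accept-charset", "accept-encoding", "accept-language",
     "authorization", "connection", "content-type", "content-length",
     "cookie", "cookie2", "host", "pragma", "referer", "user-agent"),
    start=0xA001))
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
IDENTITY = ("remote_user", "auth_type", "ssl_cert")


class Reader:
    """Cursor over an AJP message; every read is bounds-checked."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated AJP message")
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        n = self.u16()
        if n == 0xFFFF:                      # null string, nothing follows
            return None
        text = self.take(n).decode("latin-1")
        if self.take(1) != b"\x00":
            raise ValueError("AJP string is not NUL-terminated")
        return text


def parse_forward_request(packet):
    r = Reader(packet)
    if r.take(2) != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP13 packet")
    if r.u16() != len(packet) - 4:
        raise ValueError("length field does not match packet size")
    if r.u8() != 0x02:
        raise ValueError("not a forward request")
    req = {"method": METHODS.get(r.u8(), "?")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"], req["is_ssl"] = r.u16(), bool(r.u8())
    req["headers"], req["attributes"], req["req_attributes"] = {}, {}, {}
    for _ in range(r.u16()):
        code = r.u16()
        if (code & 0xFF00) == 0xA000:        # coded header name
            name = CODED_HEADERS.get(code, "coded-0x%04x" % code)
        else:                                # it was a string length: re-read
            r.pos -= 2
            name = (r.string() or "").lower()
        req["headers"][name] = r.string()
    while True:
        code = r.u8()
        if code == ARE_DONE:
            return req
        if code == REQ_ATTRIBUTE:            # name/value pair, e.g. from JkEnvVar
            name = r.string()
            req["req_attributes"][name] = r.string()
        elif code == SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.u16()
        elif code in STRING_ATTRS:
            req["attributes"][STRING_ATTRS[code]] = r.string()
        else:
            raise ValueError("unknown attribute code 0x%02x" % code)


def missing_identity(req):
    """Identity attributes the servlet container will not receive."""
    return [name for name in IDENTITY if not req["attributes"].get(name)]


def ajp_string(value):
    if value is None:
        return b"\xff\xff"
    raw = value.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(uri, attrs, req_attrs):
    """Constructed test input: a GET over TLS with two headers."""
    body = b"\x02\x02" + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("192.0.2.10") + ajp_string(None) + ajp_string("repo.example.test")
    body += struct.pack(">HBH", 443, 1, 2)                    # port, is_ssl, header count
    body += b"\xa0\x0b" + ajp_string("repo.example.test")     # coded Host header
    body += ajp_string("Accept-Language") + ajp_string("hu")  # header sent by name
    for code, value in attrs:
        body += bytes([code]) + ajp_string(value)
    for name, value in req_attrs.items():
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + bytes([ARE_DONE])


# Constructed packets: one without identity attributes, one carrying them.
UNAUTHENTICATED = build_forward_request("/servlet/servlet", [], {"HELLO": "Szia"})
AUTHENTICATED = build_forward_request(
    "/servlet/servlet",
    [(0x03, "constructed-user"), (0x04, "Basic"), (0x07, "CONSTRUCTED-PEM-PLACEHOLDER")],
    {"HELLO": "Szia"})

if __name__ == "__main__":
    for label, packet in (("no identity", UNAUTHENTICATED), ("identity", AUTHENTICATED)):
        parsed = parse_forward_request(packet)
        print(label, parsed["uri"], "missing:", missing_identity(parsed))
```
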
Changed authentication to basic, in order to make sure that it is not a problem caused by auth_oidc module. The same problem still exists. If I browse the servlet in the /servlet path in a freshly started browser, neither certificate nor username/password is asked. If I browse the cgi, then both certificate and username/password are asked in a freshly started browser. It seems like JkMount makes some other directives moot.
This is a question for the Tomcat users mailing list, not for Bugzilla. Please move this conversation to the users list.

Also: https://markmail.org/message/ri3w5w444ynwsatt
How it is not a bug when a piece of software does not work as documented?
The cause is found to be the fact that if you have a JkMount in a Location (or perhaps also a Directory) directive, all other authentication and authorization (or even all other?) directives are ineffective.

If you document this fact, and the workaround (have a different LocationMatch directive for the same tree with the other directives), you can call it a feature. But not before, IMHO.

An example working configuration for the servlet located at /servlet:

<Location "/servlet*">
    JkMount worker1
    AuthType openid-connect
    SSLVerifyClient require
    SSLOptions +StdEnvVars
    SSLOptions +ExportCertData
    Require valid-user
</Location>
<LocationMatch /servlet.*>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    LogLevel debug
    Require valid-user
    SSLOptions +StdEnvVars
    SSLOptions +ExportCertData
    SSLVerifyClient require
</LocationMatch>
Oops, tested the non-redundant version, but forgot to update it here.

<Location "/servlet*">
    JkMount worker1
</Location>
<LocationMatch /servlet.*>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    LogLevel debug
    Require valid-user
    SSLOptions +StdEnvVars
    SSLOptions +ExportCertData
    SSLVerifyClient require
</LocationMatch>
(In reply to Arpad Magosanyi from comment #3)
> How it is not a bug when a piece of software does not work as documented?

This is not a bug because the software is working as documented. This is not a bug because the root cause is a configuration error.

The short version is that <Location "/servlet*" > doesn't do what you think it does. I'll add the full explanation to the users list thread:
https://tomcat.markmail.org/thread/iax6picwsjlhbohd
Well, the fact that other directives are ineffective when we use JkMount in a Location could be the way it is intended to work, but I believe I am not the only one expecting that once I write down a directive I either get a prominent warning, or the directive actually works. This is not the case, hence I consider this as a bug. I propose to update the documentation of the JkMount directive to provide a warning about that. That would have saved some 10 hours of work for me, and most probably will save hundreds of hours for a set of other users. A good return for that 5 minutes of work. And anyway, this will be less effort than always reclose this issue and answer my concerns :) And thank you for your help in the mailing list, and this excellent piece of code!
(In reply to Arpad Magosanyi from comment #7)
> Well, the fact that other directives are ineffective when we use JkMount in
> a Location could be the way it is intended to work,

The above statement is not correct. The presence of JkMount has no impact on how the other directives are processed.

> but I believe I am not
> the only one expecting that once I write down a directive I either get a
> prominent warning, or the directive actually works. This is not the case,
> hence I consider this as a bug.

Again, there is no bug here. Your expectation for how <Location "/servlet*"> works is incorrect. As per the Location docs, the "*" wildcard does NOT include the "/" character (whereas it does for JkMount).

> I propose to update the documentation of the JkMount directive to provide a
> warning about that. That would have saved some 10 hours of work for me, and
> most probably will save hundreds of hours for a set of other users. A good
> return for that 5 minutes of work.

What update do you propose to the documentation? Note that the JkMount documentation already includes a warning that using it within a Location block is typically not the correct thing to do (because of the different ways Location and JkMount perform URL mapping).

I'm switching this to an enhancement request for the docs.

> And anyway, this will be less effort than always reclose this issue and
> answer my concerns :)

That could easily be read as a threat to make a nuisance of yourself by continually re-opening this issue if you disagree with the resolution. The Tomcat community will not tolerate such behaviour and will disable any Bugzilla account responsible for such behaviour.

> And thank you for your help in the mailing list, and this excellent piece of
> code!

You're welcome for the help but I can't claim the credit for the code. Other community members before me put in the work to create and develop mod_jk.
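
The wildcard difference described in the last comment above, as an added example (not code from httpd, mod_jk or any participant in this thread): a simplified Python model of the two matchers that lists URIs mod_jk forwards to Tomcat while the section holding the auth directives does not apply. The patterns are the ones quoted in the thread; the probe URIs and function names are constructed for illustration, and bracket expressions in Location patterns are not modelled.

```python
"""Compare httpd <Location> matching with mod_jk JkMount matching for one pattern."""
import re


def _wildcard_regex(pattern, any_char):
    """Translate * and ? to a regex; any_char is what a single wildcard position may match."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(any_char + "*")
        elif ch == "?":
            parts.append(any_char)
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def location_matches(pattern, uri):
    """<Location>: wildcards never cross '/'; a plain path matches as a segment prefix."""
    if "*" in pattern or "?" in pattern:
        return _wildcard_regex(pattern, "[^/]").fullmatch(uri) is not None
    return uri == pattern or uri.startswith(pattern.rstrip("/") + "/")


def location_match_matches(regex, uri):
    """<LocationMatch>: a regular expression searched anywhere in the URI."""
    return re.search(regex, uri) is not None


def jkmount_matches(pattern, uri):
    """JkMount: '*' also matches '/', which is why /servlet/servlet is forwarded."""
    return _wildcard_regex(pattern, ".").fullmatch(uri) is not None


MATCHERS = {"Location": location_matches, "LocationMatch": location_match_matches}


def forwarded_without_auth(auth_sections, jk_mounts, uris):
    """Return the URIs mod_jk forwards that no auth-bearing section applies to."""
    exposed = []
    for uri in uris:
        forwarded = any(jkmount_matches(p, uri) for p in jk_mounts)
        covered = any(MATCHERS[kind](p, uri) for kind, p in auth_sections)
        if forwarded and not covered:
            exposed.append(uri)
    return exposed


# Constructed probe URIs; only the listed sections are assumed to carry auth directives.
PROBES = ["/servlet", "/servletX", "/servlet/servlet", "/servlet/a/b", "/favicon.ico"]
JK_MOUNTS = ["/servlet*"]                       # from JkMount inside <Location "/servlet*">
REPORTED = [("Location", "/servlet*")]          # auth directives as first configured
WORKAROUND = [("LocationMatch", "/servlet.*")]  # auth directives moved to <LocationMatch>

if __name__ == "__main__":
    print("reported config exposes:", forwarded_without_auth(REPORTED, JK_MOUNTS, PROBES))
    print("workaround exposes:", forwarded_without_auth(WORKAROUND, JK_MOUNTS, PROBES))
```
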