63808 – the fact that JkMount makes other directives ineffective is undocumented

Bug 63808 - the fact that JkMount makes other directives ineffective is undocumented

Summary: the fact that JkMount makes other directives ineffective is undocumented

Status:	NEEDINFO

Alias:	None

Product:	Tomcat Connectors
Classification:	Unclassified
Component:	Documentation (show other bugs)
Version:	1.2.43
Hardware:	PC Linux

Importance:	P2 enhancement (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-10-05 17:52 UTC by Arpad Magosanyi
Modified:	2022-07-11 19:15 UTC (History)
CC List:	1 user (show)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arpad Magosanyi 2019-10-05 17:52:10 UTC

I intend to use the user and certificate info in a Filter.
I think I have configured everything to do that, but the information does not get passed along. Based on various documentations and howtos, SSLVerifyClient require, SSLOptions +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On should be enough to pass certificate data, and Require valid-user should be enough to pass the authenticated username.
I see the following debug output (also contains the various info logged by the filter), which clearly lacks the information needed.
I have a cgi in the cgi-bin directory, which prints out the environment, and I see both REMOTE_USER and all relevant certificate related information there.

debug log:
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.554 2019] [7885:139750518257408] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/servlet/servlet' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (993): Found a wildchar match '/servlet*=worker1'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2823): Into handler jakarta-servlet worker=worker1 r->proxyreq=0
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] wc_get_worker_for_name::jk_worker.c (120): found a worker worker1
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] wc_get_name_for_type::jk_worker.c (304): Found worker type 'ajp13'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] init_ws_service::mod_jk.c (1196): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=94.62.142.229 name=repository.kodekonveyor.com port=443 auth=(null) user=(null) laddr=217.61.105.99 raddr=94.62.142.229 uaddr=94.62.142.229 uri=/servlet/servlet
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.558 2019] [7885:139750518257408] [debug] ajp_get_endpoint::jk_ajp_common.c (3356): (worker1) acquired connection pool slot=0 after 0 retries
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_marshal_into_msgb::jk_ajp_common.c (684): (worker1) ajp marshaling done
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_service::jk_ajp_common.c (2591): processing worker1 with 2 retries
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.560 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1722): (worker1) no usable connection found, will create a new one.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (675): socket TCP_NODELAY set to On
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (799): trying to connect socket 24 to ::1:8009
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.565 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (825): socket 24 [:::51520 -> ::a00:c940:0:0:8009] connected
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): sending to ajp13 pos=4 len=620 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0000    12 34 02 68 02 02 00 08 48 54 54 50 2F 31 2E 31  - .4.h....HTTP/1.1
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0010    00 00 10 2F 73 65 72 76 6C 65 74 2F 73 65 72 76  - .../servlet/serv
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0020    6C 65 74 00 00 0D 39 34 2E 36 32 2E 31 34 32 2E  - let...94.62.142.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0030    32 32 39 00 FF FF 00 1B 72 65 70 6F 73 69 74 6F  - 229.....reposito
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0040    72 79 2E 6B 6F 64 65 6B 6F 6E 76 65 79 6F 72 2E  - ry.kodekonveyor.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0050    63 6F 6D 00 01 BB 01 00 09 A0 0B 00 1B 72 65 70  - com..........rep
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0060    6F 73 69 74 6F 72 79 2E 6B 6F 64 65 6B 6F 6E 76  - ository.kodekonv
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0070    65 79 6F 72 2E 63 6F 6D 00 A0 0E 00 4C 4D 6F 7A  - eyor.com....LMoz
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0080    69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55  - illa/5.0.(X11;.U
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0090    62 75 6E 74 75 3B 20 4C 69 6E 75 78 20 78 38 36  - buntu;.Linux.x86
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00a0    5F 36 34 3B 20 72 76 3A 36 39 2E 30 29 20 47 65  - _64;.rv:69.0).Ge
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00b0    63 6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72  - cko/20100101.Fir
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00c0    65 66 6F 78 2F 36 39 2E 30 00 A0 01 00 3F 74 65  - efox/69.0....?te
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00d0    78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 61 74  - xt/html,applicat
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00e0    69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70  - ion/xhtml+xml,ap
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00f0    70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D  - plication/xml;q=
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0100    30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E 38 00 00 0F  - 0.9,*/*;q=0.8...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0110    41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 00  - Accept-Language.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0120    00 17 68 75 2C 65 6E 2D 55 53 3B 71 3D 30 2E 37  - ..hu,en-US;q=0.7
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0130    2C 65 6E 3B 71 3D 30 2E 33 00 00 0F 41 63 63 65  - ,en;q=0.3...Acce
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.568 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0140    70 74 2D 45 6E 63 6F 64 69 6E 67 00 00 11 67 7A  - pt-Encoding...gz
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0150    69 70 2C 20 64 65 66 6C 61 74 65 2C 20 62 72 00  - ip,.deflate,.br.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0160    A0 06 00 0A 6B 65 65 70 2D 61 6C 69 76 65 00 A0  - ....keep-alive..
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0170    09 00 6A 4A 53 45 53 53 49 4F 4E 49 44 3D 35 46  - ..jJSESSIONID=5F
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0180    43 44 31 35 39 34 45 42 35 42 32 41 44 38 39 30  - CD1594EB5B2AD890
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0190    37 44 37 32 42 46 31 39 44 39 39 31 31 30 3B 20  - 7D72BF19D99110;.
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01a0    6D 6F 64 5F 61 75 74 68 5F 6F 70 65 6E 69 64 63  - mod_auth_openidc
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01b0    5F 73 65 73 73 69 6F 6E 3D 30 30 65 35 31 61 66  - _session=00e51af
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01c0    63 2D 35 39 33 65 2D 34 32 33 37 2D 39 37 35 61  - c-593e-4237-975a
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01d0    2D 38 35 30 36 63 30 30 66 61 66 38 65 00 00 19  - -8506c00faf8e...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01e0    55 70 67 72 61 64 65 2D 49 6E 73 65 63 75 72 65  - Upgrade-Insecure
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 01f0    2D 52 65 71 75 65 73 74 73 00 00 01 31 00 A0 08  - -Requests...1...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0200    00 01 30 00 0A 00 0F 41 4A 50 5F 52 45 4D 4F 54  - ..0....AJP_REMOT
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0210    45 5F 50 4F 52 54 00 00 05 34 32 38 36 38 00 0A  - E_PORT...42868..
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0220    00 0E 41 4A 50 5F 4C 4F 43 41 4C 5F 41 44 44 52  - ..AJP_LOCAL_ADDR
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0230    00 00 0D 32 31 37 2E 36 31 2E 31 30 35 2E 39 39  - ...217.61.105.99
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0240    00 0A 00 10 4A 4B 5F 4C 42 5F 41 43 54 49 56 41  - ....JK_LB_ACTIVA
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0250    54 49 4F 4E 00 00 03 41 43 54 00 0A 00 05 48 45  - TION...ACT....HE
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.571 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 0260    4C 4C 4F 00 00 04 53 7A 69 61 00 FF 00 00 00 00  - LLO...Szia......
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.575 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1782): (worker1) request body to send 0 - request body to resend 0
05-Oct-2019 19:46:13.580 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header host:repository.kodekonveyor.com
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header user-agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
05-Oct-2019 19:46:13.585 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
05-Oct-2019 19:46:13.586 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Language:hu,en-US;q=0.7,en;q=0.3
05-Oct-2019 19:46:13.587 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Accept-Encoding:gzip, deflate, br
05-Oct-2019 19:46:13.593 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header connection:keep-alive
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header cookie:JSESSIONID=5FCD1594EB5B2AD8907D72BF19D99110; mod_auth_openidc_session=00e51afc-593e-4237-975a-8506c00faf8e
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header Upgrade-Insecure-Requests:1
05-Oct-2019 19:46:13.594 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log header content-length:0
05-Oct-2019 19:46:13.615 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log session:org.apache.catalina.session.StandardSessionFacade@71e6f5f
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.servlet.context.tempdir=/var/lib/tomcat9/work/Catalina/localhost/servlet
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.resources=org.apache.catalina.webresources.StandardRoot@d61f78d
05-Oct-2019 19:46:13.616 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.InstanceManager=org.apache.catalina.core.DefaultInstanceManager@67361395
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.catalina.jsp_classpath=/var/lib/tomcat9/lib/:/var/lib/tomcat9/lib/realm-0.0.1-feature_toolchain.c76b4af.jar:/usr/share/tomcat9/lib/:/usr/share/java/tomcat9-coyote-9.0.16.jar:/usr/share/java/tomcat9-jdbc-9.0.16.jar:/usr/share/java/tomcat9-catalina-9.0.16.jar:/usr/share/java/tomcat9-servlet-api-9.0.16.jar:/usr/share/java/tomcat9-catalina-ha-9.0.16.jar:/usr/share/java/tomcat9-websocket-api-9.0.16.jar:/usr/share/java/tomcat9-jsp-api-9.0.16.jar:/usr/share/java/tomcat9-el-api-9.0.16.jar:/usr/share/java/tomcat9-jaspic-api-9.0.16.jar:/usr/share/java/tomcat9-util-scan-9.0.16.jar:/usr/share/java/tomcat9-i18n-fr-9.0.16.jar:/usr/share/java/tomcat9-annotations-api-9.0.16.jar:/usr/share/java/tomcat9-jasper-9.0.16.jar:/usr/share/java/tomcat9-jasper-el-9.0.16.jar:/usr/share/java/tomcat9-i18n-ru-9.0.16.jar:/usr/share/java/tomcat9-api-9.0.16.jar:/usr/share/java/tomcat9-util-9.0.16.jar:/usr/share/java/tomcat9-dbcp-9.0.16.jar:/usr/share/java/tomcat9-storeconfig-9.0.16.jar:/usr/share/java/tomcat9-catalina-ant-9.0.16.jar:/usr/share/java/tomcat9-i18n-es-9.0.16.jar:/usr/share/java/tomcat9-jni-9.0.16.jar:/usr/share/java/tomcat9-tribes-9.0.16.jar:/usr/share/java/tomcat9-websocket-9.0.16.jar:/usr/share/java/tomcat9-i18n-ja-9.0.16.jar:/usr/share/tomcat9/bin/bootstrap.jar:/usr/share/tomcat9/bin/tomcat-juli.jar
05-Oct-2019 19:46:13.617 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr javax.websocket.server.ServerContainer=org.apache.tomcat.websocket.server.WsServerContainer@4c5e5f6a
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.jasper.compiler.TldCache=org.apache.jasper.compiler.TldCache@69db0ce8
05-Oct-2019 19:46:13.618 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log context attr org.apache.tomcat.JarScanner=org.apache.tomcat.util.scan.StandardJarScanner@6b8453c1
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log user:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log cert:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log authType:null
05-Oct-2019 19:46:13.619 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getContextPath:/servlet
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getProtocol:HTTP/1.1
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:94.62.142.229
05-Oct-2019 19:46:13.620 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServerInfo:Apache Tomcat/9.0.16 (Ubuntu)
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getServletContextName:null
05-Oct-2019 19:46:13.621 INFO [ajp-nio-8009-exec-8] org.apache.catalina.core.ApplicationContext.log getRemoteHost:/servlet/servlet
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=99 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    04 00 C8 00 03 32 30 30 00 00 02 A0 07 00 4C 4A  - .....200......LJ
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0010    53 45 53 53 49 4F 4E 49 44 3D 35 43 31 42 39 38  - SESSIONID=5C1B98
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0020    39 44 33 41 35 33 38 41 45 39 30 33 43 45 32 39  - 9D3A538AE903CE29
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0030    31 36 43 34 46 43 41 44 44 41 3B 20 50 61 74 68  - 16C4FCADDA;.Path
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0040    3D 2F 73 65 72 76 6C 65 74 3B 20 53 65 63 75 72  - =/servlet;.Secur
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0050    65 3B 20 48 74 74 70 4F 6E 6C 79 00 A0 03 00 02  - e;.HttpOnly.....
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0060    34 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - 42..............
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (739): (worker1) status = 200
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (746): Number of headers is = 2
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[0] [Set-Cookie] = [JSESSIONID=5C1B989D3A538AE903CE2916C4FCADDA; Path=/servlet; Secure; HttpOnly]
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.622 2019] [7885:139750518257408] [debug] ajp_unmarshal_response::jk_ajp_common.c (802): (worker1) Header[1] [Content-Length] = [42]
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=46 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    03 00 2A 53 65 72 76 65 64 20 61 74 3A 20 2F 73  - ..*Served.at:./s
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0010    65 72 76 6C 65 74 0A 48 65 6C 6C 6F 2C 20 66 72  - ervlet.Hello,.fr
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0020    6F 6D 20 61 20 53 65 72 76 6C 65 74 21 00 00 00  - om.a.Servlet!...
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.629 2019] [7885:139750518257408] [debug] ws_write::mod_jk.c (552): written 42 out of 42
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): received from ajp13 pos=0 len=2 max=8192
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1462): 0000    05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  - ................
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_process_callback::jk_ajp_common.c (2135): (worker1) AJP13 protocol: Reuse is OK
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_reset_endpoint::jk_ajp_common.c (851): (worker1) resetting endpoint with socket 24
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] ajp_done::jk_ajp_common.c (3287): recycling connection pool for worker worker1 and socket 24
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.630 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2979): Service finished with status=200 for worker=worker1
Oct  5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /servlet/servlet HTTP/1.1" 200 3605 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_translate::mod_jk.c (3977): no match for /favicon.ico found
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/favicon.ico' from 1 maps
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount'
Oct  5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.735 2019] [7885:139750543435520] [debug] jk_map_to_storage::mod_jk.c (4052): no match for /favicon.ico found
Oct  5 19:46:13 s_src@repo apache[7879]: repository.kodekonveyor.com:443 94.62.142.229 - - [05/Oct/2019:19:46:13 +0200] "GET /favicon.ico HTTP/1.1" 302 1699 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.046 2019] [7886:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] jk_watchdog_func::mod_jk.c (3425): Watchdog thread running
Oct  5 19:46:16 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:16.047 2019] [7885:139750673094400] [debug] wc_maintain::jk_worker.c (353): Maintaining worker worker1



Relevant apache config:

    JkWorkersFile /etc/libapache2-mod-jk/workers.properties

    JkLogFile "||/usr/bin/logger -t apache-jk -i -p local5.notice"

    JkLogLevel debug

    JkShmFile /var/log/apache2/jk-runtime-status

    JkWatchdogInterval 60

DocumentRoot /var/www/repo

OIDCProviderMetadataURL https://kode-konveyor.eu.auth0.com/.well-known/openid-configuration
OIDCClientID <correct client id>
OIDCClientSecret '<working client secret>'

OIDCScope "openid name email"
OIDCRedirectURI https://repository.kodekonveyor.com/auth
OIDCCryptoPassphrase <a pass phrase>

DBDriver pgsql
DBDParams "dbname=users user=repo host=infra.kodekonveyor.com"

DBDMin  4
DBDKeep 8
DBDMax  20
DBDExptime 300

#JkMount /manager* worker1


IncludeOptional /etc/repo/apache-directories/*.conf
JkEnvVar SSL_CLIENT_S_DN
JkEnvVar HELLO "Szia"
JkExtractSSL On

ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
        AuthType openid-connect
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require valid-user
</Directory>

SSLCACertificateFile "/keys/repo/ca.crt"
<Location "/servlet*">
        JkMount  worker1
        AuthType openid-connect
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        #Require valid-user
        Require dbd-group foobar
        AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
</Location>
<Directory /var/www/repo/auth>
        DirectoryIndex off
        RewriteEngine Off
        AuthType openid-connect
        AllowOverride None
        AuthzDBDQuery "select r.rolename as group from roles r, users u, users_roles map where r.id=map.role and u.id=map.userid and u.auth0id=%s"
        Require dbd-group allrepo
        Require dbd-group business
</Directory>
<Directory /var/www/repo>
        DirectoryIndex off
        RewriteEngine Off
        AllowOverride None
        AuthType openid-connect
        Require valid-user
</Directory>


/etc/libapache2-mod-jk/workers.properties:
# Define 1 real worker using ajp13 
worker.list=worker1 
# Set properties for worker (ajp13) 
worker.worker1.type=ajp13 
worker.worker1.host=localhost
worker.worker1.port=8009

Comment 1 Arpad Magosanyi 2019-10-05 18:29:25 UTC

Changed authentication to basic, in order to make sure that it is not a problem caused by auth_oidc module. The same problem still exists.
If I browse the servlet in the /servlet path in a freshly started browser, neither certificate nor username/password is asked.
If I browse the cgi, then both certificate and username/password are asked in a freshly started browser.
It seems like JkMount makes some other directives moot.

Comment 2 Christopher Schultz 2019-10-07 13:42:45 UTC

This is a question for the Tomcat users mailing list, but for Bugzilla. Please move this conversation to the users list. Also: https://markmail.org/message/ri3w5w444ynwsatt

Comment 3 Arpad Magosanyi 2019-10-07 14:39:09 UTC

How it is not a bug when a piece of software does not work as documented?

Comment 4 Arpad Magosanyi 2019-10-08 06:58:06 UTC

The cause is found to be the fact that if you have a JkMount in a Location (or perhaps also a Directory) directive, all other autorization and authorization (or even all other?) directives are ineffective.
If you document this fact, and the workaround (have a different LocationMatch directive for the same tree with the other directives), you can call it a feature.
But not before, IMHO.
An example working configuration for the servlet located at /servlet:

<Location "/servlet*">
        JkMount  worker1
        AuthType openid-connect
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        Require valid-user
</Location>
<LocationMatch /servlet.*>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    LogLevel debug
    Require valid-user
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        SSLVerifyClient require
</LocationMatch>

Comment 5 Arpad Magosanyi 2019-10-08 07:00:29 UTC

Upps, tested the nonredundant version, but forget to update it here.

<Location "/servlet*">
        JkMount  worker1
</Location>
<LocationMatch /servlet.*>
    DirectoryIndex off
    RewriteEngine Off
    AuthType openid-connect
    AllowOverride None
    LogLevel debug
    Require valid-user
        SSLOptions +StdEnvVars
        SSLOptions +ExportCertData
        SSLVerifyClient require
</LocationMatch>

Comment 6 Mark Thomas 2019-10-08 10:20:56 UTC

(In reply to Arpad Magosanyi from comment #3)
> How it is not a bug when a piece of software does not work as documented?

This is not a bug because the software is working as documented.

This is not a bug because the root cause configuration error.

The short version is that <Location "/servlet*" > doesn't do what you think it does. I'll add the full explanation to the users list thread:
https://tomcat.markmail.org/thread/iax6picwsjlhbohd

Comment 7 Arpad Magosanyi 2019-10-08 11:24:04 UTC

Well, the fact that other directives are ineffective when we use JkMount in a Location could be the way it is intended to work, but I believe I am not the only one expecting that once I write down a directive I either get a prominent warning, or the directive actually works. This is not the case, hence I consider this as a bug.

I propose to update the documentation of the JkMount directive to provide a warning about that. That would have saved some 10 hours of work for me, and most probably will save hundreds of hours for a set of other users. A good return for that 5 minutes of work.

And anyway, this will be less effort than always reclose this issue and answer my concerns :)

And thank you for your help in the mailing list, and this excellent piece of code!

Comment 8 Mark Thomas 2019-10-08 11:51:37 UTC

(In reply to Arpad Magosanyi from comment #7)
> Well, the fact that other directives are ineffective when we use JkMount in
> a Location could be the way it is intended to work,

The above statement is not correct. The presence of JkMount has no impact on how the other directives are processed.

> but I believe I am not
> the only one expecting that once I write down a directive I either get a
> prominent warning, or the directive actually works. This is not the case,
> hence I consider this as a bug.

Again, there is no bug here. Your expectation for how <Location "/servlet*"> works is incorrect. As per the Location docs, the "*" wildcard does NOT include the "/" character (whereas it does for JkMount).

> I propose to update the documentation of the JkMount directive to provide a
> warning about that. That would have saved some 10 hours of work for me, and
> most probably will save hundreds of hours for a set of other users. A good
> return for that 5 minutes of work.

What update do you propose to the documentation? Note that the JkMount documentation already includes a warning that using it within a Location block is typically not the correct thing to do (because of the different ways Location and JkMount perform URL mapping).

I'm switching this to an enhancement request for the docs.

> And anyway, this will be less effort than always reclose this issue and
> answer my concerns :)

That could easily be read as a threat to make a nuisance of yourself by continually re-opening this issue if you disagree with the resolution. The Tomcat community will not tolerate such behaviour and will disable any Bugzilla account responsible for such behaviour.

> And thank you for your help in the mailing list, and this excellent piece of
> code!

You're welcome for the help but I can't claim the credit for the code. Other community members before me put in the work to create and develop mod_jk.