Hello,
We have configured Apache HTTPD server with auth_kerb and mod_proxy_ajp with the intention of doing SSO with Kerberos and getting signed in to hpfind automatically. All seems to work well until Apache sends tomcat-embed its very large auth header and then it all falls apart. First we get this:
[Mon Aug 21 16:01:10 2017] [info] [client 10.4.90.77] Request header exceeds LimitRequestFieldSize: Authorization
[Mon Aug 21 16:01:10 2017] [error] [client 10.4.90.77] request failed: error reading the headers
Google tells me that I need to set this in my httpd.conf:
LimitRequestFieldSize 65536
ProxyIOBufferSize 65536
I do that, my debug looks better but still fails with a 400 error:
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(224): Into ajp_marshal_into_msgb
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[0] [Accept] = [text/html, application/xhtml+xml, /]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[1] [Accept-Language] = [en-US]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[2] [User-Agent] = [Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[3] [Accept-Encoding] = [gzip, deflate]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[4] [Host] = [myserver]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[5] [Connection] = [Keep-Alive]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[6] [Authorization] = [Negotiate [YIIcPQYGKw ... 4KqrZwr] (yuge packet - 8K+ bytes)
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[7] [Cookie] = [_ga=GA1.2.1840260218.15032XXXXX; JSESSIONID=BB80986D9D1F8ED68XXXXXXXXXXXX 2AE]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(290): ajp_marshal_into_msgb: Header[8] [X-Forwarded-User] = [JIM]
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(450): ajp_marshal_into_msgb: Done
[Tue Aug 22 10:31:50 2017] [debug] mod_proxy_ajp.c(269): proxy: APR_BUCKET_IS_EOS
[Tue Aug 22 10:31:50 2017] [debug] mod_proxy_ajp.c(274): proxy: data to read (max 65530 at 4)
[Tue Aug 22 10:31:50 2017] [debug] mod_proxy_ajp.c(289): proxy: got 0 bytes of data
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 04
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(697): ajp_parse_type: got 04
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(516): ajp_unmarshal_response: status = 400
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(537): ajp_unmarshal_response: Number of headers is = 0
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(687): ajp_read_header: ajp_ilink_received 05
[Tue Aug 22 10:31:50 2017] [debug] ajp_header.c(697): ajp_parse_type: got 05
[Tue Aug 22 10:31:50 2017] [debug] mod_proxy_ajp.c(616): proxy: got response from 10.10.190.220:8009 (myserver)
[Tue Aug 22 10:31:50 2017] [debug] proxy_util.c(2120): proxy: AJP: has released connection for (myserver)
And on tomcat-embed I see this:
2017-08-22 10:31:50.457 ERROR 27853 --- [nio-8009-exec-3] org.apache.coyote.ajp.AjpMessage : Invalid message received with signature 514
Google tells me this:
"This may also happen when buffer sizes are not same at both ends: logs mention invalid AJP message and browser receive 400 error code."
And you should resolve it by adding packetSize to your Tomcat AJP stanza like this:
<Connector protocol="AJP/1.3" port="8009" connectionTimeout="20000" packetSize="65536" proxyName="yourproxy.domain.ltd" proxyPort="80" />
I've spent a lot of time looking through the code and I don't see any support for packetSize. I contacted the Tomcat mailing list and they told me that the Spring Boot app developer needs to add support to their embed code to make any type of tomcat-embed property change like that effective.
So that's why I'm opening this issue, I would like to be able to adjust packetSize in the AJP Connector so that tomcat-embed can accept a larger than 8K packet that contains a lot of info including Kerberos related auth data.
Or perhaps I missed some vital code somewhere and it is supported? Does anyone have the correct syntax or know how I would set this without a lot of effort on behalf of a developer?
Here are the hpfind startup options I'm using in case someone is curious:
-Dserver.reverseProxy=true -Dflyway.enabled=false -Dhp.find.home=/app/find -Dserver.ajp.port=8009
Thanks!
Jim
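For anyone landing here with the same problem, here is the kind of embed-side code the Tomcat list was referring to. This is an added illustration, not hpfind's code and not a patch the project has accepted. It assumes a Spring Boot 2.x application (the `WebServerFactoryCustomizer` / `TomcatServletWebServerFactory` API; on Boot 1.x the equivalent is an `EmbeddedServletContainerCustomizer` calling `addAdditionalTomcatConnectors` on `TomcatEmbeddedServletContainerFactory`). The class name and the `server.ajp.*` property names other than `server.ajp.port` are made up for the example.

```java
import java.util.Objects;

import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Hypothetical configuration class: adds an AJP/1.3 connector to embedded Tomcat
 * with a configurable packetSize, so large Negotiate (Kerberos) Authorization
 * headers forwarded by mod_proxy_ajp fit in one AJP packet.
 */
@Configuration
public class AjpConnectorConfig {

    // server.ajp.port is the option hpfind already exposes; the others are example names.
    @Value("${server.ajp.port:8009}")
    private int ajpPort;

    // Must equal ProxyIOBufferSize on the Apache side. AJP defaults to 8192;
    // 65536 is the maximum the protocol (and Tomcat) accepts.
    @Value("${server.ajp.packetSize:65536}")
    private int ajpPacketSize;

    // Bind AJP only to the interface the reverse proxy uses. AJP carries
    // proxy-supplied request metadata that the app trusts, so it should not
    // be reachable from arbitrary hosts.
    @Value("${server.ajp.address:127.0.0.1}")
    private String ajpAddress;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpConnectorCustomizer() {
        return factory -> {
            Connector ajp = new Connector("AJP/1.3");
            ajp.setPort(ajpPort);
            ajp.setScheme("http");
            ajp.setSecure(false);

            // Connector.setProperty forwards names it does not know itself to the
            // protocol handler (AbstractAjpProtocol here, which has setPacketSize and
            // setAddress). It returns false if the property could not be applied, so
            // fail fast instead of silently running with the 8K default.
            requireApplied(ajp, "packetSize", Integer.toString(ajpPacketSize));
            requireApplied(ajp, "address", Objects.requireNonNull(ajpAddress));

            factory.addAdditionalTomcatConnectors(ajp);
        };
    }

    private static void requireApplied(Connector connector, String name, String value) {
        if (!connector.setProperty(name, value)) {
            throw new IllegalStateException(
                    "Tomcat AJP connector rejected property " + name + "=" + value);
        }
    }
}
```

With this in place the app would be started with something like `-Dserver.ajp.port=8009 -Dserver.ajp.packetSize=65536` next to the existing options, and `packetSize` must match Apache's `ProxyIOBufferSize` (65536 above) or the connector will keep logging "Invalid message received" and returning 400. Two caveats: Tomcat enforces 8192 to 65536 for `packetSize`, and on Tomcat 8.5.51 / 9.0.31 and later the AJP connector also requires a shared `secret` (or `secretRequired="false"`) before it will start, with the same secret configured on the Apache `ProxyPass` line.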