
List:       apache-httpd-users
Subject:    [users@httpd] Credentials not cached for child calls from parent page where they worked
From:       "John Adamski (Work Account)" <adamski () graceland ! edu>
Date:       2020-08-10 13:57:32
Message-ID: SN6PR1901MB21754CB656F7CF9B25414919AD440 () SN6PR1901MB2175 ! namprd19 ! prod ! outlook ! com

cat SuSE-release
SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 4

Prior Installs:
Openssl 1.0.1 Apache 2.2, perl 520

Current installs: 
OpenSSL 1.1.1g
OpenLdap (slapd) 2.4.47
Server version: Apache/2.4.41 (Unix)
perl 5, version 30, subversion 0 (v5.30.0) built for x86_64-linux-thread-multi

We recently upgraded our open source products on our ERP Linux server and we are having a problem with child tasks that require authentication.

It is a bit hard to describe, but I am going to try. We have a student portal running on a Windows 2012r2 server that brings up web pages hosted by the ERP server, which is a SUSE enterprise server. Nothing changed on the Windows server; we just upgraded the open source products used on the ERP server.

Prior to the upgrade a person would go to a page on the student portal and authenticate, then click on a tab or link to get information that is on the ERP server. This would cause the ERP Apache page to display and somehow the credentials would be passed from the Windows side to the Apache side. Then if the student clicked on a link within the Apache page it would again pass along the credentials to this new child page.

Since the upgrade on the ERP side the initial Apache page works and credentials are passed. However, when the link is clicked we get an unauthorized error on the Windows server side and the following on the Apache side. Not sure why it is showing in the sslerror_log.


[Fri Aug 07 14:25:11.946586 2020] [ssl:info] [pid 2433] [client 10.125.10.154:60012] AH01964: Connection to child 0 established (server echo.graceland.edu:443)
[Fri Aug 07 14:25:11.946972 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2351): [client 10.125.10.154:60012] AH02043: SSL virtual host for servername echo.graceland.edu found
[Fri Aug 07 14:25:11.947006 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2351): [client 10.125.10.154:60012] AH02043: SSL virtual host for servername echo.graceland.edu found
[Fri Aug 07 14:25:11.947023 2020] [core:debug] [pid 2433] protocol.c(2316): [client 10.125.10.154:60012] AH03155: select protocol from , choices=h2,http/1.1 for server echo.graceland.edu
[Fri Aug 07 14:25:11.960121 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x37 -> subcache 23)
[Fri Aug 07 14:25:11.960154 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Fri Aug 07 14:25:11.960161 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/219
[Fri Aug 07 14:25:11.960168 2020] [socache_shmcb:debug] [pid 2433] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Aug 07 14:25:11.960181 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(2236): [client 10.125.10.154:60012] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Aug 07 14:25:11.961177 2020] [ssl:debug] [pid 2433] ssl_engine_kernel.c(383): [client 10.125.10.154:60012] AH02034: Initial (No.1) HTTPS request received for child 0 (server echo.graceland.edu:443), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961285 2020] [authz_core:debug] [pid 2433] mod_authz_core.c(820): [client 10.125.10.154:60012] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961294 2020] [authz_core:debug] [pid 2433] mod_authz_core.c(820): [client 10.125.10.154:60012] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://argh2.graceland.edu/ics/Portlets/CRM/CXWebLinks/Portlet.CXFacultyAdvisor/CXFacultyAdvisorPage.aspx?DestURL=https://echo.graceland.edu/cgi-bin/faculty/stuadv/main.cgi
[Fri Aug 07 14:25:11.961325 2020] [headers:debug] [pid 2433] mod_headers.c(900): AH01503: headers: ap_headers_error_filter()
[Fri Aug 07 14:25:26.963105 2020] [ssl:debug] [pid 2433] ssl_engine_io.c(1106): [client 10.125.10.154:60012] AH02001: Connection closed to child 0 with standard shutdown (server echo.graceland.edu:443)


We are not sure what config file and what in that config file needs to change to get this working again.

We tried adding coding for cache based on this: http://httpd.apache.org/docs/current/mod/mod_authn_socache.html


AuthnCacheSOCache dbm

<Directory /opt/apache2/carsi-live/share/cgi-bin/faculty>
AllowOverride None
Options None
AuthType Basic
AuthBasicProvider socache dbm
#AuthBasicProvider dbm
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
AuthnCacheProvideFor dbd
AuthName "Faculty Access"
AuthDBMType GDBM
AuthDBMUserFile /opt/apache2/carsi-live/var/authdb/faculty
Require valid-user
</Directory>

We added these lines:
AuthnCacheSOCache dbm
AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
AuthnCacheProvideFor dbd

and changed AuthBasicProvider dbm to include socache.

That didn't seem to help.

I thought we were using authn_ but the error talks about authz, which I thought already did the caching of credentials.

Any suggestions????????  

John David Adamski, Sr. Sysadmin/DBA
Graceland University, 1 University Place, Lamoni, IA 50140
adamski@graceland.edu
641-784-5267
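
Added example (not part of the original message, and not taken from the httpd documentation): the posted <Directory> block with the mod_authn_socache directives made consistent with the dbm provider it actually uses. mod_authn_socache caches the results of backend credential lookups on the server, so AuthnCacheProvideFor has to name the provider that sits behind socache in AuthBasicProvider; the AuthnCacheTimeout value is an assumed setting.

```apache
# Server level (outside any <Directory>): pick the shared object cache backend.
# mod_authn_socache and the matching mod_socache_dbm module must be loaded.
AuthnCacheSOCache dbm

<Directory /opt/apache2/carsi-live/share/cgi-bin/faculty>
    AllowOverride None
    Options None
    AuthType Basic
    AuthName "Faculty Access"

    # socache is consulted first; on a cache miss the dbm provider does the lookup.
    AuthBasicProvider socache dbm
    AuthDBMType GDBM
    AuthDBMUserFile /opt/apache2/carsi-live/var/authdb/faculty

    # Cache lookups made by the provider that is really configured (dbm).
    # The posted block names dbd here, which is not listed in AuthBasicProvider.
    AuthnCacheProvideFor dbm

    # Assumed value: keep a cached credential for 300 seconds.
    AuthnCacheTimeout 300

    # AuthDBDUserPWQuery is left out: it is a mod_authn_dbd directive and is
    # only consulted when dbd is one of the listed providers.

    Require valid-user
</Directory>
```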


