Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/02/22 07:41:00 UTC

[Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat

https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Rainer Jung <ra...@kippdata.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #19 from Rainer Jung <ra...@kippdata.de> ---
It would be useful to backport this feature to 2.4.x.
The newest Tomcat releases hardened the AJP connector by demanding a "secret"
by default, so they are no longer compatible with mod_proxy_ajp out-of-the-box.
One has to explicitly set secretRequired="false" on the TC AJP connector to be
able to use it with mod_proxy_ajp (and thereby increase attack surface).

r1738878 plus small struct layout adjustments for compatibility should do it.

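Added example, not part of the bug comment or of either project's shipped configuration: the Tomcat AJP connector with the secretRequired="false" workaround next to the form that keeps the secret check, plus the matching mod_proxy_ajp worker line. It assumes an httpd build that includes the worker secret feature this bug tracks; the port, address, /app path and secret value are constructed placeholders.

```xml
<!-- Tomcat conf/server.xml, AJP connector (constructed example) -->

<!-- Weak: the workaround described in the comment. The connector accepts AJP
     requests from any peer that can reach the port, with no shared secret.
<Connector protocol="AJP/1.3" port="8009" secretRequired="false" />
-->

<!-- Hardened: keep the secret requirement and bind to loopback so that only
     the local httpd can reach the connector. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="CHANGE_ME_PLACEHOLDER_SECRET" />

<!-- Matching httpd side: the mod_proxy_ajp worker parameter "secret" must
     carry the same value, otherwise Tomcat rejects the forwarded request.

     ProxyPass "/app" "ajp://127.0.0.1:8009/app" secret=CHANGE_ME_PLACEHOLDER_SECRET
-->
```

Both server.xml and the httpd configuration then hold the shared secret, so read access to both files should be restricted to the service accounts.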