Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/04 18:45:59 UTC
[tomcat] 05/05: Add security information for the AJP Connector.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:18:04 2020 +0000
Add security information for the AJP Connector.
---
webapps/docs/config/ajp.xml | 10 +++++++++-
webapps/docs/security-howto.xml | 8 ++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 69348a1..dbecf7a 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -44,6 +44,13 @@
contained in the web application, and/or utilize Apache's SSL
processing.</p>
+ <p>Use of the AJP protocol requires additional security considerations because
+ it allows greater direct manipulation of Tomcat's internal data structures
+ than the HTTP connectors. Particular attention should be paid to the values
+ used for the <code>address</code>, <code>secret</code>,
+ <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code>
+ attributes.</p>
+
<p>This connector supports load balancing when used in conjunction with
the <code>jvmRoute</code> attribute of the
<a href="engine.html">Engine</a>.</p>
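Review bot: The new paragraph lists <code>address</code>, <code>secret</code>, <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code> as needing "particular attention" but gives no hint of what a safe setting looks like; consider adding one sentence pointing readers to the attribute definitions further down this page, or stating briefly that <code>secretRequired</code> should keep its default of <code>true</code> with a <code>secret</code> configured and that <code>address</code> should restrict the interfaces the connector listens on, so the warning is actionable rather than only a list of names.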
@@ -459,7 +466,8 @@
<p>If this attribute is <code>true</code>, the AJP Connector will only
start if the <strong>secret</strong> attribute is configured with a
non-null, non-zero length value. The default value is <code>true</code>.
- </p>
+ This attributue should only be set to <code>false</code> when the
+ Connector is used on a trusted network.</p>
</attribute>
<attribute name="tcpNoDelay" required="false">
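Review bot: Typo in the added sentence: "This attributue should only be set to" should read "This attribute should only be set to". The rest of the change is fine; moving the closing <code>&lt;/p&gt;</code> onto the new line keeps the element well-formed.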
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 4d5726d..dfc03cc 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,6 +249,14 @@
<p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
Connectors that will not be used should be removed from server.xml.</p>
+ <p>AJP Connectors should only be used on trusted networks or be
+ appropriately secured with a suitable <code>secret</code> attribute.</p>
+
+ <p>AJP Connectors block forwarded requests with unknown request
+ attributes. Known safe and/or expected attributes may be allowed by
+ configuration an appropriate regular expression for the
+ <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+
<p>The <strong>address</strong> attribute may be used to control which IP
address a connector listens on for connections. By default, a connector
listens on all configured IP addresses.</p>
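Review bot: Grammar in the second added paragraph: "may be allowed by configuration an appropriate regular expression" should read "may be allowed by configuring an appropriate regular expression". It would also help to link <code>secret</code> and <code>allowedArbitraryRequestAttributes</code> to their entries in the AJP connector configuration reference, since this page only names them and the reader needs the reference for their semantics.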