Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/04 18:45:59 UTC

[tomcat] 05/05: Add security information for the AJP Connector.

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:18:04 2020 +0000

    Add security information for the AJP Connector.
---
 webapps/docs/config/ajp.xml     | 10 +++++++++-
 webapps/docs/security-howto.xml |  8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 69348a1..dbecf7a 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -44,6 +44,13 @@
   contained in the web application, and/or utilize Apache's SSL
   processing.</p>
 
+  <p>Use of the AJP protocol requires additional security considerations because
+  it allows greater direct manipulation of Tomcat's internal data structures
+  than the HTTP connectors. Particular attention should be paid to the values
+  used for the <code>address</code>, <code>secret</code>,
+  <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code>
+  attributes.</p>
+
   <p>This connector supports load balancing when used in conjunction with
   the <code>jvmRoute</code> attribute of the
   <a href="engine.html">Engine</a>.</p>
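Review bot: the new introductory paragraph names the four attributes that matter (`address`, `secret`, `secretRequired`, `allowedArbitraryRequestAttributes`) but gives no direction on their values, so a reader still has to reconstruct the safe configuration from each attribute's description further down the page. Consider stating it here in one sentence, e.g. bind `address` to a loopback or management interface, leave `secretRequired` at its default of `true` and configure a strong `secret`, and leave `allowedArbitraryRequestAttributes` unset unless the proxy is known to send a particular attribute. "greater direct manipulation of Tomcat's internal data structures" is also vaguer than it needs to be; the concrete point, which the security-howto change in this same commit makes, is that the proxy can set request attributes on the forwarded request, and that is why the connector must only accept connections from a trusted proxy.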
@@ -459,7 +466,8 @@
       <p>If this attribute is <code>true</code>, the AJP Connector will only
       start if the <strong>secret</strong> attribute is configured with a
       non-null, non-zero length value. The default value is <code>true</code>.
-      </p>
+      This attributue should only be set to <code>false</code> when the
+      Connector is used on a trusted network.</p>
     </attribute>
 
     <attribute name="tcpNoDelay" required="false">
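Review bot: typo in the added sentence at the end of the `secretRequired` description: "This attributue should only be set to <code>false</code>" should read "This attribute should only be set to <code>false</code>". It would also help to say what "trusted network" means here (one on which only the reverse proxy can reach the AJP port), and to make clear that `false` only removes the startup check; from the visible text a reader cannot tell whether a `secret` may still be configured alongside `secretRequired="false"`, so a clause to that effect would avoid readers treating the two as mutually exclusive.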
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 4d5726d..dfc03cc 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,6 +249,14 @@
       <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
       Connectors that will not be used should be removed from server.xml.</p>
 
+      <p>AJP Connectors should only be used on trusted networks or be
+      appropriately secured with a suitable <code>secret</code> attribute.</p>
+
+      <p>AJP Connectors block forwarded requests with unknown request
+      attributes. Known safe and/or expected attributes may be allowed by
+      configuration an appropriate regular expression for the
+      <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+
       <p>The <strong>address</strong> attribute may be used to control which IP
       address a connector listens on for connections. By default, a connector
       listens on all configured IP addresses.</p>
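Review bot: grammar in the second added paragraph: "may be allowed by configuration an appropriate regular expression" should read "may be allowed by configuring an appropriate regular expression". In the first added paragraph, "should only be used on trusted networks or be appropriately secured with a suitable <code>secret</code>" reads as if a secret makes network restriction unnecessary and vice versa; since the <strong>address</strong> paragraph that follows already covers binding to a specific interface, consider "and" plus a cross-reference to that paragraph so that restricting the listening address and requiring a secret are presented as complementary controls rather than alternatives.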


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org