Posted to users@tomcat.apache.org by Matthias Fechner <id...@fechner.net> on 2020/03/04 07:19:53 UTC

Problem with tomcat connector in IIS using tomcat 9.0.31

Dear all,

As tomcat version 9.0.31 has some security fixes included, I tried to do 
an upgrade.
On the IIS, tomcat connector version 1.2.46 is installed.

As the secret I use a 32-character alphanumeric string, which I call 
token here.
In the workers.properties I tried to define it on the load balancer 
line:
worker.loadbalancer.secret=token

And/or on each node:
worker.node1.secret=token
...
worker.node2.secret=token

For the tomcat configuration I defined in server.xml the following AJP 
connector:
     <Connector protocol="AJP/1.3"
                address="::"
                port="8009"
                tomcatAuthentication="false"
                enableLookups="false"
                secret="token"
                redirectPort="8443" />

But it does not work. It seems that tomcat does not answer here.
If I downgrade to tomcat 9.0.29 it works without any problems.

I started then wireshark and had a look into the traffic coming from the 
IIS.
From IIS I see an AJP13 connection with the following content in the "Apache 
JServ Protocol v1.3" part in wireshark:
...
Sec-Fetch-User: ?1
token
INTERNAL\user
Negotiate
...

As the token is included here, the secret configuration is maybe correct. 
The token here is equal to the token defined on the IIS tomcat connector and 
in the tomcat server.xml AJP definition.
Tomcat is sending back a "0:RSP:SEND HEADERS:403 403"

The IIS is doing the authentication and is then just sending the user to 
tomcat.

Regarding the documentation everything seems to be configured correctly, 
but it does not work.
Could anyone help me here, please?

-- 
Thanks a lot
Matthias

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
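The post above keeps the same secret in two places, the workers.properties on the IIS side and the AJP connector in server.xml, and a mismatch between them is the first thing to rule out before looking at the wire. The check below is an added example, not Matthias's configuration nor code from Tomcat or the ISAPI redirector: it parses both files, works out which secret each ajp13 worker will send (its own, or the one set on the load balancer that lists it as a member, an assumption about inheritance modelled from the "load balancer line and/or each node" description), and reports any AJP connector without a secret or any worker whose secret matches no connector. The two sample inputs are constructed to mirror the thread, with "token" standing in for the real 32-character secret.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the configuration in the post above;
# "token" stands in for the real 32-character secret.
WORKERS_PROPERTIES = """\
worker.list=loadbalancer
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.secret=token
worker.node1.type=ajp13
worker.node1.host=10.0.0.11
worker.node1.port=8009
worker.node2.type=ajp13
worker.node2.host=10.0.0.12
worker.node2.port=8009
worker.node2.secret=token
"""

SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector protocol="AJP/1.3"
               address="::"
               port="8009"
               tomcatAuthentication="false"
               enableLookups="false"
               secret="token"
               redirectPort="8443" />
  </Service>
</Server>
"""


def parse_workers(text):
    """Parse a workers.properties body into {worker_name: {key: value}}."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"worker\.([^.=]+)\.([^=]+)=(.*)", line)
        if m:
            name, key, value = m.groups()
            workers.setdefault(name, {})[key] = value.strip()
    return workers


def effective_secrets(workers):
    """Secret each ajp13 worker is expected to send: its own setting, else the
    secret of the lb worker that lists it as a member. That inheritance is
    modelled from the post's description and is an assumption of this example."""
    inherited = {}
    for props in workers.values():
        if props.get("type") == "lb" and "secret" in props:
            for member in props.get("balance_workers", "").split(","):
                inherited[member.strip()] = props["secret"]
    return {name: props.get("secret", inherited.get(name))
            for name, props in workers.items() if props.get("type") == "ajp13"}


def ajp_connector_secrets(xml_text):
    """Secret attribute of every AJP connector in server.xml (None if unset)."""
    root = ET.fromstring(xml_text)
    return [c.get("secret") for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def check(workers_text, server_xml_text):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    conn_secrets = ajp_connector_secrets(server_xml_text)
    if not conn_secrets:
        findings.append("no AJP connector found in server.xml")
    for secret in conn_secrets:
        if not secret:
            findings.append("AJP connector has no secret attribute")
    for name, secret in effective_secrets(parse_workers(workers_text)).items():
        if secret is None:
            findings.append(f"worker {name} sends no secret")
        elif secret not in conn_secrets:
            findings.append(f"worker {name} secret does not match any AJP connector secret")
    return findings


if __name__ == "__main__":
    for finding in check(WORKERS_PROPERTIES, SERVER_XML) or ["secrets consistent"]:
        print(finding)
```

Run it against the real files by reading them into the two strings; a clean result only says the secrets agree, so a 403 that persists afterwards points past the secret, which is what the Wireshark capture in the post also suggests.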


Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 04.03.2020 09:30, Stephen Hames wrote:
> Hi Matthias,
> 
> I suspect your issue is: address="::"    You probably want
> address="0.0.0.0" or the ipv4 IP address that your tomcat instance is
> listening on.   :: allows any on IPv6, but for IPv4 I suspect that tomcat
> would still be listening only on 127.0.0.1

But then, the error at the IIS level would be "connection refused", no?
Not a tomcat response with a 403 status, as seems to happen below.
Or am I the confused one?

> 
> Regards,
> Stephen



Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Mar 4, 2020 at 10:30 AM Stephen Hames
<st...@cloudpay.net.invalid> wrote:

> Hi Matthias,
>
> I suspect your issue is: address="::"    You probably want
> address="0.0.0.0" or the ipv4 IP address that your tomcat instance is
> listening on.   :: allows any on IPv6, but for IPv4 I suspect that tomcat
> would still be listening only on 127.0.0.1
>

Some users reported that by using 127.0.0.1 there were some latency issues.
Using ::1 resolved these issues for them.
But this issue sounds to me like some problem in the network stack, not in
Tomcat.


>
> Regards,
> Stephen
>

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Stephen Hames <st...@cloudpay.net.INVALID>.
Hi Matthias,

I suspect your issue is: address="::". You probably want
address="0.0.0.0" or the IPv4 IP address that your tomcat instance is
listening on. :: allows any on IPv6, but for IPv4 I suspect that tomcat
would still be listening only on 127.0.0.1

Regards,
Stephen


-- 
_________________________________________________
Stephen Hames, Systems Architect & Release Manager
Singapore | +65 6403 5900
CloudPay <https://www.cloudpay.net/>

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Matthias Fechner <id...@fechner.net>.
Thanks Christopher,

On 12.03.2020 at 16:11, Christopher Schultz wrote:
> The complete new default pattern is:
>
> (javax\.servlet\.request\.(cipher_suite|key_size|ssl_session|X509Certificate)|CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)|HTTPS_(SERVER_SUBJECT|SECRETKEYSIZE|SERVER_ISSUER|KEYSIZE))

I tested it with the new pattern successfully.

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook


Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Matthias,

On 3/12/20 07:19, Matthias Fechner wrote:
> Hi Christopher,
>
> On 09.03.2020 at 22:50, Christopher Schultz wrote:
>> That's not a super-secure solution. You really should specify a
>> correct whitelist pattern instead of "accept all".
>
> thanks for your comment. You are fully right, but as this seems like it
> will be fixed with the next tomcat version, I see it only as a
> temporary work-around.
>
> After the new version is released the configuration option can be
> completely removed again.

Fair enough. In the meantime, if you didn't trust your AJP connection
before, you (again) cannot trust it until you upgrade. And even then,
maybe not. You really need to lock it down; I highly recommend
mutually-authenticated TLS using e.g. stunnel.

> I'm not sure if it is worth to find the correct options you have
> to allow, as tomcat does not log any reason why the connection was
> refused.

The complete new default pattern is:


(javax\.servlet\.request\.(cipher_suite|key_size|ssl_session|X509Certificate)|CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)|HTTPS_(SERVER_SUBJECT|SECRETKEYSIZE|SERVER_ISSUER|KEYSIZE))

The pattern above has no newlines in it; you may have to trim those
from your mail reader in order to produce the correct pattern.

-chris

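To make the difference between Chris's default whitelist and the allowedRequestAttributesPattern=".*" workaround from earlier in the thread concrete, the snippet below applies both patterns to a constructed list of AJP request attribute names and shows which names each policy rejects. This is an added example, not code from Chris, Matthias or Tomcat: the pattern string is the one quoted in the mail written on a single line, the attribute names outside the whitelist (CERT_SUBJECT_EXTRA, javax.servlet.request.custom_attr, FORWARDED_APP_ROLE) are made up for illustration, and it assumes the whitelist is applied as a whole-string match.

```python
import re

# The default allowedRequestAttributesPattern quoted in the mail above, written
# as one string with no newlines (the line breaks in the mail are wrapping only).
DEFAULT_PATTERN = (
    r"(javax\.servlet\.request\.(cipher_suite|key_size|ssl_session|X509Certificate)"
    r"|CERT_(ISSUER|SUBJECT|COOKIE|FLAGS|SERIALNUMBER)"
    r"|HTTPS_(SERVER_SUBJECT|SECRETKEYSIZE|SERVER_ISSUER|KEYSIZE))"
)

# The "accept everything" workaround from earlier in the thread.
ACCEPT_ALL_PATTERN = r".*"

# Constructed attribute names: four from the whitelist, three that are not
# (CERT_SUBJECT_EXTRA only shares a prefix with a whitelisted name).
SAMPLE_ATTRIBUTES = [
    "javax.servlet.request.cipher_suite",
    "javax.servlet.request.X509Certificate",
    "CERT_SUBJECT",
    "HTTPS_KEYSIZE",
    "CERT_SUBJECT_EXTRA",
    "javax.servlet.request.custom_attr",
    "FORWARDED_APP_ROLE",
]


def filter_attributes(names, pattern):
    """Split names into (allowed, rejected).

    The whitelist is applied as a whole-string match (re.fullmatch); that is
    an assumption of this example. A prefix match would let a name such as
    CERT_SUBJECT_EXTRA through on the strength of its CERT_SUBJECT prefix."""
    compiled = re.compile(pattern)
    allowed = [n for n in names if compiled.fullmatch(n)]
    rejected = [n for n in names if compiled.fullmatch(n) is None]
    return allowed, rejected


def compare_policies(names):
    """What each policy would reject for the same forwarded attributes."""
    return {
        "default_whitelist": filter_attributes(names, DEFAULT_PATTERN)[1],
        "accept_all": filter_attributes(names, ACCEPT_ALL_PATTERN)[1],
    }


if __name__ == "__main__":
    for policy, rejected in compare_policies(SAMPLE_ATTRIBUTES).items():
        print(f"{policy}: rejects {rejected or 'nothing'}")
```

The accept-all pattern rejects nothing, which is why it made the 403 disappear; the whitelist rejects every name outside the listed ones, so the practical way to build a tighter pattern than ".*" is to take the attribute names the IIS side actually forwards and extend the default alternation with exactly those, keeping the match anchored to the whole name.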


Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Matthias Fechner <id...@fechner.net>.
Hi Christopher,

On 09.03.2020 at 22:50, Christopher Schultz wrote:
> That's not a super-secure solution. You really should specify a
> correct whitelist pattern instead of "accept all".

thanks for your comment.
You are fully right, but as this seems like it will be fixed with the next
tomcat version, I see it only as a temporary work-around.

After the new version is released the configuration option can be
completely removed again.

I'm not sure if it is worth finding the correct options you have to
allow, as tomcat does not log any reason why the connection was refused.

Regards
Matthias



Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Matthias,

On 3/9/20 09:43, Matthias Fechner wrote:
> On 04.03.2020 at 09:17, Martin Grigorov wrote:
>> Please read this discussion:
>> https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
>> <https://markmail.org/message/kmx6krqtduqma7jj>
>> The problem and a workaround are explained here:
>> https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E
>
> thanks, adding this fixed it:
>
> allowedRequestAttributesPattern=".*"

That's not a super-secure solution. You really should specify a
correct whitelist pattern instead of "accept all".

-chris



Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Matthias Fechner <id...@fechner.net>.
On 04.03.2020 at 09:17, Martin Grigorov wrote:
> Please read this discussion:
> https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
> <https://markmail.org/message/kmx6krqtduqma7jj>
> The problem and a workaround are explained here:
> https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E

thanks, adding this fixed it:

allowedRequestAttributesPattern=".*"

Regards
Matthias





Re: Problem with tomcat connector in IIS using tomcat 9.0.31

Posted by Martin Grigorov <mg...@apache.org>.
Hi Matthias,

Please read this discussion:
https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
<https://markmail.org/message/kmx6krqtduqma7jj>
The problem and a workaround are explained here:
https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E

Regards,
Martin

