You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/26 12:34:30 UTC

[tomcat] branch master updated: Fix AJP Connector when requests forwarded from IIS originally use TLS

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new 235666f  Fix AJP Connector when requests forwarded from IIS originally use TLS
235666f is described below

commit 235666fe9db4c58e4ba06f41732d96f900544269
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Feb 26 12:34:11 2020 +0000

    Fix AJP Connector when requests forwarded from IIS originally use TLS
    
    Add the TLS request attributes used by IIS to the attributes that an AJP
    Connector will always accept.
---
 java/org/apache/coyote/ajp/AjpProcessor.java | 18 ++++++++++++++++++
 webapps/docs/changelog.xml                   |  4 ++++
 webapps/docs/config/ajp.xml                  |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index ebe1353..9db523b 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -27,7 +27,9 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -84,6 +86,7 @@ public class AjpProcessor extends AbstractProcessor {
 
 
     private static final Map<String,String> jakartaAttributeMapping;
+    private static final Set<String> iisTlsAttributes;
 
 
     static {
@@ -138,6 +141,18 @@ public class AjpProcessor extends AbstractProcessor {
         m.put("javax.servlet.request.ssl_session", "jakarta.servlet.request.ssl_session");
         m.put("javax.servlet.request.X509Certificate", "jakarta.servlet.request.X509Certificate");
         jakartaAttributeMapping = Collections.unmodifiableMap(m);
+
+        Set<String> s = new HashSet<>();
+        s.add("CERT_ISSUER");
+        s.add("CERT_SUBJECT");
+        s.add("CERT_COOKIE");
+        s.add("HTTPS_SERVER_SUBJECT");
+        s.add("CERT_FLAGS");
+        s.add("HTTPS_SECRETKEYSIZE");
+        s.add("CERT_SERIALNUMBER");
+        s.add("HTTPS_SERVER_ISSUER");
+        s.add("HTTPS_KEYSIZE");
+        iisTlsAttributes = Collections.unmodifiableSet(s);
     }
 
 
@@ -754,6 +769,9 @@ public class AjpProcessor extends AbstractProcessor {
                     // AJP uses the Java Servlet attribute names.
                     // Need to convert these to Jakarta Servlet.
                     request.setAttribute(jakartaAttributeMapping.get(n), v);
+                } else if (iisTlsAttributes.contains(n)) {
+                    // Allow IIS TLS attributes
+                    request.setAttribute(n, v);
                 } else {
                     // All 'known' attributes will be processed by the previous
                     // blocks. Any remaining attribute is an 'arbitrary' one.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index dd93f38..60c9097 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -79,6 +79,10 @@
         Improve robustness of OpenSSLEngine shutdown. Based on code submitted
         by Manuel Dominguez Sarmiento. (remm)
       </fix>
+      <fix>
+        Add the TLS request attributes used by IIS to the attributes that an AJP
+        Connector will always accept. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Cluster">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 9760e80..12b554d 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -330,6 +330,15 @@
         <li>AJP_REMOTE_PORT</li>
         <li>AJP_SSL_PROTOCOL</li>
         <li>JK_LB_ACTIVATION</li>
+        <li>CERT_ISSUER (IIS only)</li>
+        <li>CERT_SUBJECT (IIS only)</li>
+        <li>CERT_COOKIE (IIS only)</li>
+        <li>HTTPS_SERVER_SUBJECT (IIS only)</li>
+        <li>CERT_FLAGS (IIS only)</li>
+        <li>HTTPS_SECRETKEYSIZE (IIS only)</li>
+        <li>CERT_SERIALNUMBER (IIS only)</li>
+        <li>HTTPS_SERVER_ISSUER (IIS only)</li>
+        <li>HTTPS_KEYSIZE (IIS only)</li>
       </ul>
       <p>The AJP protocol supports the passing of arbitrary request attributes.
       Requests containing arbitrary request attributes will be rejected with a


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org