Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/04 18:45:54 UTC
[tomcat] branch master updated (ae8c82e -> 38a0fd9)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from ae8c82e Stricter header value parsing
new 86768e4 Disable AJP connector by default
new aba0c9a Change the default bind address for AJP to the loopback address
new a41145c Rename requiredSecret to secret and add secretRequired
new 2e10858 Add new AJP attribute allowedArbitraryRequestAttribute
new 38a0fd9 Add security information for the AJP Connector.
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
TOMCAT-NEXT.txt | 2 -
conf/server.xml | 3 +-
.../org/apache/coyote/ajp/AbstractAjpProtocol.java | 66 +++++++++++++++++++++-
java/org/apache/coyote/ajp/AjpProcessor.java | 32 ++++++++---
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
res/tomcat.nsi | 21 -------
webapps/docs/config/ajp.xml | 46 +++++++++++++--
webapps/docs/manager-howto.xml | 2 -
webapps/docs/security-howto.xml | 16 ++++--
webapps/docs/setup.xml | 1 -
10 files changed, 143 insertions(+), 47 deletions(-)
[tomcat] 02/05: Change the default bind address for AJP to the
loopback address
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit aba0c9a488a7d7e5063779e88f652cdca439cd24
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 13:02:13 2020 +0000
Change the default bind address for AJP to the loopback address
---
java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 4 ++++
webapps/docs/config/ajp.xml | 5 +----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index 2500abd..8e0593b 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -16,6 +16,8 @@
*/
package org.apache.coyote.ajp;
+import java.net.InetAddress;
+
import org.apache.coyote.AbstractProtocol;
import org.apache.coyote.Processor;
import org.apache.coyote.UpgradeProtocol;
@@ -46,6 +48,8 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT);
// AJP does not use Send File
getEndpoint().setUseSendfile(false);
+ // AJP listens on loopback by default
+ getEndpoint().setAddress(InetAddress.getLoopbackAddress());
ConnectionHandler<S> cHandler = new ConnectionHandler<>(this);
setHandler(cHandler);
getEndpoint().setHandler(cHandler);
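Review bot: The new default on the `setAddress` line is not a fixed address: `InetAddress.getLoopbackAddress()` returns 127.0.0.1 or ::1 depending on the `java.net.preferIPv6Addresses` system property, so a reverse proxy configured for 127.0.0.1 will fail to connect on a JVM that prefers IPv6 while the connector still "listens on loopback". The added comment should say so, e.g. `// AJP listens on loopback by default (127.0.0.1 or ::1, per java.net.preferIPv6Addresses)`, and the ajp.xml wording "the loopback address" in the same commit could name both candidates. The security-howto paragraph that later hunks in this series leave in place still states that a connector listens on all configured IP addresses by default, which no longer holds for AJP. The constructor this hunk sits in begins outside the hunk.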
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index c70af91..5535a06 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -308,10 +308,7 @@
<attribute name="address" required="false">
<p>For servers with more than one IP address, this attribute
specifies which address will be used for listening on the specified
- port. By default, this port will be used on all IP addresses
- associated with the server. A value of <code>127.0.0.1</code>
- indicates that the Connector will only listen on the loopback
- interface.</p>
+ port. By default, the loopback address will be used.</p>
</attribute>
<attribute name="bindOnInit" required="false">
[tomcat] 04/05: Add new AJP attribute
allowedArbitraryRequestAttribute
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2e108583e8665fdc61970137a409f15c4df3a36f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:04:12 2020 +0000
Add new AJP attribute allowedArbitraryRequestAttribute
Requests with unrecognised attributes will be blocked with a 403
---
java/org/apache/coyote/ajp/AbstractAjpProtocol.java | 13 +++++++++++++
java/org/apache/coyote/ajp/AjpProcessor.java | 20 +++++++++++++++++++-
webapps/docs/config/ajp.xml | 19 +++++++++++++++++++
3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index 81da7da..a2f5e28 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -17,6 +17,7 @@
package org.apache.coyote.ajp;
import java.net.InetAddress;
+import java.util.regex.Pattern;
import org.apache.coyote.AbstractProtocol;
import org.apache.coyote.Processor;
@@ -188,6 +189,18 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
}
+ private Pattern allowedArbitraryRequestAttributesPattern;
+ public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) {
+ this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes);
+ }
+ public String getAllowedArbitraryRequestAttributes() {
+ return allowedArbitraryRequestAttributesPattern.pattern();
+ }
+ protected Pattern getAllowedArbitraryRequestAttributesPattern() {
+ return allowedArbitraryRequestAttributesPattern;
+ }
+
+
/**
* AJP packet size.
*/
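Review bot: `getAllowedArbitraryRequestAttributes()` throws a NullPointerException whenever the attribute was never configured, which the ajp.xml text in this commit says is the default, because the field starts as null and `.pattern()` is called on it unconditionally; the getter is reachable via JMX/attribute introspection, so it should guard: `return allowedArbitraryRequestAttributesPattern == null ? null : allowedArbitraryRequestAttributesPattern.pattern();`. None of the three new members has Javadoc, unlike the documented setters around them; the setter should state that an invalid expression fails at configuration time with `@throws PatternSyntaxException` from `Pattern.compile`, and that null (unset) means every arbitrary attribute is rejected. The class continues outside the hunk.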
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 128c1a0..226d210 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -28,6 +28,8 @@ import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import jakarta.servlet.http.HttpServletResponse;
@@ -742,12 +744,28 @@ public class AjpProcessor extends AbstractProcessor {
}
} else if(n.equals(Constants.SC_A_SSL_PROTOCOL)) {
request.setAttribute(SSLSupport.PROTOCOL_VERSION_KEY, v);
+ } else if (n.equals("JK_LB_ACTIVATION")) {
+ request.setAttribute(n, v);
} else if (jakartaAttributeMapping.containsKey(n)) {
// AJP uses the Java Servlet attribute names.
// Need to convert these to Jakarta SAervlet.
request.setAttribute(jakartaAttributeMapping.get(n), v);
} else {
- request.setAttribute(n, v );
+ // All 'known' attributes will be processed by the previous
+ // blocks. Any remaining attribute is an 'arbitrary' one.
+ Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern();
+ if (pattern == null) {
+ response.setStatus(403);
+ setErrorState(ErrorState.CLOSE_CLEAN, null);
+ } else {
+ Matcher m = pattern.matcher(n);
+ if (m.matches()) {
+ request.setAttribute(n, v);
+ } else {
+ response.setStatus(403);
+ setErrorState(ErrorState.CLOSE_CLEAN, null);
+ }
+ }
}
break;
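Review bot: The two rejection branches in the new `else` block are identical and can be collapsed so the allow path is the only special case: `if (pattern != null && pattern.matcher(n).matches()) { request.setAttribute(n, v); } else { response.setStatus(403); setErrorState(ErrorState.CLOSE_CLEAN, null); }`. The rejection is also silent: nothing records which attribute name caused the 403, so an operator enabling this change behind an existing proxy cannot tell what to add to `allowedArbitraryRequestAttributes`; a debug-level message naming `n` (if the class's logger is in scope here) would make the rollout diagnosable. Note that `matches()` is the right choice over `find()` because the documentation promises the entire name must match. The enclosing method starts outside the hunk.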
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 3999a13..69348a1 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -311,6 +311,25 @@
port. By default, the loopback address will be used.</p>
</attribute>
+ <attribute name="allowedArbitraryRequestAttributes" required="false">
+ <p>The AJP protocol passes some information from the reverse proxy to the
+ AJP connector using request attributes. These attributes are:</p>
+ <ul>
+ <li>javax.servlet.request.cipher_suite</li>
+ <li>javax.servlet.request.key_size</li>
+ <li>javax.servlet.request.ssl_session</li>
+ <li>javax.servlet.request.X509Certificate</li>
+ <li>AJP_LOCAL_ADDR</li>
+ <li>AJP_REMOTE_PORT</li>
+ <li>AJP_SSL_PROTOCOL</li>
+ <li>JK_LB_ACTIVATION</li>
+ </ul>
+ <p>The AJP protocol supports the passing of arbitrary request attributes.
+ Requests containing arbitrary request attributes will be rejected with a
+ 403 response unless the entire attribute name matches this regular
+ expression. If not specified, the default value is <code>null</code>.</p>
+ </attribute>
+
<attribute name="bindOnInit" required="false">
<p>Controls when the socket used by the connector is bound. By default it
is bound when the connector is initiated and unbound when the connector is
[tomcat] 01/05: Disable AJP connector by default
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 86768e423a6ca0ae32e64acb65c9ae8dccf52256
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 12:41:01 2020 +0000
Disable AJP connector by default
---
TOMCAT-NEXT.txt | 2 --
conf/server.xml | 3 ++-
res/tomcat.nsi | 21 ---------------------
webapps/docs/manager-howto.xml | 2 --
webapps/docs/security-howto.xml | 8 ++++----
webapps/docs/setup.xml | 1 -
6 files changed, 6 insertions(+), 31 deletions(-)
diff --git a/TOMCAT-NEXT.txt b/TOMCAT-NEXT.txt
index 95d6376..3be3e12 100644
--- a/TOMCAT-NEXT.txt
+++ b/TOMCAT-NEXT.txt
@@ -47,8 +47,6 @@ New items for 10.0.0.x onwards:
7. Refactor DefaultServlet to use Ranges in parseRanges().
- 8. Consider disabling the AJP connector by default.
-
Deferred until 10.0.x:
diff --git a/conf/server.xml b/conf/server.xml
index 2cd78df..5d9d57a 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -113,8 +113,9 @@
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
+ <!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-
+ -->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
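Review bot: The commented-out `<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />` example carries no `secret`, and with the `secretRequired` default introduced later in this same push a user who simply uncomments it will get the `ajpprotocol.nosecret` IllegalArgumentException at startup rather than a working connector. Since the comment is the only hint shipped in server.xml, a short line inside the comment block such as `<!-- A secret (or secretRequired="false") must be configured before enabling this connector -->` would prevent that surprise. The hunk does not show whether such guidance exists elsewhere in the file.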
diff --git a/res/tomcat.nsi b/res/tomcat.nsi
index 60d1f09..c06df50 100644
--- a/res/tomcat.nsi
+++ b/res/tomcat.nsi
@@ -53,7 +53,6 @@ Var Arch
Var ResetInstDir
Var TomcatPortShutdown
Var TomcatPortHttp
-Var TomcatPortAjp
Var TomcatMenuEntriesEnable
Var TomcatShortcutAllUsers
Var TomcatServiceName
@@ -70,7 +69,6 @@ Var TomcatAdminRoles
Var CtlJavaHome
Var CtlTomcatPortShutdown
Var CtlTomcatPortHttp
-Var CtlTomcatPortAjp
Var CtlTomcatServiceName
Var CtlTomcatShortcutAllUsers
Var CtlTomcatAdminUsername
@@ -135,7 +133,6 @@ Var ServiceInstallLog
LangString TEXT_JVM_LABEL1 ${LANG_ENGLISH} "Please select the path of a Java @MIN_JAVA_VERSION@ or later JRE installed on your system."
LangString TEXT_CONF_LABEL_PORT_SHUTDOWN ${LANG_ENGLISH} "Server Shutdown Port"
LangString TEXT_CONF_LABEL_PORT_HTTP ${LANG_ENGLISH} "HTTP/1.1 Connector Port"
- LangString TEXT_CONF_LABEL_PORT_AJP ${LANG_ENGLISH} "AJP/1.3 Connector Port"
LangString TEXT_CONF_LABEL_SERVICE_NAME ${LANG_ENGLISH} "Windows Service Name"
LangString TEXT_CONF_LABEL_SHORTCUT_ALL_USERS ${LANG_ENGLISH} "Create shortcuts for all users"
LangString TEXT_CONF_LABEL_ADMIN ${LANG_ENGLISH} "Tomcat Administrator Login (optional)"
@@ -459,7 +456,6 @@ Function .onInit
StrCpy $JavaHome ""
StrCpy $TomcatPortShutdown "-1"
StrCpy $TomcatPortHttp "8080"
- StrCpy $TomcatPortAjp "8009"
StrCpy $TomcatMenuEntriesEnable "0"
StrCpy $TomcatShortcutAllUsers "0"
StrCpy $TomcatServiceDefaultName "Tomcat@VERSION_MAJOR@"
@@ -477,7 +473,6 @@ Function .onInit
${ReadFromConfigIni} $JavaHome "JavaHome" $R2
${ReadFromConfigIni} $TomcatPortShutdown "TomcatPortShutdown" $R2
${ReadFromConfigIni} $TomcatPortHttp "TomcatPortHttp" $R2
- ${ReadFromConfigIni} $TomcatPortAjp "TomcatPortAjp" $R2
${ReadFromConfigIni} $TomcatMenuEntriesEnable "TomcatMenuEntriesEnable" $R2
${ReadFromConfigIni} $TomcatShortcutAllUsers "TomcatShortcutAllUsers" $R2
${ReadFromConfigIni} $TomcatServiceDefaultName "TomcatServiceDefaultName" $R2
@@ -603,13 +598,6 @@ Function pageConfiguration
Pop $CtlTomcatPortHttp
${NSD_SetTextLimit} $CtlTomcatPortHttp 5
- ${NSD_CreateLabel} 0 36u 100u 14u "$(TEXT_CONF_LABEL_PORT_AJP)"
- Pop $R0
-
- ${NSD_CreateText} 150u 34u 50u 12u "$TomcatPortAjp"
- Pop $CtlTomcatPortAjp
- ${NSD_SetTextLimit} $CtlTomcatPortAjp 5
-
${NSD_CreateLabel} 0 57u 140u 14u "$(TEXT_CONF_LABEL_SERVICE_NAME)"
Pop $R0
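Review bot: Removing the AJP label and text controls positioned at 36u/34u leaves an empty row in the configuration page, because the next control (`TEXT_CONF_LABEL_SERVICE_NAME`) is still created at 57u; the remaining rows presumably want to move up by the height of the deleted row, or the gap should be kept intentionally and noted. Only this page's vertical offsets are visible in the hunk, so the rest of `pageConfiguration` may need the same adjustment.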
@@ -647,7 +635,6 @@ FunctionEnd
Function pageConfigurationLeave
${NSD_GetText} $CtlTomcatPortShutdown $TomcatPortShutdown
${NSD_GetText} $CtlTomcatPortHttp $TomcatPortHttp
- ${NSD_GetText} $CtlTomcatPortAjp $TomcatPortAjp
${NSD_GetText} $CtlTomcatServiceName $TomcatServiceName
${If} $TomcatMenuEntriesEnable == "1"
${NSD_GetState} $CtlTomcatShortcutAllUsers $TomcatShortcutAllUsers
@@ -670,12 +657,6 @@ Function pageConfigurationLeave
Goto exit
${EndIf}
- ${If} $TomcatPortAjp == ""
- MessageBox MB_ICONEXCLAMATION|MB_OK 'The AJP port may not be empty'
- Abort "Config not right"
- Goto exit
- ${EndIf}
-
${If} $TomcatServiceName == ""
MessageBox MB_ICONEXCLAMATION|MB_OK 'The Service Name may not be empty'
Abort "Config not right"
@@ -1064,7 +1045,6 @@ Function configure
IfErrors SERVER_XML_LEAVELOOP
${StrRep} $R4 $R3 "8005" "$TomcatPortShutdown"
${StrRep} $R3 $R4 "8080" "$TomcatPortHttp"
- ${StrRep} $R4 $R3 "8009" "$TomcatPortAjp"
FileWrite $R2 $R4
Goto SERVER_XML_LOOP
SERVER_XML_LEAVELOOP:
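Review bot: Deleting the third `${StrRep}` breaks the HTTP port substitution: the shutdown-port replacement writes into `$R4`, the HTTP-port replacement then writes into `$R3`, and the removed line was what copied that result back into `$R4` before `FileWrite $R2 $R4`; with it gone the line written to server.xml only has the shutdown port substituted and the configured HTTP port is dropped. The write should use the register that holds the last replacement, `FileWrite $R2 $R3`, or the second `${StrRep}` should target `$R4` from `$R3`. `Function configure` begins outside the hunk.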
@@ -1082,7 +1062,6 @@ Function configure
DetailPrint 'Server shutdown listener configured on port "$TomcatPortShutdown"'
DetailPrint 'HTTP/1.1 Connector configured on port "$TomcatPortHttp"'
- DetailPrint 'AJP/1.3 Connector configured on port "$TomcatPortAjp"'
DetailPrint "server.xml written"
StrCpy $R5 ''
diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml
index ba445ca..351e89b 100644
--- a/webapps/docs/manager-howto.xml
+++ b/webapps/docs/manager-howto.xml
@@ -918,8 +918,6 @@ currently configured for each virtual host.</p>
<source>OK - Connector / Trusted Certificate information
Connector[HTTP/1.1-8080]
SSL is not enabled for this connector
-Connector[AJP/1.3-8009]
-SSL is not enabled for this connector
Connector[HTTP/1.1-8443]-_default_
[
[
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index b54a7dc..4d5726d 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -246,12 +246,12 @@
</subsection>
<subsection name="Connectors">
- <p>By default, an HTTP and an AJP connector are configured. Connectors
- that will not be used should be removed from server.xml.</p>
+ <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
+ Connectors that will not be used should be removed from server.xml.</p>
<p>The <strong>address</strong> attribute may be used to control which IP
- address the connector listens on for connections. By default, the
- connector listens on all configured IP addresses.</p>
+ address a connector listens on for connections. By default, a connector
+ listens on all configured IP addresses.</p>
<p>The <strong>allowTrace</strong> attribute may be used to enable TRACE
requests which can be useful for debugging. Due to the way some browsers
diff --git a/webapps/docs/setup.xml b/webapps/docs/setup.xml
index 3655063..8daf5c1 100644
--- a/webapps/docs/setup.xml
+++ b/webapps/docs/setup.xml
@@ -85,7 +85,6 @@
<li>JavaHome</li>
<li>TomcatPortShutdown</li>
<li>TomcatPortHttp</li>
- <li>TomcatPortAjp</li>
<li>TomcatMenuEntriesEnable</li>
<li>TomcatShortcutAllUsers</li>
<li>TomcatServiceDefaultName</li>
[tomcat] 03/05: Rename requiredSecret to secret and add
secretRequired
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a41145cc0c564a7f5feff9ac4263a46ba8c0f4e7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 14:24:33 2020 +0000
Rename requiredSecret to secret and add secretRequired
AJP Connector will not start if secretRequired="true" and secret is set
to null or zero length String.
---
.../org/apache/coyote/ajp/AbstractAjpProtocol.java | 49 ++++++++++++++++++++--
java/org/apache/coyote/ajp/AjpProcessor.java | 12 +++---
java/org/apache/coyote/ajp/LocalStrings.properties | 1 +
webapps/docs/config/ajp.xml | 12 +++++-
4 files changed, 64 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index 8e0593b..81da7da 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -143,17 +143,48 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
}
- private String requiredSecret = null;
+ private String secret = null;
+ /**
+ * Set the secret that must be included with every request.
+ *
+ * @param secret The required secret
+ */
+ public void setSecret(String secret) {
+ this.secret = secret;
+ }
+ protected String getSecret() {
+ return secret;
+ }
/**
* Set the required secret that must be included with every request.
*
* @param requiredSecret The required secret
+ *
+ * @deprecated Replaced by {@link #setSecret(String)}.
+ * Will be removed in Tomcat 11 onwards
*/
+ @Deprecated
public void setRequiredSecret(String requiredSecret) {
- this.requiredSecret = requiredSecret;
+ setSecret(requiredSecret);
}
+ /**
+ * @return The current secret
+ *
+ * @deprecated Replaced by {@link #getSecret()}.
+ * Will be removed in Tomcat 11 onwards
+ */
+ @Deprecated
protected String getRequiredSecret() {
- return requiredSecret;
+ return getSecret();
+ }
+
+
+ private boolean secretRequired = true;
+ public void setSecretRequired(boolean secretRequired) {
+ this.secretRequired = secretRequired;
+ }
+ public boolean getSecretRequired() {
+ return secretRequired;
}
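Review bot: `getSecret()`, `setSecretRequired(boolean)` and `getSecretRequired()` are added without Javadoc while the neighbouring `setSecret` and the deprecated pair are fully documented; the new setter in particular defines a security default and deserves a comment such as `/** Whether the connector refuses to start without a non-empty secret; defaults to true. Only set to false on a trusted network. */`. The `@deprecated` text should also say which release removes the old names consistently, since "Tomcat 11 onwards" appears on both but the `since` value of `@Deprecated` is not given. The class continues outside the hunk.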
@@ -210,4 +241,16 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
throw new IllegalStateException(sm.getString("ajpprotocol.noUpgradeHandler",
upgradeToken.getHttpUpgradeHandler().getClass().getName()));
}
+
+
+ @Override
+ public void init() throws Exception {
+ if (getSecretRequired()) {
+ String secret = getSecret();
+ if (secret == null || secret.length() == 0) {
+ throw new IllegalArgumentException(sm.getString("ajpprotocol.nosecret"));
+ }
+ }
+ super.init();
+ }
}
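Review bot: The new `init()` check uses `secret.length() == 0` where `secret.isEmpty()` reads better, and the message key `ajpprotocol.nosecret` breaks the camelCase convention of the adjacent `ajpprotocol.noSSL`/`ajpprotocol.noUpgrade` keys, so it should be `ajpprotocol.noSecret` in both this call and the LocalStrings.properties hunk of this commit. The override should document the failure mode with `@throws IllegalArgumentException if secretRequired is true and no secret is configured`. A whitespace-only secret passes this check; whether that is acceptable is a design question worth a sentence in the Javadoc rather than a silent assumption.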
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 0c593ba..128c1a0 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -712,8 +712,8 @@ public class AjpProcessor extends AbstractProcessor {
}
// Decode extra attributes
- String requiredSecret = protocol.getRequiredSecret();
- boolean secret = false;
+ String secret = protocol.getSecret();
+ boolean secretPresentInRequest = false;
byte attributeCode;
while ((attributeCode = requestHeaderMessage.getByte())
!= Constants.SC_A_ARE_DONE) {
@@ -819,9 +819,9 @@ public class AjpProcessor extends AbstractProcessor {
case Constants.SC_A_SECRET:
requestHeaderMessage.getBytes(tmpMB);
- if (requiredSecret != null) {
- secret = true;
- if (!tmpMB.equals(requiredSecret)) {
+ if (secret != null) {
+ secretPresentInRequest = true;
+ if (!tmpMB.equals(secret)) {
response.setStatus(403);
setErrorState(ErrorState.CLOSE_CLEAN, null);
}
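Review bot: The comparison `tmpMB.equals(secret)` is carried forward unchanged apart from the rename; if `MessageBytes.equals(String)` stops at the first differing byte, as a plain comparison would, the time to reach the 403 depends on how many leading bytes of the submitted secret match, which is the classic argument for a constant-time compare such as `MessageDigest.isEqual` over the two byte arrays. This is pre-existing behaviour rather than something the commit introduces, but the commit is the moment the secret becomes the primary control on an exposed connector, so it is worth a follow-up. The enclosing method continues outside the hunk.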
@@ -837,7 +837,7 @@ public class AjpProcessor extends AbstractProcessor {
}
// Check if secret was submitted if required
- if ((requiredSecret != null) && !secret) {
+ if ((secret != null) && !secretPresentInRequest) {
response.setStatus(403);
setErrorState(ErrorState.CLOSE_CLEAN, null);
}
diff --git a/java/org/apache/coyote/ajp/LocalStrings.properties b/java/org/apache/coyote/ajp/LocalStrings.properties
index 9b569bb..01de92a 100644
--- a/java/org/apache/coyote/ajp/LocalStrings.properties
+++ b/java/org/apache/coyote/ajp/LocalStrings.properties
@@ -28,5 +28,6 @@ ajpprocessor.request.prepare=Error preparing request
ajpprocessor.request.process=Error processing request
ajpprotocol.noSSL=SSL is not supported with AJP. The SSL host configuration for [{0}] was ignored
+ajpprotocol.nosecret=The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
ajpprotocol.noUpgrade=Upgrade is not supported with AJP. The UpgradeProtocol configuration for [{0}] was ignored
ajpprotocol.noUpgradeHandler=Upgrade is not supported with AJP. The HttpUpgradeHandler [{0}] can not be processed
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 5535a06..3999a13 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -428,8 +428,18 @@
expected concurrent requests (synchronous and asynchronous).</p>
</attribute>
- <attribute name="requiredSecret" required="false">
+ <attribute name="secret" required="false">
<p>Only requests from workers with this secret keyword will be accepted.
+ The default value is <code>null</code>. This attrbute must be specified
+ with a non-null, non-zero length value unless
+ <strong>secretRequired</strong> is explicitly configured to be
+ <code>false</code>.</p>
+ </attribute>
+
+ <attribute name="secretRequired" required="false">
+ <p>If this attribute is <code>true</code>, the AJP Connector will only
+ start if the <strong>secret</strong> attribute is configured with a
+ non-null, non-zero length value. The default value is <code>true</code>.
</p>
</attribute>
[tomcat] 05/05: Add security information for the AJP Connector.
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 38a0fd9bb287e9e70eb61a5d8ea12cf602fb6398
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:18:04 2020 +0000
Add security information for the AJP Connector.
---
webapps/docs/config/ajp.xml | 10 +++++++++-
webapps/docs/security-howto.xml | 8 ++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 69348a1..dbecf7a 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -44,6 +44,13 @@
contained in the web application, and/or utilize Apache's SSL
processing.</p>
+ <p>Use of the AJP protocol requires additional security considerations because
+ it allows greater direct manipulation of Tomcat's internal data structures
+ than the HTTP connectors. Particular attention should be paid to the values
+ used for the <code>address</code>, <code>secret</code>,
+ <code>secretRequired</code> and <code>allowedArbitraryRequestAttributes</code>
+ attributes.</p>
+
<p>This connector supports load balancing when used in conjunction with
the <code>jvmRoute</code> attribute of the
<a href="engine.html">Engine</a>.</p>
@@ -459,7 +466,8 @@
<p>If this attribute is <code>true</code>, the AJP Connector will only
start if the <strong>secret</strong> attribute is configured with a
non-null, non-zero length value. The default value is <code>true</code>.
- </p>
+ This attributue should only be set to <code>false</code> when the
+ Connector is used on a trusted network.</p>
</attribute>
<attribute name="tcpNoDelay" required="false">
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 4d5726d..dfc03cc 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,6 +249,14 @@
<p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
Connectors that will not be used should be removed from server.xml.</p>
+ <p>AJP Connectors should only be used on trusted networks or be
+ appropriately secured with a suitable <code>secret</code> attribute.</p>
+
+ <p>AJP Connectors block forwarded requests with unknown request
+ attributes. Known safe and/or expected attributes may be allowed by
+ configuration an appropriate regular expression for the
+ <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+
<p>The <strong>address</strong> attribute may be used to control which IP
address a connector listens on for connections. By default, a connector
listens on all configured IP addresses.</p>