You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/26 12:46:43 UTC
[tomcat] branch 7.0.x updated: Fix AJP Connector when requests
forwarded from IIS originally use TLS
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 0d4255d Fix AJP Connector when requests forwarded from IIS originally use TLS
0d4255d is described below
commit 0d4255dabddcc0dddf58c75dc258b8aeca38d232
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Feb 26 12:34:11 2020 +0000
Fix AJP Connector when requests forwarded from IIS originally use TLS
Add the TLS request attributes used by IIS to the attributes that an AJP
Connector will always accept.
---
java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 16 ++++++++++++++++
webapps/docs/changelog.xml | 8 ++++++++
webapps/docs/config/ajp.xml | 9 +++++++++
3 files changed, 33 insertions(+)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
index e68b458..5be3af1 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -85,6 +85,7 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
private static final Set<String> javaxAttributes;
+ private static final Set<String> iisTlsAttributes;
static {
@@ -135,6 +136,18 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
s.add("javax.servlet.request.ssl_session");
s.add("javax.servlet.request.X509Certificate");
javaxAttributes= Collections.unmodifiableSet(s);
+
+ Set<String> iis = new HashSet<String>();
+ iis.add("CERT_ISSUER");
+ iis.add("CERT_SUBJECT");
+ iis.add("CERT_COOKIE");
+ iis.add("HTTPS_SERVER_SUBJECT");
+ iis.add("CERT_FLAGS");
+ iis.add("HTTPS_SECRETKEYSIZE");
+ iis.add("CERT_SERIALNUMBER");
+ iis.add("HTTPS_SERVER_ISSUER");
+ iis.add("HTTPS_KEYSIZE");
+ iisTlsAttributes = Collections.unmodifiableSet(iis);
}
@@ -893,6 +906,9 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
request.setAttribute(n, v);
} else if (javaxAttributes.contains(n)) {
request.setAttribute(n, v);
+ } else if (iisTlsAttributes.contains(n)) {
+ // Allow IIS TLS attributes
+ request.setAttribute(n, v);
} else {
// All 'known' attributes will be processed by the previous
// blocks. Any remaining attribute is an 'arbitrary' one.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 10d3845..66b009b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,14 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Add the TLS request attributes used by IIS to the attributes that an AJP
+ Connector will always accept. (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 7.0.100 (violetagg)" rtext="released 2020-02-14">
<subsection name="Catalina">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index b3dd171..43f202d 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -321,6 +321,15 @@
<li>AJP_REMOTE_PORT</li>
<li>AJP_SSL_PROTOCOL</li>
<li>JK_LB_ACTIVATION</li>
+ <li>CERT_ISSUER (IIS only)</li>
+ <li>CERT_SUBJECT (IIS only)</li>
+ <li>CERT_COOKIE (IIS only)</li>
+ <li>HTTPS_SERVER_SUBJECT (IIS only)</li>
+ <li>CERT_FLAGS (IIS only)</li>
+ <li>HTTPS_SECRETKEYSIZE (IIS only)</li>
+ <li>CERT_SERIALNUMBER (IIS only)</li>
+ <li>HTTPS_SERVER_ISSUER (IIS only)</li>
+ <li>HTTPS_KEYSIZE (IIS only)</li>
</ul>
<p>The AJP protocol supports the passing of arbitrary request attributes.
Requests containing arbitrary request attributes will be rejected with a
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org