This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2becbfd3228942a18b663ca715ee9c9b80743120
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:18:04 2020 +0000

    Add security information for the AJP Connector.
---
 webapps/docs/changelog.xml      |  3 +++
 webapps/docs/config/ajp.xml     | 10 +++++++++-
 webapps/docs/security-howto.xml |  8 ++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7538af1..1f6c84d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -237,6 +237,9 @@
         example includes ii18n support, the Locale used should be based on the
         request locale and not the server locale. (markt)
       </fix>
+      <add>
+        Add additional information on securing AJP/1.3 Connectors. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Other">
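Review bot: the unchanged context line two lines above the new `<add>` entry reads `example includes ii18n support` (doubled `i`); since this hunk already edits this changelog block, correcting it to `i18n` would be a cheap drive-by fix in the same commit.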
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 3fa0203..6189f23 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -44,6 +44,13 @@
   contained in the web application, and/or utilize Apache's SSL
   processing.</p>
 
+  <p>Use of the AJP protocol requires additional security considerations 
because
+  it allows greater direct manipulation of Tomcat's internal data structures
+  than the HTTP connectors. Particular attention should be paid to the values
+  used for the <code>address</code>, <code>secret</code>,
+  <code>secretRequired</code> and 
<code>allowedArbitraryRequestAttributes</code>
+  attributes.</p>
+
   <p>This connector supports load balancing when used in conjunction with
   the <code>jvmRoute</code> attribute of the
   <a href="engine.html">Engine</a>.</p>
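Review bot: the added paragraph carries trailing whitespace at the end of the line ending `security considerations ` and the line ending `<code>secretRequired</code> and ` (the mail client wraps both lines at that point); strip it before merging so the XML source stays clean. The sentence "Particular attention should be paid to the values used for ..." would also be more useful if it said why for each attribute in one clause, e.g. `address` (bind only to the interface the reverse proxy uses), `secret`/`secretRequired` (shared secret the proxy must present) and `allowedArbitraryRequestAttributes` (which forwarded attributes are accepted), since those descriptions are otherwise only found further down the attribute table.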
@@ -468,7 +475,8 @@
       <p>If this attribute is <code>true</code>, the AJP Connector will only
       start if the <strong>secret</strong> attribute is configured with a
       non-null, non-zero length value. The default value is <code>true</code>.
-      </p>
+      This attributue should only be set to <code>false</code> when the
+      Connector is used on a trusted network.</p>
     </attribute>
 
     <attribute name="tcpNoDelay" required="false">
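Review bot: `attributue` on the first added line is a typo for `attribute`. It would also help the reader to say what "trusted network" means here, e.g. "a network on which only the reverse proxy can reach the AJP port", since the surrounding text gives no definition and a misreading of this sentence is exactly what leads to `secretRequired="false"` on an exposed listener.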
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index a9b2ec8..5961cd0 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,6 +249,14 @@
       <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
       Connectors that will not be used should be removed from server.xml.</p>
 
+      <p>AJP Connectors should only be used on trusted networks or be
+      appropriately secured with a suitable <code>secret</code> attribute.</p>
+
+      <p>AJP Connectors block forwarded requests with unknown request
+      attributes. Known safe and/or expected attributes may be allowed by
+      configuration an appropriate regular expression for the
+      <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+
       <p>The <strong>address</strong> attribute may be used to control which IP
       address a connector listens on for connections. By default, a connector
       listens on all configured IP addresses.</p>
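Review bot: the second added paragraph has a grammar slip, "may be allowed by configuration an appropriate regular expression" should read "by configuring an appropriate regular expression". The same paragraph states the blocking behaviour as unconditional ("AJP Connectors block forwarded requests with unknown request attributes") but then describes it as configurable via `allowedArbitraryRequestAttributes`; opening with "By default, AJP Connectors block ..." would make the default explicit. The first added paragraph offers "trusted networks" and a `secret` as alternatives; consider phrasing them as complementary ("and, where possible, bound to a specific address ..."), since the `address` guidance in the following context paragraph applies to AJP as well.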


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
