This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2becbfd3228942a18b663ca715ee9c9b80743120
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 15:18:04 2020 +0000
Add security information for the AJP Connector.
---
webapps/docs/changelog.xml | 3 +++
webapps/docs/config/ajp.xml | 10 +++++++++-
webapps/docs/security-howto.xml | 8 ++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7538af1..1f6c84d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -237,6 +237,9 @@
example includes ii18n support, the Locale used should be based on the
request locale and not the server locale. (markt)
</fix>
+ <add>
+ Add additional information on securing AJP/1.3 Connectors. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 3fa0203..6189f23 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -44,6 +44,13 @@
contained in the web application, and/or utilize Apache's SSL
processing.</p>
+ <p>Use of the AJP protocol requires additional security considerations
because
+ it allows greater direct manipulation of Tomcat's internal data structures
+ than the HTTP connectors. Particular attention should be paid to the values
+ used for the <code>address</code>, <code>secret</code>,
+ <code>secretRequired</code> and
<code>allowedArbitraryRequestAttributes</code>
+ attributes.</p>
+
<p>This connector supports load balancing when used in conjunction with
the <code>jvmRoute</code> attribute of the
<a href="engine.html">Engine</a>.</p>
@@ -468,7 +475,8 @@
<p>If this attribute is <code>true</code>, the AJP Connector will only
start if the <strong>secret</strong> attribute is configured with a
non-null, non-zero length value. The default value is <code>true</code>.
- </p>
+ This attributue should only be set to <code>false</code> when the
+ Connector is used on a trusted network.</p>
</attribute>
<attribute name="tcpNoDelay" required="false">
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index a9b2ec8..5961cd0 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,6 +249,14 @@
<p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
Connectors that will not be used should be removed from server.xml.</p>
+ <p>AJP Connectors should only be used on trusted networks or be
+ appropriately secured with a suitable <code>secret</code> attribute.</p>
+
+ <p>AJP Connectors block forwarded requests with unknown request
+ attributes. Known safe and/or expected attributes may be allowed by
+ configuration an appropriate regular expression for the
+ <code>allowedArbitraryRequestAttributes</code> attribute.</p>
+
<p>The <strong>address</strong> attribute may be used to control which IP
address a connector listens on for connections. By default, a connector
listens on all configured IP addresses.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
