https://bz.apache.org/bugzilla/show_bug.cgi?id=64180
Bug ID: 64180
Summary: secretRequired=false is ignored if secret=<anything>
Product: Tomcat 9
Version: 9.0.31
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
I have defined my server.xml as follows to allow the ajp.secretRequired and
ajp.secret values as command line properties so I don't have to edit the
server.xml on each server.
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               address="${ajp.address}"
               connectionTimeout="20000"
               acceptCount="100"
               maxThreads="1600"
               minSpareThreads="100"
               port="8009"
               redirectPort="8443"
               secretRequired="${ajp.secretRequired}"
               secret="${ajp.secret}"
    />
If ajp.secretRequired=true and ajp.secret is set to something it all works as
expected. However, if ajp.secretRequired=false and ajp.secret="" (or is not
set at all) the AJP connector still requires the secret to be passed.
Steps to reproduce:
1. Set secretRequired=false secret="" in the server.xml
2. Try to connect from a client that does not pass a secret
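An added example, not part of the original report and not Tomcat's own code: a small audit of a server.xml that resolves the ${...} placeholders against a given set of properties and flags AJP connectors in the state the report describes. Leaving unknown placeholders as literal text is an assumption, and the function names and issue codes are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the report, trimmed to the relevant attributes.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="${ajp.address}" port="8009"
             secretRequired="${ajp.secretRequired}" secret="${ajp.secret}" />
</Service></Server>"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve(value, props):
    """Substitute ${name} from props; unknown names stay as literal text (assumption)."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def audit_ajp(xml_text, props):
    """Return one finding per AJP connector: resolved values plus issue codes."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        attrs = {k: resolve(v, props) for k, v in conn.attrib.items()}
        secret = attrs.get("secret")          # None only if the attribute is absent
        required = attrs.get("secretRequired", "").strip().lower()
        issues = []
        for name in ("secret", "secretRequired"):
            if PLACEHOLDER.search(attrs.get(name, "")):
                issues.append(f"unresolved-placeholder:{name}")
        # The combination from the report: secretRequired=false, yet a secret
        # attribute is still present (even as an empty string).
        if required == "false" and secret is not None:
            issues.append("secret-attribute-present-with-secretRequired-false")
        findings.append({"port": attrs.get("port"), "secretRequired": required,
                         "secret_set": secret is not None, "issues": issues})
    return findings


if __name__ == "__main__":
    for props in ({"ajp.secretRequired": "false", "ajp.secret": ""},
                  {"ajp.secretRequired": "false"},
                  {"ajp.secretRequired": "true", "ajp.secret": "constructed-value"}):
        print(props, "->", audit_ajp(SERVER_XML, props))
```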