This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push: new e9a1f62317 Expand on security consequences of AJP being clear-text e9a1f62317 is described below commit e9a1f6231747f62f7d329e3f2f7afa9ec9a3352e Author: Mark Thomas <ma...@apache.org> AuthorDate: Fri Sep 6 09:05:36 2024 +0100 Expand on security consequences of AJP being clear-text --- webapps/docs/security-howto.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 6a371820e7..20bd81f062 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -216,8 +216,11 @@ <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080. Connectors that will not be used should be removed from server.xml.</p> - <p>AJP Connectors should only be used on trusted networks or be - appropriately secured with a suitable <code>secret</code> attribute.</p> + <p>AJP is a clear text protocol. AJP Connectors should normally only be + used on trusted networks. If used on an untrusted network, use of the + <code>secret</code> attribute will limit access to authorised clients but + the <code>secret</code> attribute will be visible to anyone who can + observe network traffic.</p> <p>AJP Connectors block forwarded requests with unknown request attributes. Known safe and/or expected attributes may be allowed by --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
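Review bot: the replacement paragraph in the hunk warns that the `secret` value is visible to anyone observing the traffic, but it stops short of stating the consequence the reader needs: an observer can reuse the captured value, so on an untrusted network the `secret` attribute limits casual access only and is not an authentication mechanism. It would also help to say that, because AJP is clear text, the forwarded requests themselves (headers, bodies and request attributes) are exposed as well, not just the secret, and to point to what actually protects such a deployment, for example restricting the listening interface with the connector's `address` attribute and carrying the AJP traffic over a network path that is itself encrypted. Consider extending the sentence to something like "the `secret` attribute will be visible to anyone who can observe network traffic, as will the forwarded requests; AJP traffic on an untrusted network must therefore be protected at the network layer."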