This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 7d7b4bc929 Expand on security consequences of AJP being clear-text 7d7b4bc929 is described below commit 7d7b4bc929b9a3d6c28e63cf674e39a1284c2aba Author: Mark Thomas <ma...@apache.org> AuthorDate: Fri Sep 6 09:05:36 2024 +0100 Expand on security consequences of AJP being clear-text --- webapps/docs/security-howto.xml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index e6a5e11809..c5ba633148 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -249,8 +249,11 @@ <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080. Connectors that will not be used should be removed from server.xml.</p> - <p>AJP Connectors should only be used on trusted networks or be - appropriately secured with a suitable <code>secret</code> attribute.</p> + <p>AJP is a clear text protocol. AJP Connectors should normally only be + used on trusted networks. If used on an untrusted network, use of the + <code>secret</code> attribute will limit access to authorised clients but + the <code>secret</code> attribute will be visible to anyone who can + observe network traffic.</p> <p>AJP Connectors block forwarded requests with unknown request attributes. Known safe and/or expected attributes may be allowed by --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
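Review bot: the new paragraph in the security-howto.xml hunk partly contradicts itself: it says the `secret` attribute "will limit access to authorised clients" and then, in the same sentence, that the secret is visible to anyone observing the traffic. Since AJP is clear text, a passive observer learns the secret and is no longer excluded, so the first clause overstates the protection. Suggest rephrasing to something like: "the `secret` attribute will reject connections from clients that do not know the secret, but because AJP is clear text an attacker who can observe the traffic can recover the secret and then connect". It would also help the reader if the paragraph named the actual mitigations for an untrusted network rather than only the limitation, e.g. binding the AJP connector to a trusted interface or carrying AJP over an encrypted tunnel, so that "should normally only be used on trusted networks" is followed by what to do when that is not possible.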