This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new ebc78c0a3b Expand on security consequences of AJP being clear-text
ebc78c0a3b is described below

commit ebc78c0a3b3b5d5c736c306254815736167e0e86
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Sep 6 09:05:36 2024 +0100

    Expand on security consequences of AJP being clear-text
---
 webapps/docs/security-howto.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 57001b806f..fc7d7290a7 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -249,8 +249,11 @@
       <p>By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
       Connectors that will not be used should be removed from server.xml.</p>
 
-      <p>AJP Connectors should only be used on trusted networks or be
-      appropriately secured with a suitable <code>secret</code> attribute.</p>
+      <p>AJP is a clear text protocol. AJP Connectors should normally only be
+      used on trusted networks. If used on an untrusted network, use of the
+      <code>secret</code> attribute will limit access to authorised clients but
+      the <code>secret</code> attribute will be visible to anyone who can
+      observe network traffic.</p>
 
       <p>AJP Connectors block forwarded requests with unknown request
       attributes. Known safe and/or expected attributes may be allowed by
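Review bot: The rewritten paragraph (the four `+` lines) correctly states that `secret` is visible to anyone observing the traffic, but it stops short of the conclusion the reader needs: because the whole protocol is clear text, not only the `secret` value but every forwarded request and response crosses the network unprotected, so `secret` limits which clients the connector will accept and gives no confidentiality. Consider ending the paragraph with a sentence to that effect, for example: "The <code>secret</code> attribute therefore restricts which clients may connect but does not protect the confidentiality of the forwarded traffic; on an untrusted network the AJP traffic itself must be protected by other means." Also, the commit message spells the term "clear-text" while the new text reads "clear text protocol"; pick one spelling (the hyphenated form reads better as an adjective before "protocol").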


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org