> I'm working on documenting ajp13, and I'm noticing that there doesn't seem to be any
>authentication step between the web server and the servlet container (in contrast to
>ajp11 and ajp12, both of which I believe had some sort of shared secret-based
>authenication step when
> opening up a TCP connection).
Great !
> Can anyone comment on this? Was this a deliberate choice?
Except on case, all AJP13 request ( and AJP12, AJP11 as well ) are
equivalent with the HTTP request sent by the user ( in a binary format
that is easier to parse ).
There is no difference between a user sending an arbitrary HTTP request to
the server and the user sending the same request encoded as AJP13.
The "exceptional" case is the shutdown message - where only localhost is
allowed.
It is not difficult to add a check, and it will become very important when
the protocol will be extended with real callbacks ( i.e. will be more than
a proxy ) and will use the "pre-processed" informations from the server.
For AJP13 the performance impact is minimal ( since it is reusing the
connection, and you need to authenticate only once ), for AJP12 it is a
significant pain ( but AJP12 is unlikely to support any advanced features,
so it'll act as a simple proxy protocol )
I don't think we have a problem right now, but it will become a real
problem if we add features to AJP13 - so the first feature should be
authentication :-).
Costin
