>From what I have read, it seems that the AJP connector is not secure, and is >meant to be used in a protective environment. There are lots of things that >imply this, like no SSL settings and such, but I cannot find it directly >stated anywhere. I am pretty confident in my read of this, but it is, of >course, difficult to say that "all options have been explored and it is not >possible".
First of all, am I correct in my assertion that it cannot be made secure? And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like: https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected enviroments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing. Mark Claassen Senior Software Engineer Donnell Systems, Inc. 130 South Main Street Leighton Plaza Suite 375 South Bend, IN 46601 E-mail: mailto:mclaas...@ocie.net Voice: (574)232-3784 Fax: (574)232-4014 Disclaimer: The opinions provided herein do not necessarily state or reflect those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal liability or responsibility for the posting.
