Dave,
On 3/5/20 06:21, Dave Ford wrote:
> On Wed, 2020-03-04 at 13:19 -0500, Christopher Schultz wrote:
>>
>>> We're in the same position as you. External web servers
>>> talking to Tomcat servers on other boxes via AJP.
>>
>> Are those connections properly secured?
>
> That's not a tremendously helpful question. Which connections are
> you talking about? How do you propose 'securing' an AJP
> connection?

There are many ways, the most obvious being mutually-authenticated TLS
using something like stunnel. Or do you usually just allow plain-text
protocol communication over open networks?

>> If your connections are properly-secured, simply set
>> secretRequired="false" and move on. If they aren't
>> properly-secured, then you need to fix that (and you had to fix
>> that before this recent announcement).
>
> Can you point the ill-informed amongst us to any helpful resources
> you may have that describe what you mean by 'properly secured'?

Imagine that you are using HTTP as a proxying protocol and that the
origin server takes special HTTP headers and converts those into e.g.
client connection information, authentication details (e.g. username +
"yep they are authenticated! trust me!"), and request attributes and
just goes ahead and trusts them.

Now, how are you going to secure that connection to make sure that an
adversary doesn't inject Bad Stuff into your origin server?

There is nothing special about AJP that makes it any different in terms
of securing, except that there is no ajps:// protocol. If you want
ajps:// you have to tunnel ajp:// through something else, which is why
I recommend stunnel.
-chris
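What the stunnel tunnelling suggested above looks like in practice, as an added example that is not part of the original message or of any Tomcat or stunnel documentation. Hostnames, ports, certificate paths and the CA are all assumed for illustration; the option names are stunnel 5.x. The web server's AJP proxy (e.g. mod_proxy_ajp with `ProxyPass / ajp://127.0.0.1:8009/`) talks only to the local stunnel client, and the Tomcat AJP connector is bound to loopback (`<Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secretRequired="false" />`) so that only the local stunnel server can reach it:

```ini
; --- stunnel.conf on the web-server host (TLS client side) ---
; Global options come before the first [service] section.
; All paths, names and ports below are hypothetical.
cert   = /etc/stunnel/web-host.crt      ; this host's client certificate
key    = /etc/stunnel/web-host.key
CAfile = /etc/stunnel/internal-ca.crt   ; private CA that issued both ends' certs
verify = 2                              ; require a peer certificate and verify it against CAfile
client = yes                            ; this instance initiates TLS

[ajp-tls]
accept    = 127.0.0.1:8009              ; the web server proxies to ajp://127.0.0.1:8009
connect   = tomcat.internal.example:8010 ; TLS to the Tomcat host's stunnel
checkHost = tomcat.internal.example     ; also pin the server cert's hostname

; --- stunnel.conf on the Tomcat host (TLS server side) ---
cert   = /etc/stunnel/tomcat-host.crt
key    = /etc/stunnel/tomcat-host.key
CAfile = /etc/stunnel/internal-ca.crt
verify = 2                              ; mutual TLS: reject clients without a CA-issued cert

[ajp-tls]
accept  = 0.0.0.0:8010                  ; the only AJP-related port exposed on the network
connect = 127.0.0.1:8009                ; Tomcat's AJP connector, bound to loopback only
```

With `verify = 2` on both sides, a peer that cannot present a certificate signed by the internal CA is dropped at the TLS handshake, so the plaintext AJP stream (and the trusted request attributes it carries) never leaves loopback on either box. Keep the loopback binding and a host firewall on 8009 regardless; the tunnel only helps if nothing else can reach the connector directly.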