On 3/4/20 05:55, Dave Ford wrote:
> On Fri, 2020-02-28 at 13:39 +0000, Rathore, Rajendra wrote:
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector
>> is configured with secretRequired="true" but the secret attribute
>> is either null or "". This combination is not valid.
>
> Are you talking to this via an apache webserver using
> mod_proxy_ajp? Only, the current stable release of apache (2.4.41)
> doesn't support 'secret' AFAIK.
>
> See
>
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
>
> and
>
> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=53098
>
> Note the above 'bug' in Apache is only 12 years old :-(

It is actually just under 8 years old. The initial release of Apache httpd 2.4 was on 2012-02-21 and this enhancement request was filed by Dmitry on 2012-04-18, 2 months later.

The httpd team takes stability VERY seriously and it looks like there was basically zero interest in applying this patch for the following (nearly) 8 years.

Most AJP connections are being used as a proxying protocol across "trusted" networks, and so the whole "secret" thing is just a small band-aid to keep unauthorized users out. The "secret" provides about as much security as putting a sign on the front door of your home which says "please don't come in unless invited," and then not bothering to put a lock on the door.

If you are considering locking-down your AJP endpoints by requiring a "secret" then you are probably not really locking-down your AJP endpoints. You are only pretending to do so.

-chris
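
Added example, not part of the original message and not Tomcat's own code: a small check over a server.xml that reports the two conditions discussed in this thread, the secretRequired="true" with empty secret combination from the quoted exception, and an AJP connector explicitly bound to a non-loopback address. The sample XML, its ports and the secret value are constructed; a connector with no address attribute is left unjudged, on the assumption that its default bind depends on the Tomcat version.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" secretRequired="true"/>
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="true" secret="constructed-example-value"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="constructed-example-value"/>
  </Service>
</Server>
"""


def is_loopback(address):
    """True for a literal loopback IP or the name 'localhost'."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address == "localhost"


def audit_ajp_connectors(server_xml):
    """Return {port: [findings]} for every AJP <Connector> in server_xml."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches both protocol="AJP/1.3" and AJP protocol class names.
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        issues = []
        secret = conn.get("secret") or ""
        # The combination the quoted IllegalArgumentException rejects.
        if conn.get("secretRequired", "").lower() == "true" and not secret:
            issues.append("secretRequired=true with empty secret")
        # A secret is not a network control: flag explicit non-loopback binds.
        # Assumption: an absent address attribute is not judged here.
        address = conn.get("address")
        if address is not None and not is_loopback(address):
            issues.append("listens on non-loopback address " + address)
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or "ok")
```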