On 3/4/20 05:55, Dave Ford wrote:
> On Fri, 2020-02-28 at 13:39 +0000, Rathore, Rajendra wrote:
>> Caused by: java.lang.IllegalArgumentException: The AJP Connector
>> is configured with secretRequired="true" but the secret attribute
>> is either null or "". This combination is not valid.
>
> Are you talking to this via an apache webserver using
> mod_proxy_ajp? Only, the current stable release of apache (2.4.41)
> doesn't support 'secret' AFAIK.
>
> See
>
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
>
> and
>
> https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=53098
>
> Note the above 'bug' in Apache is only 12 years old :-(

It is actually just under 8 years old.

The initial release of Apache httpd 2.4 was on 2012-02-21 and this
enhancement request was filed by Dmitry on 2012-04-18, 2 months later.

The httpd team takes stability VERY seriously and it looks like there
was basically zero interest in applying this patch for the following
(nearly) 8 years.

Most AJP connections are being used as a proxying protocol across
"trusted" networks, and so the whole "secret" thing is just a small
band-aid to keep unauthorized users out.

The "secret" provides about as much security as putting a sign on the
front door of your home which says "please don't come in unless
invited," and then not bothering to put a lock on the door.

If you are considering locking-down your AJP endpoints by requiring a
"secret" then you are probably not really locking-down your AJP
endpoints. You are only pretending to do so.

-chris
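The connector settings behind the exception quoted at the top of the thread, as an added example that is not part of the original messages and not taken from Tomcat's own documentation. It shows the combination Tomcat rejects next to two combinations it accepts, with the listener bound to the loopback interface so that the network binding, not the secret, is what keeps remote hosts out. The port, address, secret value and application path are made up for the example.

```xml
<!-- Tomcat server.xml, AJP connector section. Added example, not from the thread. -->

<!-- 1. The combination the thread reports as rejected at startup:
        secretRequired="true" with no secret attribute. Tomcat refuses to
        start this connector and throws the IllegalArgumentException
        quoted at the top of the thread. -->
<!--
<Connector protocol="AJP/1.3"
           port="8009"
           secretRequired="true" />
-->

<!-- 2. A connector that starts: a shared secret is set, and the listener is
        bound to the loopback address so only a reverse proxy on the same
        host can reach it. The binding is the lock on the door; the secret
        is only a string that the proxy must repeat on every forwarded
        request. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="example-shared-secret-change-me" />

<!-- 3. The other combination Tomcat accepts: explicitly opting out of the
        secret. Defensible only when the connector is bound to an interface
        that untrusted hosts cannot reach, as here. -->
<!--
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="false" />
-->
```

On the httpd side the matching directive for configuration 2 is `ProxyPass "/app" "ajp://127.0.0.1:8009/app" secret=example-shared-secret-change-me`, which assumes a mod_proxy_ajp release that accepts the `secret` parameter; as Dave notes above, 2.4.41 does not, so on that release only configuration 3 will work. To confirm the lock is actually on, list the listening sockets on the Tomcat host (for example with `ss -ltn`) and check that port 8009 is bound to the loopback address rather than to all interfaces.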
