André,

On 9/19/2011 8:43 AM, André Warnier wrote:
> If your Tomcat server is accessible via other channels than from
> the Apache front-end, then this is of course a security hole, since
> anyone can forge such an HTTP header and send it to Tomcat.

+1

> So I would only use this in conjunction with a RemoteAddress Valve,
> or by having Tomcat listening only on an IP address which only the
> Apache host can access. (Or encrypting/decrypting the header, but
> that is more of a hassle.)

You could also use mod_headers to remove any X-Forwarded-User headers
that come from the client before adding it yourself, but then you only
protect against connections actually coming from your trusted servers.
André's solution is better.

> Essentially mod_jk and mod_proxy_ajp have the same issue, but the
> AJP protocol is a bit more difficult to handle and play with than
> straight HTTP.

Correct. You can't spoof trusted AJP info the way you can put just
anything you want in the HTTP headers (at least, once you upgrade to the
latest Tomcat that fixes CVE-2011-3190).

-chris
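As an added illustration of the Tomcat-side fix discussed above (this is example configuration, not something posted in the thread or shipped by the Tomcat project): a server.xml fragment with the weak connector setting shown commented out beside the corrected one, plus the RemoteAddrValve that rejects any peer other than the Apache front end. It assumes httpd and Tomcat run on the same host, so the trusted peer is 127.0.0.1; the port numbers are the defaults.

```xml
<!-- Added example, not from the original message. Assumes Apache httpd
     proxies to Tomcat over HTTP on the same machine (peer 127.0.0.1). -->
<Service name="Catalina">

  <!-- Weak: no "address" attribute means the connector listens on every
       interface, so any host that can reach port 8080 can send its own
       X-Forwarded-User header straight to Tomcat, bypassing httpd's
       authentication entirely.
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  -->

  <!-- Corrected (part 1): bind only to the loopback address, so the only
       path to Tomcat is through the httpd instance on this host. -->
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             address="127.0.0.1" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Corrected (part 2): even if the binding is later widened, accept
         requests only from the Apache host. "allow" is a regular
         expression matched against the peer address; if the connector
         were bound to an IPv6 address the IPv6 loopback form would need
         to be listed here as well. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="127\.0\.0\.1" />

    <Host name="localhost" appBase="webapps" unpackWARs="true"
          autoDeploy="true" />
  </Engine>
</Service>
```

The httpd side of the same arrangement, following the mod_headers suggestion in the message, would be `RequestHeader unset X-Forwarded-User early` (drop whatever the client sent) followed by `RequestHeader set X-Forwarded-User "expr=%{REMOTE_USER}"` inside the authenticated `<Location>` that does the `ProxyPass`; the `expr=` form needs httpd 2.4.10 or later. That only protects requests that pass through httpd, which is why the connector binding and the valve above are the controls that actually close the hole.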