This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push: new 235666f Fix AJP Connector when requests forwarded from IIS originally use TLS 235666f is described below commit 235666fe9db4c58e4ba06f41732d96f900544269 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Feb 26 12:34:11 2020 +0000 Fix AJP Connector when requests forwarded from IIS originally use TLS Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept. --- java/org/apache/coyote/ajp/AjpProcessor.java | 18 ++++++++++++++++++ webapps/docs/changelog.xml | 4 ++++ webapps/docs/config/ajp.xml | 9 +++++++++ 3 files changed, 31 insertions(+)
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index ebe1353..9db523b 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -27,7 +27,9 @@ import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -84,6 +86,7 @@ public class AjpProcessor extends AbstractProcessor {
 private static final Map<String,String> jakartaAttributeMapping;
+ private static final Set<String> iisTlsAttributes;
 static {
@@ -138,6 +141,18 @@ public class AjpProcessor extends AbstractProcessor {
 m.put("javax.servlet.request.ssl_session", "jakarta.servlet.request.ssl_session");
 m.put("javax.servlet.request.X509Certificate", "jakarta.servlet.request.X509Certificate");
 jakartaAttributeMapping = Collections.unmodifiableMap(m);
+
+ Set<String> s = new HashSet<>();
+ s.add("CERT_ISSUER");
+ s.add("CERT_SUBJECT");
+ s.add("CERT_COOKIE");
+ s.add("HTTPS_SERVER_SUBJECT");
+ s.add("CERT_FLAGS");
+ s.add("HTTPS_SECRETKEYSIZE");
+ s.add("CERT_SERIALNUMBER");
+ s.add("HTTPS_SERVER_ISSUER");
+ s.add("HTTPS_KEYSIZE");
+ iisTlsAttributes = Collections.unmodifiableSet(s);
 }
@@ -754,6 +769,9 @@ public class AjpProcessor extends AbstractProcessor {
 // AJP uses the Java Servlet attribute names.
 // Need to convert these to Jakarta Servlet.
 request.setAttribute(jakartaAttributeMapping.get(n), v);
+ } else if (iisTlsAttributes.contains(n)) {
+ // Allow IIS TLS attributes
+ request.setAttribute(n, v);
 } else {
 // All 'known' attributes will be processed by the previous
 // blocks. Any remaining attribute is an 'arbitrary' one.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index dd93f38..60c9097 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -79,6 +79,10 @@
 Improve robustness of OpenSSLEngine shutdown. Based on code submitted by Manuel Dominguez Sarmiento. (remm)
 </fix>
+ <fix>
+ Add the TLS request attributes used by IIS to the attributes that an AJP
+ Connector will always accept. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Cluster">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 9760e80..12b554d 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
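Review bot: The new `else if (iisTlsAttributes.contains(n))` branch in the `@@ -754` hunk copies the nine IIS names into the request unconditionally and unvalidated, so they bypass `allowedRequestAttributesPattern` for every AJP peer, not only IIS, and neither the code comment nor the ajp.xml list says so. An application that reads `CERT_SUBJECT` or `CERT_SERIALNUMBER` for an identity decision is therefore trusting whatever the AJP sender supplied, which holds only when the connector is reachable solely by the intended proxy (`secret`/`secretRequired`, bind address). I would expand the comment to `// IIS TLS attributes: always accepted; values are passed through unvalidated and are only as trustworthy as the AJP peer` and add one sentence to the same effect beside the "(IIS only)" entries in ajp.xml. The if/else chain this branch belongs to starts and ends outside the hunk.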
@@ -330,6 +330,15 @@
 <li>AJP_REMOTE_PORT</li>
 <li>AJP_SSL_PROTOCOL</li>
 <li>JK_LB_ACTIVATION</li>
+ <li>CERT_ISSUER (IIS only)</li>
+ <li>CERT_SUBJECT (IIS only)</li>
+ <li>CERT_COOKIE (IIS only)</li>
+ <li>HTTPS_SERVER_SUBJECT (IIS only)</li>
+ <li>CERT_FLAGS (IIS only)</li>
+ <li>HTTPS_SECRETKEYSIZE (IIS only)</li>
+ <li>CERT_SERIALNUMBER (IIS only)</li>
+ <li>HTTPS_SERVER_ISSUER (IIS only)</li>
+ <li>HTTPS_KEYSIZE (IIS only)</li>
 </ul>
 <p>The AJP protocol supports the passing of arbitrary request attributes. Requests containing arbitrary request attributes will be rejected with a
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org