This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push: new 0d4255d Fix AJP Connector when requests forwarded from IIS originally use TLS 0d4255d is described below commit 0d4255dabddcc0dddf58c75dc258b8aeca38d232 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Feb 26 12:34:11 2020 +0000 Fix AJP Connector when requests forwarded from IIS originally use TLS Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept.
---
 java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 16 ++++++++++++++++
 webapps/docs/changelog.xml | 8 ++++++++
 webapps/docs/config/ajp.xml | 9 +++++++++
 3 files changed, 33 insertions(+)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
index e68b458..5be3af1 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -85,6 +85,7 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
 private static final Set<String> javaxAttributes;
+ private static final Set<String> iisTlsAttributes;
 static {
@@ -135,6 +136,18 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
 s.add("javax.servlet.request.ssl_session");
 s.add("javax.servlet.request.X509Certificate");
 javaxAttributes= Collections.unmodifiableSet(s);
+
+ Set<String> iis = new HashSet<String>();
+ iis.add("CERT_ISSUER");
+ iis.add("CERT_SUBJECT");
+ iis.add("CERT_COOKIE");
+ iis.add("HTTPS_SERVER_SUBJECT");
+ iis.add("CERT_FLAGS");
+ iis.add("HTTPS_SECRETKEYSIZE");
+ iis.add("CERT_SERIALNUMBER");
+ iis.add("HTTPS_SERVER_ISSUER");
+ iis.add("HTTPS_KEYSIZE");
+ iisTlsAttributes = Collections.unmodifiableSet(iis);
 }
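Review bot: The new `iisTlsAttributes` set in the `@@ -135,6 +136,18 @@` hunk is an allow-list at the AJP trust boundary, but nothing in the code says where the nine names come from or that membership exempts an attribute from the arbitrary-attribute check. A later maintainer adding a name here would widen what the connector always accepts without any prompt to update the documentation. I would add a comment above the set such as `// TLS request attributes sent by IIS. Always accepted; keep in sync with the list in webapps/docs/config/ajp.xml.` The static initializer starts before this hunk, so only its tail is visible here.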
@@ -893,6 +906,9 @@ public abstract class AbstractAjpProcessor<S> extends AbstractProcessor<S> {
 request.setAttribute(n, v);
 } else if (javaxAttributes.contains(n)) {
 request.setAttribute(n, v);
+ } else if (iisTlsAttributes.contains(n)) {
+ // Allow IIS TLS attributes
+ request.setAttribute(n, v);
 } else {
 // All 'known' attributes will be processed by the previous
 // blocks. Any remaining attribute is an 'arbitrary' one.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 10d3845..66b009b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,14 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Add the TLS request attributes used by IIS to the attributes that an AJP
+ Connector will always accept. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 </section>
 <section name="Tomcat 7.0.100 (violetagg)" rtext="released 2020-02-14">
 <subsection name="Catalina">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index b3dd171..43f202d 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -321,6 +321,15 @@
 <li>AJP_REMOTE_PORT</li>
 <li>AJP_SSL_PROTOCOL</li>
 <li>JK_LB_ACTIVATION</li>
+ <li>CERT_ISSUER (IIS only)</li>
+ <li>CERT_SUBJECT (IIS only)</li>
+ <li>CERT_COOKIE (IIS only)</li>
+ <li>HTTPS_SERVER_SUBJECT (IIS only)</li>
+ <li>CERT_FLAGS (IIS only)</li>
+ <li>HTTPS_SECRETKEYSIZE (IIS only)</li>
+ <li>CERT_SERIALNUMBER (IIS only)</li>
+ <li>HTTPS_SERVER_ISSUER (IIS only)</li>
+ <li>HTTPS_KEYSIZE (IIS only)</li>
 </ul>
 <p>The AJP protocol supports the passing of arbitrary request attributes. Requests containing arbitrary request attributes will be rejected with a
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
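Review bot: In the `@@ -893,6 +906,9 @@` hunk of AbstractAjpProcessor.java, the new `iisTlsAttributes.contains(n)` branch stores client-certificate attributes such as `CERT_SUBJECT`, `CERT_ISSUER` and `CERT_SERIALNUMBER` exactly as the AJP peer sent them. As far as the hunk shows, nothing ties acceptance to the front end being IIS or to the request having arrived over TLS. An application that reads these attributes for an identity or authorization decision is therefore trusting whatever can connect to the AJP port, and the comment `// Allow IIS TLS attributes` does not convey that. I would expand it to `// Allow IIS TLS attributes. Values are taken as sent by the AJP peer and are not verified here.` The "(IIS only)" entries in webapps/docs/config/ajp.xml should also state that the names are accepted from any peer. The enclosing method starts and ends outside this hunk.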