Hi Florian.

The log below shows clearly "The AJP Connector is configured with secretRequired="true"".
This probably comes from the fact that in your AJP Connector configuration, you either
- have an explicit secretRequired="true" attribute
or
- do not mention this attribute, and it defaults to "true"

To get the previous behaviour (without secret), you now *must* specify: secretRequired="false". This is one of the changes in the latest Tomcat versions compared to the previous ones, and it was motivated by security reasons.
So I doubt that there is any chance for that change to be reversed.
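
The start-up rule described above (secretRequired defaults to "true" in the post-Ghostcat releases, and together with an empty secret the connector refuses to start) and Chris's question further down the thread about whether the AJP interface is actually secured can both be checked mechanically against a server.xml. The following Python script is an added example, not code from the Tomcat project or from anyone in this thread. The server.xml it parses is constructed for the example; the finding texts, the 16-character minimum secret length and the placeholder secret value are this example's own choices. It flags only an explicitly non-loopback address attribute and leaves an absent address alone, because the default bind address differs between Tomcat versions.

```python
"""Audit the AJP <Connector> elements of a Tomcat server.xml.

Added example (not Tomcat project code). Reproduces the start-up rule quoted
in the thread (secretRequired defaults to "true"; together with a null or
empty secret the connector refuses to start) and adds the checks a reviewer
would want before accepting secretRequired="false" as the fix.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: three AJP connectors plus one HTTP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- 1: the thread's configuration; secretRequired left at its default -->
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" />
    <!-- 2: starts, but accepts unauthenticated AJP on every interface -->
    <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
    <!-- 3: shared secret, loopback only (placeholder secret value) -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_SECRET_LEN = 16  # this example's own threshold, not a Tomcat rule


def is_ajp(conn):
    """True for protocol="AJP/1.3" or an explicit Ajp protocol handler class."""
    proto = conn.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or "Ajp" in proto


def will_start(conn):
    """Tomcat's start-up validation as quoted in the stack trace:
    secretRequired (default "true") with a null/empty secret is invalid."""
    required = conn.get("secretRequired", "true").lower() == "true"
    return not (required and conn.get("secret", "") == "")


def audit_connector(conn):
    """Return a list of finding strings for one AJP connector (empty = OK)."""
    findings = []
    port = conn.get("port", "?")
    required = conn.get("secretRequired", "true").lower() == "true"
    secret = conn.get("secret", "")
    address = conn.get("address")  # absent: left alone, default varies by version

    if not will_start(conn):
        findings.append(f"port {port}: secretRequired=true with empty secret; connector will not start")
    if not required:
        findings.append(f"port {port}: secretRequired=false; any client that can reach the port may send AJP requests")
    if address is not None and address not in LOOPBACK:
        findings.append(f"port {port}: bound to {address}; restrict to loopback or a private interface")
    if secret and len(secret) < MIN_SECRET_LEN:
        findings.append(f"port {port}: secret is only {len(secret)} characters")
    return findings


def audit_server_xml(text):
    """Map each AJP connector's port to its list of findings."""
    root = ET.fromstring(text)
    return {conn.get("port"): audit_connector(conn)
            for conn in root.iter("Connector") if is_ajp(conn)}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"AJP connector on port {port}:")
        for line in findings or ["no findings"]:
            print("  " + line)
```

To use it on a real installation, read $CATALINA_BASE/conf/server.xml instead of the constructed sample. Connector 1 reproduces the failure in the thread, connector 2 is what secretRequired="false" alone buys you, and connector 3 is the shape to aim for once the httpd side can send the matching secret, which, as Chris notes below, only a newer mod_proxy_ajp supports.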


On 20.03.2020 13:49, Fritze, Florian wrote:
Just to make it clear what, in my opinion, the problem is:

SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8011]]
        org.apache.catalina.LifecycleException: Der Start des Protokoll-Handlers ist fehlgeschlagen
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
        Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
                ... 12 more

This new "secretRequired" attribute prevents Tomcat from starting flawlessly. It was first introduced with the Ghostcat release.
So this is a wish from me to the Tomcat developers: please make this new attribute optional rather than mandatory, so that I can run the newest Tomcat without this attribute, as I do now with the pre-Ghostcat releases.

Have a nice weekend
Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de


-----Original Message-----
From: André Warnier (tomcat/perl) <a...@ice-sa.com>
Sent: Friday, 20 March 2020 13:34
To: users@tomcat.apache.org
Subject: Re: AW: AW: AJP Connector issue

Ok, so it looks like:
- the request is effectively reaching tomcat, and it is tomcat sending back the 403 response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and tomcat are running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on the list, with some request attributes which tomcat did not like...
But I do not remember precisely what the issue was, and it also seems to me that this concerned an IIS front-end, not Apache httpd.

Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to tomcat.
Which raises the question of why you have an httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)


On 20.03.2020 11:07, Fritze, Florian wrote:
Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

    _____

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine Autorisierung.

    _____

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 
Edg/80.0.361.69"

- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
"https://dev-fordatis.fraunhofer.de/"; "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"



The Tomcat says:

- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630

- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630



The server on which all is running is:

Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux



There is no new entry in the Apache HTTPD error.log concerning these requests.



Help is appreciated

Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de





-----Original Message-----
From: André Warnier (tomcat/perl) <a...@ice-sa.com>
Sent: Friday, 20 March 2020 10:14
To: users@tomcat.apache.org
Subject: Re: AW: AJP Connector issue



On 20.03.2020 08:23, Fritze, Florian wrote:

Hello Chris,

thanks for the reply. Maybe I am doing something wrong, but setting secretRequired="false" does not solve my issue. Let me show you what I did and experience: I added <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" /> to the Tomcat configuration and the ajp connector on the Apache HTTPD side connects to 8011. When I now visit my website I get HTTP Status 403 – Forbidden

And just to make diagnosis a bit quicker: does that 403 error page look like an Apache httpd page, or a tomcat page? (they look quite different in style).

Also, can you check both the httpd logs and the tomcat logs for that request, and check what they say? (compare by timestamp and URI)

Also, under what OS does your front-end httpd run?

I attached also the error page as a screenshot to this mail. This behaviour exists only since the Ghostcat fix release (I know that this has nothing to do with the security fix but probably with the release itself).

Thanks in advance
Florian



--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, 19 March 2020 20:14
To: users@tomcat.apache.org
Subject: Re: AJP Connector issue






Florian,

On 3/19/20 07:43, Fritze, Florian wrote:

since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) I as an admin have the problem using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to connect the Apache HTTPD with the Tomcat running on localhost. The attribute secretRequired must be set to "true" or "false"; with "false" set the connection is not possible between Tomcat and Apache HTTPD.

When you have set secretRequired="false", it's not possible to connect? When you try to connect, what DOES happen?

With "true" the Apache development is not ready in the current version to work with the "secret" attribute. Only the next version of Apache 2.4 supports this attribute.

Correct. Support for secret= in mod_proxy_ajp was evidently never really a priority for anybody until now.

So I want to use the newest Tomcat version and an AJP connector, but after the Ghostcat fix release there is this attribute which does not work in my configuration.

Are there any suggestions or solutions available that you can deliver me (links or documentation, etc.)?

secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just anybody can make requests through your AJP interface. Have you secured that interface from potential evildoers?

-chris




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






