In 3.x, the Ajp12 and Ajp13 Connectors currently accept connections from
anywhere. People have proposed adding the ability to have an accept/deny
list in the configs, but it hasn't been done (the Java code for this would
be pretty easy, actually), and it would be backward compatible with the
mod_jk C code (which wouldn't need to know about it at all, actually).
As a minimal form of security, both connectors will only accept a shutdown
if it issued from the same host as TC is running on (e.g. if
socket.getLocalAddress and socket.getInetAddress are the same). Costin
recently added an optional 'secret' -- either user-set or randomly generated
by TC. If user-set, it can be added to worker.properties (I think), or if
randomly generated, it can be read from a specific file in the config dir
(the same way that httpd.pid can be read by apachectl). If useSecret is
set, then the shutdown request is only acted on if it is followed by the
secret.
I don't know if Costin has documented this or not -- I haven't looked.
With ajp13, the server is basically proxying requests, so some security
issues don't arise. The biggest gotcha I'm aware of is that TC trusts the
web server to establish the remote_user property (which the user might need
to authenticate to prove). So someone could manufacture an ajp13 connection
which would allow them to access servlets that they should be denied. I
haven't actually created this exploit, but I believe the vulnerability is
there.
The spec for the Ajp2.1 (which was not, AFAIK, ever implemented) has an
excellent section discussing "Security Hazards". Anyone interested can
check that out at:
http://java.apache.org/jserv/protocol/AJPv21.html
-Dan
Glenn Nielsen wrote:
>
> I have a general question about restricting access from remote hosts
> to common connectors used by Tomcat 3.x and Tomcat 4.0.
>
> Tomcat 3.x will use port 8007 for its Apache ajp12 connector, is there anyway
> to configure Tomcat 3.x so it will only accept connections on that port
> from localhost or a single remote host? What about shutdown, does the
> port only accept requests from localhost?
>
> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> connections from localhost? Is this configurable?
>
> Tomcat 4.0 will use port 8008 for its Warp Connector. Can this be filtered
> using the Request Filter Valve? The docs for the Request Filter refer to
> denying HTTP requests.
>
> Regards,
>
> Glenn
>
> ----------------------------------------------------------------------
> Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
> MOREnet System Programming | * if iz ina coment. |
> Missouri Research and Education Network | */ |
> ----------------------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
--
Dan Milstein // [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
