On 23.03.20 15:07, Mark Thomas wrote:
> On 23/03/2020 14:02, Fritze, Florian wrote:
>> Maybe I am making it too easy but if you or another tomcat developer could 
>> prevent the newest Tomcat from throwing this exception: 
>>
>> org.apache.catalina.core.StandardService.startInternal Failed to start 
>> connector [Connector[AJP/1.3-8011]]
>>      org.apache.catalina.LifecycleException: Der Start des 
>> Protokoll-Handlers ist fehlgeschlagen
>>              at 
>> org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>>              at 
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>              at 
>> org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>>              at 
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>              at 
>> org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>>              at 
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>              at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>              at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>              at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>              at java.lang.reflect.Method.invoke(Method.java:498)
>>              at 
>> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>              at 
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>>      Caused by: java.lang.IllegalArgumentException: The AJP Connector is 
>> configured with secretRequired="true" but the secret attribute is either 
>> null or "". This combination is not valid.
>>              at 
>> org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>>              at 
>> org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>>              ... 12 more
>>
>> This could solve the problem for me: Please just let the tomcat run through 
>> and do not let it check for the validation criterion.
> Sorry, no.
>
> Research indicated that a large number of Tomcat users were running an
> AJP connector in an insecure configuration. The Tomcat team made a
> deliberate choice to break those configurations and require users to
> make configuration changes either to secure those configurations or to
> explicitly allow the insecure ones.

I applaud this decision. I believe that the error message is clear
enough to point to the root cause - and with the public awareness of the
Ghostcat vulnerability and necessity to patch, the release notes are
quite clear about the changed defaults.

The only change that I'd assume could help is to add a comment to
server.xml, next to the commented-out AJP-Connector, that states: "This
configuration isn't complete - read the documentation, particularly
'secretRequired', 'secret', ... to learn about the proper settings". But
even if that doesn't go in, the necessary change should be found quickly
given the above error message.

Olaf