httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
Date Tue, 12 Apr 2016 10:31:41 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

--- Comment #13 from Yann Ylavic <ylavic.dev@gmail.com> ---
(In reply to jdennis@redhat.com from comment #12)
> Now back to the actual topic of this bug. A simple non-controversial patch
> has been available since this bug was opened 4 years ago. Yet 4 years later
> it still has not been applied. Why?

Maybe because a stronger authentication method is possible by using an https
connector? Not ajps though (I stand corrected!), but AFAICT current Tomcat
versions can be configured to use https and hence TLS authentication.

Please keep in mind that committers are volunteers here, with limited time
devoted to most important tasks, in their opinion...

The point is, IMHO, that a secret sent in clear text is not very secure.
Either the network between httpd and tomcat is controlled and a (weak)
authentication is not needed, or the network is unsafe and a stronger
authentication is required.
