tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Ajp13 Security
Date Fri, 01 Dec 2000 21:19:44 GMT
> I'm working on documenting ajp13, and I'm noticing that there doesn't seem to be any authentication
step between the web server and the servlet container (in contrast to ajp11 and ajp12, both
of which I believe had some sort of shared secret-based authenication step when
> opening up a TCP connection).

Great ! 

> Can anyone comment on this?  Was this a deliberate choice?  

Except on case, all AJP13 request ( and AJP12, AJP11 as well ) are
equivalent with the HTTP request sent by the user ( in a binary format
that is easier to parse ).

There is no difference between a user sending an arbitrary HTTP request to
the server and the user sending the same request encoded as AJP13.
The "exceptional" case is the shutdown message - where only localhost is
It is not difficult to add a check, and it will become very important when
the protocol will be extended with real callbacks ( i.e. will be more than
a proxy ) and will use the "pre-processed" informations from the server.

For AJP13 the performance impact is minimal ( since it is reusing the
connection, and you need to authenticate only once ), for AJP12 it is a
significant pain ( but AJP12 is unlikely to support any advanced features,
so it'll act as a simple proxy protocol )

I don't think we have a problem right now, but it will become a real
problem if we add features to AJP13 - so the first feature should be
authentication :-).


View raw message