tomcat-dev mailing list archives

From Dan Milstein <>
Subject Ajp13 Security
Date Fri, 01 Dec 2000 19:18:25 GMT

I'm working on documenting ajp13, and I'm noticing that there doesn't seem to be any authentication
step between the web server and the servlet container (in contrast to ajp11 and ajp12, both
of which I believe had some sort of shared secret-based authentication step when opening up
a TCP connection).

Can anyone comment on this?  Was this a deliberate choice?  I've done some searching through
the mailing list archives with no great success.

The scenario I'm imagining is:

 - Administrator sets up Apache, mod_jk and Tomcat (on the same machine, say).  By default,
mod_jk and Tomcat communicate over port 8008 (I think).  Because the admin doesn't know any
better (and because the docs don't specify this), they don't set up their firewall to block
traffic to that port.

 - Attacker can then open up connections directly to Tomcat, pretending to be Apache, and
can specify such things as 'remote_user', which, for some web apps, would convince Tomcat
that Apache had successfully authenticated the user.

What do you all think?



Dan Milstein //
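The exposure described in the message (an AJP listener reachable by anyone who can open a TCP connection to it) is something an administrator can check for on the container host. The following is an added example, not code from the original thread or from the Tomcat project: it parses the output of `ss -ltn` on Linux and reports every listener on an AJP port that is not bound to a loopback address. The `ss` output embedded below is constructed for the example, and the port set (8008 as named in the message, plus 8009, the default AJP port in later Tomcat releases) is an assumption to adjust to the local configuration.

```python
"""Flag AJP listeners that are reachable from beyond the loopback interface.

Parses `ss -ltn` output and reports every TCP listener on an AJP port whose
local address is not loopback. Such a listener accepts AJP connections from
any host the firewall lets through, which is the scenario in the message.
"""
import ipaddress

# Ports conventionally used for AJP (assumption: 8008 is the port named in
# the message; 8009 is the default in later Tomcat releases).
AJP_PORTS = frozenset({8008, 8009})

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:8009       0.0.0.0:*
LISTEN  0       100     0.0.0.0:8008         0.0.0.0:*
LISTEN  0       100     [::1]:8009           [::]:*
LISTEN  0       100     *:8009               *:*
LISTEN  0       100     [::]:8080            [::]:*
"""


def split_local_address(field):
    """Split ss's 'addr:port' field into (address, port).

    IPv6 addresses are bracketed ('[::1]:8009'); '*' means all interfaces.
    """
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr):
    """True if the listener can only be reached from the local host."""
    if addr in ("*", ""):          # wildcard: bound on every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False               # hostnames or unknown forms: treat as exposed


def exposed_ajp_listeners(ss_output, ajp_ports=AJP_PORTS):
    """Return (address, port) for every AJP listener not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue               # skip the header and non-listening sockets
        addr, port = split_local_address(fields[3])
        if port in ajp_ports and not is_loopback(addr):
            exposed.append((addr, port))
    return exposed


if __name__ == "__main__":
    for addr, port in exposed_ajp_listeners(SAMPLE_SS_OUTPUT):
        print(f"AJP port {port} is bound to {addr}: reachable beyond localhost; "
              f"bind it to a loopback address or block the port at the firewall")
```

On a live host, feed the function the real output (`subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`). A listener on a wildcard or routable address is reported; one on `127.0.0.1` or `::1` is not, since only processes on the same machine can reach it, which is the arrangement the message assumes between Apache and Tomcat.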
