On 04.03.2020 09:30, Stephen Hames wrote:
Hi Matthias,

I suspect your issue is: address="::". You probably want
address="0.0.0.0" or the IPv4 address that your Tomcat instance is
listening on. :: allows any on IPv6, but for IPv4 I suspect that Tomcat
would still be listening only on 127.0.0.1.

But then, the error at the IIS level would be "connection refused", no?
Not a Tomcat response with a 403 status, as seems to happen below.
Or am I the confused one?


Regards,
Stephen


On Wed, 4 Mar 2020 at 15:20, Matthias Fechner <ide...@fechner.net> wrote:

Dear all,

As Tomcat version 9.0.31 has some security fixes included, I tried to do
an upgrade.
On the IIS, Tomcat connector version 1.2.46 is installed.

As the secret I use a 32-character alphanumeric string, which I name here
token.
In the workers.properties I tried to define it on the load balancer
line:
worker.loadbalancer.secret=token

And/or on each node:
worker.node1.secret=token
...
worker.node2.secret=token

For the Tomcat configuration I defined in server.xml the following AJP
connector:
      <Connector protocol="AJP/1.3"
                 address="::"
                 port="8009"
                 tomcatAuthentication="false"
                 enableLookups="false"
                 secret="token"
                 redirectPort="8443" />

But it does not work. It seems that Tomcat does not answer here.
If I downgrade to Tomcat 9.0.29 it works without any problems.

I then started Wireshark and had a look at the traffic coming from the
IIS.
From IIS I see an AJP13 connection with the following content in the "Apache
JServ Protocol v1.3" part in Wireshark:
...
Sec-Fetch-User: ?1
token
INTERNAL\user
Negotiate
...

As the token is included here, the secret configuration is maybe correct.
The token here is equal to the token defined on the IIS Tomcat connector and
in the Tomcat server.xml AJP definition.
Tomcat is sending back a "0:RSP:SEND HEADERS:403 403".

The IIS is doing the authentication and is then just sending the user to
Tomcat.

According to the documentation, everything seems to be configured correctly,
but it does not work.
Could anyone help me here, please?

--
Thanks a lot
Matthias

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
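The AJP13 exchange the thread describes, as an added illustration and not code from either poster, from the ISAPI redirector or from Tomcat: the web-server side encodes a FORWARD_REQUEST whose trailing attribute block carries the worker secret (attribute 0x0C), the authenticated remote user (0x03) and the auth type (0x04), which is the "token / INTERNAL\user / Negotiate" sequence visible in Wireshark; the container side decodes it, checks the secret, and answers with a SEND_HEADERS packet whose status word is what Wireshark shows as "SEND HEADERS:403". Packet layout follows the AJP13 protocol description; the URI, host, header values and the `status_for` check are constructed for the example (a real connector also sends query string, SSL and jvm_route attributes and may encode well-known header names as 0xA0xx codes, which the parser handles for the common ones).

```python
"""Minimal AJP13 encoder/decoder (constructed example, not isapi_redirect or Tomcat code)."""
import struct

MAGIC_REQ = b"\x12\x34"   # web server -> servlet container
MAGIC_RESP = b"AB"        # servlet container -> web server
FORWARD_REQUEST = 0x02
SEND_HEADERS = 0x04
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
# Attribute codes that follow the header block of a FORWARD_REQUEST
ATTR_NAMES = {0x03: "remote_user", 0x04: "auth_type", 0x05: "query_string",
              0x06: "jvm_route", 0x0A: "req_attribute", 0x0B: "ssl_key_size", 0x0C: "secret"}
ATTR_CODES = {v: k for k, v in ATTR_NAMES.items()}
ATTR_END = 0xFF
COMMON_HEADERS = {0xA001: "accept", 0xA005: "authorization", 0xA006: "connection",
                  0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
                  0xA00B: "host", 0xA00E: "user-agent"}


def enc_str(s):
    """AJP string: uint16 length, UTF-8 bytes, NUL. None is the 0xFFFF marker."""
    if s is None:
        return b"\xff\xff"
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b + b"\x00"


def dec_str(buf, off):
    """Return (string or None, offset after the string)."""
    n = struct.unpack_from(">H", buf, off)[0]
    if n == 0xFFFF:
        return None, off + 2
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 3 + n


def build_forward_request(method, uri, server_name, server_port, headers,
                          remote_addr="127.0.0.1", attributes=None):
    """Encode a FORWARD_REQUEST; `attributes` is a list of (name, value) in wire order
    (mod_jk/isapi_redirect emit the secret first, then remote_user and auth_type)."""
    body = bytes([FORWARD_REQUEST, METHOD_CODES[method]])
    body += enc_str("HTTP/1.1") + enc_str(uri) + enc_str(remote_addr) + enc_str(None)
    body += enc_str(server_name) + struct.pack(">H", server_port) + b"\x00"  # is_ssl = false
    body += struct.pack(">H", len(headers))
    for name, value in headers:              # header names sent as plain strings here
        body += enc_str(name) + enc_str(value)
    for name, value in attributes or []:
        body += bytes([ATTR_CODES[name]]) + enc_str(value)
    body += bytes([ATTR_END])
    return MAGIC_REQ + struct.pack(">H", len(body)) + body


def parse_forward_request(pkt):
    """Decode a FORWARD_REQUEST packet into a dict, i.e. the container's view of it."""
    assert pkt[:2] == MAGIC_REQ and pkt[4] == FORWARD_REQUEST
    assert len(pkt) == 4 + struct.unpack_from(">H", pkt, 2)[0]
    method = {v: k for k, v in METHOD_CODES.items()}[pkt[5]]
    off = 6
    _protocol, off = dec_str(pkt, off)
    uri, off = dec_str(pkt, off)
    remote_addr, off = dec_str(pkt, off)
    _remote_host, off = dec_str(pkt, off)
    server_name, off = dec_str(pkt, off)
    server_port = struct.unpack_from(">H", pkt, off)[0]
    is_ssl = bool(pkt[off + 2])
    off += 3
    num_headers = struct.unpack_from(">H", pkt, off)[0]
    off += 2
    headers = {}
    for _ in range(num_headers):
        if pkt[off] == 0xA0:                 # coded well-known header name
            name = COMMON_HEADERS[struct.unpack_from(">H", pkt, off)[0]]
            off += 2
        else:
            name, off = dec_str(pkt, off)
        value, off = dec_str(pkt, off)
        headers[name.lower()] = value
    attributes = {}
    while pkt[off] != ATTR_END:
        code = pkt[off]
        off += 1
        if code == 0x0A:                     # req_attribute: name string + value string
            name, off = dec_str(pkt, off)
            value, off = dec_str(pkt, off)
            attributes["req_attribute:" + name] = value
        elif code == 0x0B:                   # ssl_key_size: uint16, not a string
            attributes["ssl_key_size"] = struct.unpack_from(">H", pkt, off)[0]
            off += 2
        else:
            value, off = dec_str(pkt, off)
            attributes[ATTR_NAMES.get(code, "attr_%02x" % code)] = value
    return {"method": method, "uri": uri, "remote_addr": remote_addr, "server_name": server_name,
            "server_port": server_port, "is_ssl": is_ssl, "headers": headers, "attributes": attributes}


def status_for(parsed, configured_secret):
    """Constructed model of the container's secret check: with a secret configured,
    a missing or different secret is refused with 403 before any webapp is reached."""
    if configured_secret is not None and parsed["attributes"].get("secret") != configured_secret:
        return 403
    return 200


def build_send_headers(status, reason, headers=()):
    """Encode the container's SEND_HEADERS reply (status word, reason string, headers)."""
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + enc_str(reason)
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += enc_str(name) + enc_str(value)
    return MAGIC_RESP + struct.pack(">H", len(body)) + body


def parse_send_headers(pkt):
    """Return (status, reason) from a SEND_HEADERS packet."""
    assert pkt[:2] == MAGIC_RESP and pkt[4] == SEND_HEADERS
    status = struct.unpack_from(">H", pkt, 5)[0]
    reason, _ = dec_str(pkt, 7)
    return status, reason


if __name__ == "__main__":
    req = build_forward_request("GET", "/app/", "intranet.example", 443,
                                [("Host", "intranet.example"), ("User-Agent", "Mozilla/5.0")],
                                attributes=[("secret", "token"), ("remote_user", "INTERNAL\\user"),
                                            ("auth_type", "Negotiate")])
    parsed = parse_forward_request(req)
    print(parsed["attributes"], status_for(parsed, "token"), status_for(parsed, "other"))
    print(parse_send_headers(build_send_headers(403, "403")))
```

Running the block prints the decoded attribute block in the same order the Wireshark capture shows, 200 when the configured secret matches and 403 when it does not, and the decoded (403, "403") reply. Feeding `parse_forward_request` a packet captured from the real connector is a quick way to confirm which secret and user attributes actually reach Tomcat, independent of what the worker configuration says.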