Hi,

>> If it is, what is the recommended mitigation? We consider using the
>> "secret" feature (the filtering by request attributes is infeasible
>> for us), but that would be a bit of effort and we are in a hurry.
>>
>
> We're in the same position as you. External web servers talking to
> Tomcat servers on other boxes via AJP.
>
> We've looked at a few options, none of which seemed great:
>
> * The current stable version of Apache doesn't support the 'secret'
> attribute for AJP connectors in mod_proxy.
We will use the "secret" approach. Since we use mod_jk, which supports it, this will offer the least trouble when deploying in customer environments.

We will generate a random secret for each Tomcat instance. Since our apps already register in our service registry, we can just add the secret there. Our Apache HTTPD, resp. a little tooling we wrote for it that generates the Apache config from information in the registry, can pick up the secret from there as well.

Regards
JG

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
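The per-instance secret approach described in the reply, as an added example that is not part of the thread or of any project's own tooling: it generates a random AJP secret, renders the Tomcat `<Connector>` and the matching mod_jk worker entry, and checks that both carry the same value. Instance name, host and ports are constructed placeholders, and the registry lookup is replaced by literals.

```shell
#!/bin/sh
# Added example (not from the thread): one random AJP secret per Tomcat
# instance, rendered into the two places it must match: the AJP <Connector>
# in server.xml and the mod_jk worker in workers.properties.

# 256-bit random secret as hex; /dev/urandom only, no extra tools needed.
gen_ajp_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Tomcat side: connector that rejects any AJP request without the shared secret.
# secretRequired="true" is stated explicitly so the intent survives config diffs.
tomcat_ajp_connector() {
    port="$1"; secret="$2"
    printf '<Connector protocol="AJP/1.3" port="%s" address="0.0.0.0"\n           secretRequired="true" secret="%s" />\n' "$port" "$secret"
}

# Apache side: mod_jk worker carrying the same secret (worker.<name>.secret).
jk_worker() {
    name="$1"; host="$2"; port="$3"; secret="$4"
    printf 'worker.%s.type=ajp13\nworker.%s.host=%s\nworker.%s.port=%s\nworker.%s.secret=%s\n' \
        "$name" "$name" "$host" "$name" "$port" "$name" "$secret"
}

# Deployment check: the secret in workers.properties must equal the one in
# server.xml, otherwise mod_jk requests are refused by Tomcat.
secrets_match() {
    tomcat_cfg="$1"; jk_cfg="$2"
    t=$(printf '%s\n' "$tomcat_cfg" | sed -n 's/.*secret="\([^"]*\)".*/\1/p')
    j=$(printf '%s\n' "$jk_cfg" | sed -n 's/^worker\.[^.]*\.secret=\(.*\)$/\1/p')
    [ -n "$t" ] && [ "$t" = "$j" ]
}

# Demo for one constructed instance (hypothetical name/host, not real values).
SECRET=$(gen_ajp_secret)
tomcat_ajp_connector 8009 "$SECRET"
jk_worker tomcat1 10.0.0.12 8009 "$SECRET"
```

In the setup the reply describes, `SECRET` would be read from the service registry entry of each Tomcat instance instead of being generated on the Apache side.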