André,
On 3/19/20 10:57, André Warnier (tomcat/perl) wrote:
> For example :
> - if all your pairs of httpd server/tomcat server are running on the
> same host, then you do not really have a security issue, and adding a
> secret will not really bring any additional security
> - if all your pairs of httpd server/tomcat server are communicating
> only over an internal (presumed to be fairly safe) network, then you
> do have a limited security issue (limited by how "safe" your internal
> network really is), and a secret may help a bit in reducing this
> already limited security issue
> - if you have pairs of httpd/tomcat which communicate over a public
> network, then you do have a security issue, and adding a secret will
> help, but it is not going to make that security issue really
> disappear (*).

If you have naked AJP traversing a public network then you are very much doing it wrong and have zero privacy or security. Adding a secret will only expose the secret to anyone who cares to look.

> (*) the secret, if correctly implemented, will block any other host
> than your own hosts from connecting to the tomcat AJP Connector, and
> thus from "abusing" your tomcats by sending them invalid or malicious
> requests.

AJP allows the client to present a secret to the server, but it does so insecurely. Any attacker who can see your AJP traffic can also see the secret. So adding a secret doesn't really add security in any meaningful way. Instead of adding a door lock, it instead adds a note saying "please don't open this door unless you are allowed to do so."
-chris
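To make concrete what "does so insecurely" means, here is an added Python example (not from this thread or from Tomcat/mod_jk) that encodes a minimal AJP13 Forward Request the way an httpd worker would, carrying the worker secret as attribute code 0x0C, and decodes the attribute block back the way anyone reading the TCP stream can; the URI, addresses, server name and secret are constructed sample values.

```python
import struct

AJP_FORWARD_REQUEST, METHOD_GET = 0x02, 2  # prefix code of a forward request, GET method code
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE = 0x0A, 0x0B  # name/value pair; the only u16 attribute
ATTR_SECRET, ATTR_END = 0x0C, 0xFF          # the worker secret; end of attribute list

def ajp_string(s):
    """AJP13 string: big-endian u16 length, raw bytes, NUL terminator (0xFFFF = null)."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"

def build_forward_request(uri, secret, server="app.internal", port=80):
    """Minimal AJP13 Forward Request as an httpd worker sends it (constructed sample)."""
    body = bytes([AJP_FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("10.0.0.5") + ajp_string(None)             # remote_addr, remote_host
    body += ajp_string(server) + struct.pack(">H", port) + b"\x00"  # server_name, port, is_ssl
    body += struct.pack(">H", 0)                                    # no request headers
    if secret is not None:
        body += bytes([ATTR_SECRET]) + ajp_string(secret)           # secret is a plain string
    body += bytes([ATTR_END])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body        # client->server magic

def read_string(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n

def attributes_on_the_wire(packet):
    """Decode the attribute block exactly as anyone reading the TCP stream can."""
    pos = 6                                    # skip magic, length, prefix code, method
    for _ in range(5):                         # protocol, uri, remote_addr, remote_host, server
        _, pos = read_string(packet, pos)
    pos += 3                                   # server_port (u16) + is_ssl (byte)
    num_headers, pos = struct.unpack_from(">H", packet, pos)[0], pos + 2
    for _ in range(num_headers):               # coded (0xA0xx) or string name, then value
        pos = pos + 2 if packet[pos] == 0xA0 else read_string(packet, pos)[1]
        _, pos = read_string(packet, pos)
    attrs = {}
    while packet[pos] != ATTR_END:
        code, pos = packet[pos], pos + 1
        if code == ATTR_SSL_KEY_SIZE:
            attrs[code], pos = struct.unpack_from(">H", packet, pos)[0], pos + 2
        elif code == ATTR_REQ_ATTRIBUTE:
            name, pos = read_string(packet, pos)
            attrs.setdefault(code, {})[name], pos = read_string(packet, pos)
        else:
            attrs[code], pos = read_string(packet, pos)
    return attrs
```

Nothing in the packet hides or hashes the secret, which is why binding the AJP connector to an interface that untrusted hosts cannot reach matters more than the secret itself.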