
    Details

    • Tags:
    • Impact type:
      Configuration Change
    • Upgrade notes:

      For security reasons (CVE-2020-1938), AJP is now disabled by default. To re-enable it, the following properties must be defined:

      nuxeo.server.ajp.enabled=true
      nuxeo.server.ajp.secretRequired=true
      nuxeo.server.ajp.secret=changeme
      

      The secret must also be set in the mod_proxy_ajp configuration; see https://httpd.apache.org/docs/trunk/mod/mod_proxy_ajp.html for more.

      If one is sure that the AJP port cannot be accessed by any untrusted hosts, then the following configuration is possible:

      nuxeo.server.ajp.enabled=true
      nuxeo.server.ajp.secretRequired=false
      
    • Team:
      FG
    • Sprint:
      nxFG 11.1.12

      Description

      Since Tomcat 9.0.31 (master, 10.10-HF23) and Tomcat 8.5.51 (9.10-HF41), the AJP connector, which is commented out in the default Tomcat configuration, fails to start in Nuxeo:

      2020-02-25 18:15:57.241 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]
      	org.apache.catalina.LifecycleException: Protocol handler start failed
      		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
      		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      		at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      		at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
      		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
      	Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
      		at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
      		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
      		... 12 more
      

      See https://www.mail-archive.com/announce@tomcat.apache.org/msg00398.html for more.
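
A check for the AJP settings from the upgrade notes and the startup failure above, as an added example that is not part of the original ticket or of Nuxeo's code. The finding codes, the function names and the sample inputs are constructed for illustration; `secret=` is the mod_proxy_ajp worker parameter described in the httpd documentation linked in the upgrade notes, and treating an absent `secretRequired` as true is an assumption.

```python
import re

def parse_properties(text):
    """Parse key=value lines of a nuxeo.conf-style file; the last value wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def proxy_secrets(httpd_conf):
    """Collect secret= parameters from non-comment httpd lines that target ajp://."""
    found = []
    for line in httpd_conf.splitlines():
        line = line.strip()
        if line.startswith("#") or "ajp://" not in line:
            continue
        m = re.search(r"\bsecret=(\S+)", line)
        found.append(m.group(1).strip('"') if m else None)  # None: no secret sent
    return found

def audit_ajp(nuxeo_conf, httpd_conf=""):
    """Return finding codes for the AJP properties named in the upgrade notes."""
    p = parse_properties(nuxeo_conf)
    if p.get("nuxeo.server.ajp.enabled", "false").lower() != "true":
        return []  # AJP disabled, the default after this change
    # Assumption: an absent secretRequired is treated as true.
    required = p.get("nuxeo.server.ajp.secretRequired", "true").lower() != "false"
    secret = p.get("nuxeo.server.ajp.secret", "")
    findings = []
    if not required:
        findings.append("SECRET_NOT_REQUIRED")  # acceptable only if no untrusted host reaches the port
    elif not secret:
        findings.append("STARTUP_FAILURE")  # the IllegalArgumentException in the log
    elif secret == "changeme":
        findings.append("PLACEHOLDER_SECRET")  # sample value copied verbatim
    if required and secret and any(s != secret for s in proxy_secrets(httpd_conf)):
        findings.append("PROXY_SECRET_MISMATCH")  # mod_proxy_ajp must send the same secret
    return findings

# Constructed sample inputs, not taken from a real deployment.
NUXEO_CONF = """\
nuxeo.server.ajp.enabled=true
nuxeo.server.ajp.secretRequired=true
nuxeo.server.ajp.secret=changeme
"""
HTTPD_CONF = 'ProxyPass "/nuxeo/" "ajp://localhost:8009/nuxeo/"\n'
```

Run over the constructed sample, `audit_ajp(NUXEO_CONF, HTTPD_CONF)` reports the placeholder secret and the proxy line that sends no secret.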
