
Because of the bug CVE-2020-1938 we want to use the latest Tomcat 7.0.100. See also CVE-2020-1938. We also use an Apache server in version 2.4, which connects to the Tomcat via AJP.

The latest Tomcat version requires various new settings for secure communication, which we have made. Unfortunately we always get the HTTP error 403 and don't know why.

In the Apache workers.properties we have the following settings:

worker.list=okkommwm57f
worker.okkommwm57f.type=ajp13
worker.okkommwm57f.host=192.168.181.240
worker.okkommwm57f.secret=123456
worker.okkommwm57f.port=8309
worker.okkommwm57f.socket_keepalive=1
worker.okkommwm57f.connect_timeout=10000
worker.okkommwm57f.prepost_timeout=10000
worker.okkommwm57f.socket_timeout=10
worker.okkommwm57f.connection_pool_timeout=600

The AJP connector configuration looks like this:

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" /> 

When I test the site, I keep getting the HTTP error 403. I have tried different versions, but to no avail. I have already set "secretRequired" to "false". That does not work either.

Maybe someone has an idea and can help me to solve the problem. Thank you.

  • You should check both Apache and Tomcat's logs. mod_proxy_ajp didn't support the secret value until Apache 2.5, so you should set secretRequired to false and remove the secret. Commented Mar 5, 2020 at 18:03

2 Answers


I had the same issue.

I had to add allowedRequestAttributesPattern=".*" to the connector.

So in your case:

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" allowedRequestAttributesPattern=".*" /> 

This is a new attribute which has been added with Tomcat 7.0.100.

Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)

I haven't figured out yet which attribute we are sending, but if the setting works for you with a wildcard, you are probably sending attributes as part of your AJP request which are not recognized.

  • That was it. I had to set the attribute allowedRequestAttributesPattern to my SSL parameters divided by |. Thanks. Commented Mar 24, 2020 at 8:14
  • This solves the issue in Tomcat 8.5.51-53 as well. Commented Mar 29, 2020 at 12:55
  • Is allowedRequestAttributesPattern=".*" related to Tomcat's CORS Filter in any way? After setting up a secret, now I'm having issues with CORS. All of my Apache and Tomcat services are all on the same box. Commented Mar 16, 2021 at 19:46
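As an added example (not from the question, the answers, or Tomcat's own code), the following Python builds a constructed AJP13 forward request of the kind mod_jk sends, decodes its attribute list, and applies the allowedRequestAttributesPattern check the way Tomcat does: a full regex match against every req_attribute name that Tomcat does not consume itself. The set of built-in names and the full-match semantics are assumptions taken from reading AjpProcessor; the sample attribute names mimic SSL variables forwarded via JkEnvVar and are constructed for the example.

```python
import re
import struct

# AJP13 attribute codes (protocol reference): 0x0A req_attribute (name + value),
# 0x0B ssl_key_size (16-bit int), 0x0C secret, 0xFF end of list; other codes carry
# one string. BUILTIN lists req_attribute names Tomcat consumes itself (assumption,
# from AjpProcessor); any other name must fully match the pattern or Tomcat answers 403.
BUILTIN = {"AJP_LOCAL_ADDR", "AJP_REMOTE_PORT", "JK_LB_ACTIVATION"}

def ajp_str(s):  # AJP string: big-endian 16-bit length, bytes, NUL terminator
    return struct.pack(">H", len(s.encode())) + s.encode() + b"\x00"
def read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:                        # AJP encoding of a null string
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n

def build_forward_request(req_attrs, secret="123456"):  # constructed GET /app/ request
    body = b"\x02\x02" + ajp_str("HTTP/1.1") + ajp_str("/app/")   # FORWARD_REQUEST, GET
    body += ajp_str("10.0.0.5") + ajp_str("") + ajp_str("www.example.test")
    body += struct.pack(">H?H", 443, True, 1) + b"\xa0\x0b" + ajp_str("www.example.test")
    body += b"\x0c" + ajp_str(secret)      # secret from workers.properties
    for name, value in req_attrs:          # what JkEnvVar forwarding looks like on the wire
        body += b"\x0a" + ajp_str(name) + ajp_str(value)
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"

def parse_attributes(packet):  # -> [(code, name, value)] for one forward request
    pos = 6                                # magic, length, prefix, method byte
    for _ in range(5):                     # protocol, req_uri, remote_addr/host, server_name
        _, pos = read_str(packet, pos)
    (num_headers,) = struct.unpack_from(">H", packet, pos + 3); pos += 5  # port, is_ssl
    for _ in range(num_headers):           # 0xA0xx = well-known header code, else a name
        pos = pos + 2 if packet[pos] == 0xA0 else read_str(packet, pos)[1]
        _, pos = read_str(packet, pos)     # header value
    attrs = []
    while packet[pos] != 0xFF:
        code, pos, name = packet[pos], pos + 1, None
        if code == 0x0A:
            name, pos = read_str(packet, pos)
        if code == 0x0B:
            value, pos = struct.unpack_from(">H", packet, pos)[0], pos + 2
        else:
            value, pos = read_str(packet, pos)
        attrs.append((code, name, value))
    return attrs

def rejected_attributes(packet, pattern=None):  # Java matches() = whole-name match
    regex = re.compile(pattern) if pattern else None
    return [n for code, n, _ in parse_attributes(packet)
            if code == 0x0A and n not in BUILTIN and not (regex and regex.fullmatch(n))]
```

Running it against a request carrying SSL_PROTOCOL and SSL_CIPHER_USEKEYSIZE shows both names rejected with no pattern, admitted by ".*" or by the explicit "SSL_PROTOCOL|SSL_CIPHER_USEKEYSIZE" the comment above describes, and still rejected by a partial pattern such as "SSL", which is why listing the exact forwarded names is the tighter fix.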

I had the same issue. The trick was to set a password. So the following solved the issue for us:

server.xml:

<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" secret="verysecure" secretRequired="true"/> 

worker.properties:

worker.tomcat-06.secret=verysecure 
  • I already had a password and it didn't work. Only after I removed special chars like "€" from the password did it start working. So check your password for special chars if it doesn't work. Commented May 26, 2021 at 17:34
