...
Despite
OOTB, the Tomcat default values are used, as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This relates to https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
However, OOTB the secretRequired value must be false because the secret value is empty. Otherwise, a message appears in the log saying that AJP is not available.
Long story short, with the OOTB configuration only localhost works.
So if you want to use AJP, you need to set the values according to your configuration. Setting allowedRequestAttributesPattern to ".*" puts you at risk.
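
A check for the AJP settings discussed above, as an added example that is not part of the original page or of Tomcat. The server.xml fragment, the secret placeholder and the MY_PROXY_ATTR attribute name are constructed, and the check assumes the Tomcat 9.0.31+ defaults (loopback bind when address is omitted, secretRequired true).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration; the secret is a placeholder
# and MY_PROXY_ATTR is a hypothetical attribute name.
SAMPLE = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009" secretRequired="false"/>
  <Connector protocol="AJP/1.3" port="8010" address="0.0.0.0"
             secretRequired="false" allowedRequestAttributesPattern=".*"/>
  <Connector protocol="AJP/1.3" port="8011" address="10.0.0.5"
             secret="PLACEHOLDER_SECRET"
             allowedRequestAttributesPattern="MY_PROXY_ATTR"/>
  <Connector protocol="AJP/1.3" port="8012"/>
</Service></Server>"""


def is_loopback(address):
    """Tomcat binds AJP to loopback when 'address' is omitted."""
    if address is None or address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a host name we cannot classify: treat as exposed


def audit_ajp(server_xml):
    """Return (port, finding) pairs for every AJP connector in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port")
        has_secret = bool(conn.get("secret"))
        # secretRequired defaults to true since Tomcat 9.0.31.
        required = conn.get("secretRequired", "true").lower() == "true"
        if required and not has_secret:
            findings.append((port, "will-not-start: secretRequired without secret"))
        if not has_secret and not required and not is_loopback(conn.get("address")):
            findings.append((port, "exposed: no secret on non-loopback address"))
        if conn.get("allowedRequestAttributesPattern") == ".*":
            findings.append((port, "wildcard: any request attribute accepted"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ajp(SAMPLE):
        print(port, finding)
```

The connector on port 8009 mirrors the localhost-only case described above and produces no finding; 8010 is flagged twice and 8012 is the case that logs AJP as unavailable.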