Tomcat 8.5.51 - Issues with secretRequired="false"

2

17

The secretRequired="false" option was added to the AJP connector in server.xml. However, the connector does not start, failing with a "Protocol handler start failed" error. It is behind an Apache Server version 2.4.25.

    <Connector port="8009"
               address="127.0.0.1" tomcatAuthentication="false" URIEncoding="UTF-8" enableLookups="false"
               protocol="AJP/1.3" redirectPort="8663" connectionTimeout="600000" secretRequired="false" />

The error:

    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

Thanks

Culpepper answered 5/3, 2020 at 19:42 Comment(3)
Do you happen to have a second AJP connector in server.xml? - Intersperse
No, there is only one AJP. There is also a HTTP connection. - Culpepper
In Tomcat 8.5.56 the issue is gone. - Cordell
9

Adding the address attribute and specifying the loopback address is what worked for me on Tomcat 8.5.54.

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0" secretRequired="false" />

Eckard answered 13/5, 2020 at 20:29 Comment(1)
0.0.0.0 is not the loopback address; this should be 127.0.0.1, or ::1 (which is the default anyway). Explicitly using 0.0.0.0 will give you a security problem when combined with secretRequired="false". - Theobald
5

Tomcat 9.0.34 has secretRequired set to true by default now to address a CVS issue.

See these URLs for details of this issue:
https://access.redhat.com/solutions/4851251
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://github.com/spring-projects/spring-boot/issues/20377

Polarization answered 30/4, 2020 at 1:0 Comment(2)
You can see that in the original question the parameter is turned off. Are you saying that it is no longer possible to override the default? - Barbiturate
If we add a secret value, then the documentation of worker.properties from apache2 states that AJP only accepts those worker requests which have this secret value. Can you tell me how to configure this secret in worker.properties, or how to pass this secret in the request? - Tatar
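
The two conditions this thread turns on, the startup error when secretRequired is true with a null or empty secret and the exposure warned about in the comment on the second answer (secretRequired="false" on a non-loopback bind), can be checked against server.xml before deployment. The script below is an added example, not code from any poster or from Tomcat; the sample server.xml is constructed, and the defaults it assumes (secretRequired true, loopback bind) are taken from statements on this page. It inspects only the connector attributes named in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the question's bind address, the answer's bind address,
# and a connector that leaves secretRequired at its default without a secret.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secretRequired="false" />
  <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
  <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" />
</Service></Server>
"""

def is_loopback(address):
    """True for a loopback IP literal, 'localhost', or an unset address."""
    if address is None:  # assumption (from the page): default bind is loopback
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # not an IP literal
        return address.lower() == "localhost"

def audit_ajp_connectors(server_xml):
    """Return (port, severity, message) tuples for AJP connectors only."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port")
        # assumption (from the page): secretRequired defaults to "true"
        required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret") or ""
        if required and not secret:
            findings.append((port, "ERROR", "secretRequired is true but secret is "
                             "null or empty; the connector will not start"))
        elif not required and not is_loopback(conn.get("address")):
            findings.append((port, "HIGH", "no secret required on a non-loopback "
                             "bind; any host that can reach the port can speak AJP"))
        elif not required:
            findings.append((port, "INFO", "no secret required; loopback bind only"))
    return findings

if __name__ == "__main__":
    for port, severity, message in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"{severity:5} port {port}: {message}")
```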
