Getting error 403 with Tomcat 7.0.100 and Apache server 2.4 when using "secret" with AJP
Solution 1
I had the same issue.
I had to add allowedRequestAttributesPattern=".*"
to the connector
So in your case
<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" allowedRequestAttributesPattern=".*" />
This is a new attribute which has been added with Tomcat 7.0.100.
Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)
Although I haven't figured out what attribute we are sending. But if the setting works for you with a wildcard, you are probably sending attributes as part of your AJP request which are not recognized.
Solution 2
I had the same issue. The trick was to set a password. So the following solved the issue for us:
server.xml:
<Connector port="8109" protocol="AJP/1.3" redirectPort="8443" secret="verysecure" secretRequired="true"/>
worker.properties:
worker.tomcat-06.secret=verysecure
Related videos on Youtube
egmontr
Updated on September 18, 2022Comments
-
egmontr almost 2 years
Because of the bug CVE-2020-1938 we want to use the latest Tomcat 7.0.100. See also CVE-2020-1938 We also use an Apache server in version 2.4, which connects to the Tomcat via AJP.
The latest Tomcat version requires various new settings for secure communication, which we have made. Unfortunately we always get the HTTP error 403 and don't know why.
In the Apache workers.properties we have the following settings:
worker.list=okkommwm57f ps=\ worker.okkommwm57f.type=ajp13 worker.okkommwm57f.host=192.168.181.240 worker.okkommwm57f.secret=123456 worker.okkommwm57f.port=8309 worker.okkommwm57f.socket_keepalive=1 worker.okkommwm57f.connect_timeout=10000 worker.okkommwm57f.prepost_timeout=10000 worker.okkommwm57f.socket_timeout=10 worker.okkommwm57f.connection_pool_timeout=600
The AJP connector configuration looks like this:
<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" />
When I test the site, I keep getting the HTTP error 403. I have tried different versions, but to no avail. Have already set "secretRequired" to "false". Does not work too.
Maybe someone has an idea and can help me to solve the problem. Thank you.
-
vallismortis about 4 yearsThis solves the issue in Tomcat 8.5.51-53 as well.
-
NamedArray over 3 yearsIs
allowedRequestAttributesPattern=".*"
related to Tomcat's CORS Filter in any way? After setting up a secret, now I'm having issues with CORS. All of my Apache and Tomcat services are all on the same box. -
user3992979 about 3 yearsI had already a password and it didn't work. Only after I removed special chars like "€" from the password, it started working. So check your password for special chars if it doesn't work.