Apache 2.4 and Tomcat 7.0.100 – Fixing Error 403 with AJP Secret

Tags: ajp, apache-2.4, tomcat7

Because of the bug CVE-2020-1938, we want to use the latest Tomcat 7.0.100. See also CVE-2020-1938.
We also use an Apache server in version 2.4, which connects to the Tomcat via AJP.

The latest Tomcat version requires various new settings for secure communication, which we have made.
Unfortunately, we always get the HTTP error 403 and don't know why.

In the Apache workers.properties we have the following settings:

worker.list=okkommwm57f
worker.okkommwm57f.type=ajp13
worker.okkommwm57f.host=192.168.181.240
worker.okkommwm57f.secret=123456
worker.okkommwm57f.port=8309
worker.okkommwm57f.socket_keepalive=1
worker.okkommwm57f.connect_timeout=10000
worker.okkommwm57f.prepost_timeout=10000
worker.okkommwm57f.socket_timeout=10
worker.okkommwm57f.connection_pool_timeout=600

The AJP connector configuration looks like this:

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" />

When I test the site, I keep getting the HTTP error 403. I have tried different versions, but to no avail. I have already set "secretRequired" to "false". That does not work either.

Maybe someone has an idea and can help me to solve the problem. Thank you.

Best Answer

I had the same issue.

I had to add allowedRequestAttributesPattern=".*" to the connector

So in your case

<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" secretRequired="true" secret="123456" address="192.168.181.240" allowedRequestAttributesPattern=".*" />

This is a new attribute which has been added with Tomcat 7.0.100.

Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)

I haven't figured out what attribute we are sending, though. But if the setting works for you with a wildcard, you are probably sending attributes as part of your AJP request which are not recognised.
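The following is an added example, not code from the question, the answer, or the Tomcat and mod_jk projects. It encodes an AJP/1.3 forward request the way an Apache-side worker does, parses it back, and applies a simplified model of the two Tomcat 7.0.100 checks this thread touches: the shared secret (attribute code 0x0C) and allowedRequestAttributesPattern for generic request attributes (code 0x0A). The packet layout follows the AJP13 protocol; the decision function and the set of attribute names Tomcat handles itself are assumptions, a reconstruction of the connector's behaviour rather than its code, and X_FRONTEND_ID is a made-up attribute name.

```python
import hmac
import re
import struct

AJP_MAGIC = b"\x12\x34"  # web server -> container packets start with 0x12 0x34
FORWARD_REQUEST, SC_M_GET, SC_A_ARE_DONE = 0x02, 0x02, 0xFF
SC_A_REQ_ATTRIBUTE, SC_A_SSL_KEY_SIZE, SC_A_SECRET = 0x0A, 0x0B, 0x0C  # key size is the only int-valued attribute
# Names the Tomcat AJP processor handles itself (assumption, recalled from AjpProcessor); any other name is "arbitrary".
KNOWN_REQ_ATTRIBUTES = {"AJP_LOCAL_ADDR", "AJP_REMOTE_PORT", "AJP_SSL_PROTOCOL", "JK_LB_ACTIVATION"}

def ajp_string(s):
    """AJP string: 2-byte length, the bytes, a NUL; 0xFFFF encodes a null string."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_forward_request(uri, secret=None, req_attributes=()):
    """Encode a minimal GET forward request the way a mod_jk worker does."""
    body = bytes([FORWARD_REQUEST, SC_M_GET]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1") + ajp_string(None)       # remote_addr, remote_host
    body += ajp_string("localhost") + struct.pack(">H", 80)  # server_name, server_port
    body += b"\x00" + struct.pack(">H", 1) + ajp_string("Host") + ajp_string("localhost")  # is_ssl, one header
    if secret is not None:
        body += bytes([SC_A_SECRET]) + ajp_string(secret)
    for name, value in req_attributes:
        body += bytes([SC_A_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body

class _Reader:
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self, n=None):
        n = self.u16() if n is None else n
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1  # skip the trailing NUL
        return s

def parse_forward_request(packet):
    """Decode the fields the 7.0.100 checks depend on: uri, secret, request attributes."""
    r = _Reader(packet, 2)
    if packet[:2] != AJP_MAGIC or r.u16() != len(packet) - 4 or r.byte() != FORWARD_REQUEST:
        raise ValueError("not a well-formed AJP forward request")
    r.byte(); r.string()                         # method code, protocol
    uri = r.string()
    for _ in range(3): r.string()                # remote_addr, remote_host, server_name
    r.u16(); r.byte()                            # server_port, is_ssl
    for _ in range(r.u16()):                     # headers: name is a 0xA0xx code or a string
        n = r.u16()
        if n & 0xFF00 != 0xA000:
            r.string(n)
        r.string()                               # header value
    secret, attributes = None, []
    while (code := r.byte()) != SC_A_ARE_DONE:
        if code == SC_A_REQ_ATTRIBUTE:
            attributes.append((r.string(), r.string()))
        elif code == SC_A_SECRET:
            secret = r.string()
        elif code == SC_A_SSL_KEY_SIZE:
            r.u16()
        else:
            r.string()                           # every other attribute code carries one string
    return {"uri": uri, "secret": secret, "attributes": attributes}

def tomcat_decision(packet, configured_secret, allowed_pattern):
    """Simplified model (an assumption, not Tomcat's code): the secret must match when one is configured,
    and an attribute the processor does not handle itself must fully match allowedRequestAttributesPattern
    (Java Matcher.matches, hence re.fullmatch); otherwise the request is rejected with 403."""
    req = parse_forward_request(packet)
    if configured_secret is not None and (req["secret"] is None or
            not hmac.compare_digest(req["secret"].encode("latin-1"), configured_secret.encode("latin-1"))):
        return 403, {}
    pattern = re.compile(allowed_pattern) if allowed_pattern is not None else None
    accepted = {}
    for name, value in req["attributes"]:
        if name not in KNOWN_REQ_ATTRIBUTES and (pattern is None or not pattern.fullmatch(name)):
            return 403, {}
        accepted[name] = value
    return 200, accepted

def demo():
    """Constructed packets; X_FRONTEND_ID is a made-up attribute name used for illustration."""
    secret = "123456"
    normal = build_forward_request("/app/", secret, [("JK_LB_ACTIVATION", "ACT"), ("X_FRONTEND_ID", "okkommwm57f")])
    include = build_forward_request("/app/", secret, [("javax.servlet.include.request_uri", "/")])
    return {
        "default": tomcat_decision(normal, secret, None)[0],                 # 403: X_FRONTEND_ID is unknown
        "wildcard": tomcat_decision(normal, secret, ".*")[0],                # 200: the accepted answer's fix
        "narrow": tomcat_decision(normal, secret, r"X_[A-Z_]+")[0],          # 200: admits only what is needed
        "wildcard_include": tomcat_decision(include, secret, ".*")[0],       # 200: the wildcard admits this too
        "narrow_include": tomcat_decision(include, secret, r"X_[A-Z_]+")[0], # 403
        "wrong_secret": tomcat_decision(normal, "wrong", ".*")[0],           # 403 regardless of the pattern
    }
```

The two "include" cases are the caveat behind the accepted fix: ".*" re-admits every arbitrary request attribute, including servlet-container names such as javax.servlet.include.request_uri, the kind of attribute the AJP request-attribute channel was abused to set in CVE-2020-1938. Once you know which attribute your front end actually sends (mod_jk forwards JkEnvVar entries through this channel, for example), a pattern that matches only that name is the tighter setting; the secret and the address binding on the connector remain the controls that keep untrusted clients off it altogether.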