Reputation: 19
Apache webserver with AJP connection to Tomcat - empty TLS attributes in request object
We are using an Apache (2.4.41) webserver as reverse proxy for a tomcat (8.5), that runs a self implemented load-balancer. The Apache webserver does the front end TLS stuff and talks to tomcat over AJP (mod_proxy_ajp). Within our load-balancer, we use request.getAttributeNames() to evaluate request attributes. For some time now, empty request attributes with following keys appear:
- org.apache.tomcat.util.net.secure_protocol_version
- javax.servlet.request.key_size
- javax.servlet.request.cipher_suite
- javax.servlet.request.ssl_session_id
I read documentation and source code but can't figure out, why these empty attributes still exist within the request. According to the javadoc of getAttributeNames() in a tomcat request, most of the TLS specific attributes should not be fetched by this method:
/**
* Return the names of all request attributes for this Request, or an
* empty <code>Enumeration</code> if there are none. Note that the attribute
* names returned will only be those for the attributes set via
* {@link #setAttribute(String, Object)}. Tomcat internal attributes will
* not be included although they are accessible via
* {@link #getAttribute(String)}. The Tomcat internal attributes include:
* <ul>
* <li>{@link Globals#DISPATCHER_TYPE_ATTR}</li>
* <li>{@link Globals#DISPATCHER_REQUEST_PATH_ATTR}</li>
* <li>{@link Globals#ASYNC_SUPPORTED_ATTR}</li>
* <li>{@link Globals#CERTIFICATES_ATTR} (SSL connections only)</li>
* <li>{@link Globals#CIPHER_SUITE_ATTR} (SSL connections only)</li>
* <li>{@link Globals#KEY_SIZE_ATTR} (SSL connections only)</li>
* <li>{@link Globals#SSL_SESSION_ID_ATTR} (SSL connections only)</li>
* <li>{@link Globals#SSL_SESSION_MGR_ATTR} (SSL connections only)</li>
* <li>{@link Globals#PARAMETER_PARSE_FAILED_ATTR}</li>
* </ul>
* The underlying connector may also expose request attributes. These all
* have names starting with "org.apache.tomcat" and include:
* <ul>
* <li>{@link Globals#SENDFILE_SUPPORTED_ATTR}</li>
* </ul>
* Connector implementations may return some, all or none of these
* attributes and may also support additional attributes.
*
* @return the attribute names enumeration
*/
@Override
public Enumeration<String> getAttributeNames() {
Maybe some can shed some light on this. Thanks in advance!
Upvotes: 1
Views: 249
Answers (1)
Reputation: 16215
The Javadoc is not entirely correct: as you can see in the source code you cite, getAttributeNames does not list these internal attributes unless you already called getAttribute for one of them:
if (!sslAttributesParsed && TLSUtil.isTLSRequestAttribute(name)) {
coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, coyoteRequest);
attr = coyoteRequest.getAttribute(Globals.CERTIFICATES_ATTR);
if (attr != null) {
attributes.put(Globals.CERTIFICATES_ATTR, attr);
}
attr = coyoteRequest.getAttribute(Globals.CIPHER_SUITE_ATTR);
if (attr != null) {
attributes.put(Globals.CIPHER_SUITE_ATTR, attr);
}
...
Upvotes: 1
Related Questions
- Error during SSL Handshake with remote server
- Tomcat-to-tomcat connection gives SSLHandshakeException, while JavaApp-to-Tomcat works just fine
- How to configure https for an apache redirecting to tomcat via mod_proxy connector (ajp)
- Tomcat behind Apache httpd via SSL (httpd works, tomcat returns error 500)
- How to override scheme and is_ssl in apache HTTP Server for mod_proxy_ajp
- Issue loading an Apache (2.4) SSL site with Reverse Proxy to Tomcat (6.0)
- tomcat stops serving behind apache when shifted to mod_proxy_ajp using SSL
- Tomcat AJP with Apache SSL
- Error with an Apache in front of Tomcat using AJP connector and mod_proxy
- tomcat SSL request parameters lost