The AJP Connector is configured with secretRequired=“true” but the secret attribute is either null or “” after upgrade to 2.2.5

[manjunathkadrolli]

Application fails to start with the below error. This happened after the upgrade from 2.1.9 to 2.2.5 and had to do this to avoid the Ghostcat vulnerability .

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid. at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264) at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035) ... 22 common frames omitted

reference : https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/4

[wilkinsona]

This is due to a change in Tomcat's default behaviour to address the CVE. When enabling AJP, you now also need to configure a secret (recommended) or disable the need for one (to be done with caution). Either can be achieved using a TomcatConnectorCustomizer. Here's an example of configuring the former:

@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecret("your-secret");
}

The latter can be achieved by replacing the call to setSecret(String) with a call to setSecretRequired(false).

[manjunathkadrolli]

@wilkinsona i replaced the setSecret(String) to setSecretRequired(false) with detail below

@Bean
	public TomcatConnectorCustomizer ajpSecretCustomizer() {
	    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecretRequired(false);
	}

but still seeing the same error.

[manjunathkadrolli]

@wilkinsona got it working thank you for the response.

[skrzyneckik]

Am I correct that secretRequired is true by default to target Ghostcat vulnerability and setSecretRequired(false) actually reenable this vulnerability? I think it's worth pointing it out

[manjunathkadrolli]

Looks like since the issue appeared after upgrade..!

[wilkinsona]

@skrzyneckik Yes, that's correct. That's why I said above that calling setSecretRequired(false) is to be done with caution. As with most things related to configuring Tomcat, reading Tomcat's own documentation, where you can find some guidance on configuring AJP, is recommended.