Spring Boot 2 - AJP

Question

I added an connector for AJP to my spring boot 2 project

 @Bean
 public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new 
   TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(redirectConnector());

        return tomcat;
    }

    private Connector redirectConnector() {
        Connector connector = new Connector("AJP/1.3");
        connector.setScheme("http");
        connector.setPort(ajpPort);
        connector.setSecure(false);
        connector.setAllowTrace(false);
        return connector;
    }

This works fine. I can now access my spring boot application over my apache webserver. But now if i run my spring boot application i can not do access my spring boot application directly. So this url doesn't work anymore

http://localhost:13080/online/showlogin?m=test

If i disable the AJP Connector the URL works again. I have tried the following

 private Connector redirectConnector2() {
    Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
    connector.setScheme("http");
    connector.setPort(13080);
    connector.setSecure(false);
    connector.setAllowTrace(false);
    return connector;
}
...
tomcat.addAdditionalTomcatConnectors(redirectConnector2());
...

But this does not help me.

Instead of creating a `TomcatServletWebServerFactory` create a `WebServerFactoryCustomizer` which adds the AJP stuff. This will be executed in addition to the default configurations of Spring Boot. — M. Deinum, Mar 14 '18 at 10:48

score 14 · Accepted Answer · answered Mar 14 '18 at 12:12

This works for me:

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainer() {
      return server -> {
        if (server instanceof TomcatServletWebServerFactory) {
            ((TomcatServletWebServerFactory) server).addAdditionalTomcatConnectors(redirectConnector());
        }
      };
    }

    private Connector redirectConnector() {
       Connector connector = new Connector("AJP/1.3");
       connector.setScheme("http");
       connector.setPort(ajpPort);
       connector.setSecure(false);
       connector.setAllowTrace(false);
       return connector;
    }

score 7 · Answer 2 · answered Jul 03 '20 at 14:06

We used the code of tomas answers for a longer time successfully but it stopped working after we had upgraded to a Spring Boot version > 2.2.4. We got this error message on startup:

APPLICATION FAILED TO START

Description:

The Tomcat connector configured to listen on port 1234 failed to start. The port may already be in use or the connector may be misconfigured.

Action:

Verify the connector's configuration, identify and stop any process that's listening on port 1234, or configure this application to listen on another port.

But the port was not used, so what was the problem?

The issue was caused by the fix for the Ghostcat vulnerability of AJP in Tomcat that was included in Spring Boot 2.2.5.

Now you have two options, either you use AJP with a secret:

final Connector connector = new Connector("AJP/1.3");
connector.setScheme("http");
connector.setPort(ajpPort);
connector.setAllowTrace(false);

final AbstractAjpProtocol protocol = (AbstractAjpProtocol) connector.getProtocolHandler();
connector.setSecure(true);
protocol.setSecret(ajpSecret);

or without one, but for that you have to explicitly set setSecretRequired to false:

final Connector connector = new Connector("AJP/1.3");
connector.setScheme("http");
connector.setPort(ajpPort);
connector.setAllowTrace(false);

final AbstractAjpProtocol protocol = (AbstractAjpProtocol) connector.getProtocolHandler();
connector.setSecure(false);
protocol.setSecretRequired(false);

Note: The later solution will make your tomcat vulnerable to Ghostcat again.

For more information have a look at this thread: Springboot -The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "" after upgrade to 2.2.5

Spring Boot 2 - AJP

2 Answers2

Linked