将 Apache/Tomcat 升级到最新版本后的新 CORS 策略和 AJP 连接器问题
[英]New CORS policy and AJP Connector issues after upgrading Apache/Tomcat to latest versions
问题描述
Here's what we're running:
这是我们正在运行的:
- Windows Server 2016 64-bit Windows 服务器 2016 64 位
- Apache: 2.4.46 (upgraded from 2.4.43) --> "frontend" Apache:2.4.46(从 2.4.43 升级)-->“前端”
- Tomcat: 9.0.44 (upgraded from 9.0.8) --> "backend" Tomcat:9.0.44(从 9.0.8 升级)-->“后端”
- Java: 12.0.2 Java:12.0.2
We've got Apache and Tomcat all running on the same Windows server.我们有 Apache 和 Tomcat 都在同一个 Windows 服务器上运行。 It's the frontend & backend.这是前端和后端。 I'm trying to get all of our stuff upgraded to the latest versions for security.为了安全起见,我正在尝试将我们所有的东西都升级到最新版本。 Of course, I've broken everything.当然,我已经破坏了一切。
After reviewing the Tomcat/Java logs, I found that the two of our AJP connectors would not start.在查看 Tomcat/Java 日志后,我发现我们的两个 AJP 连接器无法启动。 I was required to add the following attributes to those connectors for them to fire up:我被要求为这些连接器添加以下属性以使它们启动:
<Connector
...
...
address="0.0.0.0"
secretRequired="false"
/>
That seemed to resolve most of our issues;这似乎解决了我们的大部分问题; however, now I'm experiencing problems with CORS for one of my web apps.但是,现在我的 web 应用程序之一遇到了 CORS 问题。 Our other developers report no issues.我们的其他开发人员没有报告任何问题。
Access to XMLHttpRequest at 'https://SERVER/endpoint' from origin 'https://SERVER.DOMAIN.LOCAL' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Now that I'm typing this, I notice that the 1st indicator is just the server's name, and the 2nd indicator is the server's FQDN.现在我正在输入这个,我注意到第一个指示符只是服务器的名称,第二个指示符是服务器的 FQDN。 I wonder if that's the problem?我想知道这是不是问题?
Why am I having all these issues after upgrading Tomcat/Apache?为什么我在升级 Tomcat/Apache 后会遇到所有这些问题?
If my AJP Connectors and Workers are all on the same box, do I need to set a secret?如果我的 AJP 连接器和工作器都在同一个盒子上,我需要设置一个秘密吗?
Why am I now having an issue with CORS when I did not before?为什么我现在对 CORS 有问题,而我以前没有? How do I setup the CORS Filter so that it knows that communication between Apache <--> Tomcat (from this server TO THIS server) is safe??!?如何设置 CORS 过滤器,以便它知道 Apache <--> Tomcat(从该服务器到该服务器)之间的通信是安全的??
Is this setting below safe?下面这个设置安全吗? We've never had this setting enabled prior to the upgrade.在升级之前,我们从未启用此设置。
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
1 个解决方案
解决方案1
0 2021-03-17 21:27:23
Now that I'm typing this, I notice that the 1st indicator is just the server's name, and the 2nd indicator is the server's FQDN.
That was the problem.这就是问题所在。 The page was at http://server.domain.local , but my app was making an AJAX call to http://server .该页面位于http://server.domain.local ,但我的应用程序正在对http://server进行 AJAX 调用。 Both should be the same, ie: BOTH as the FQDN server.domain.local , or BOTH as just the hostname server .两者应该相同,即:两者都作为 FQDN server.domain.local或两者都作为主机名server 。 There was not an issue with the Tomcat upgrade at all, and I was not required to create a CORS filter. Tomcat 升级完全没有问题,我不需要创建 CORS 过滤器。
Why am I having all these issues after upgrading Tomcat/Apache?
In the last week, I have attempted to upgrade beyond 9.0.8 to versions 9.0.44 and 10.0.4 .在上周,我尝试将9.0.8升级到9.0.44和10.0.4版本。 In every attempt, I've discovered a 'breaking change'.在每一次尝试中,我都发现了一个“重大变化”。 I am growing weary.我越来越厌倦了。
Best I can tell, the requiredSecret started around version 9.0.31 :我能说的最好的, requiredSecret开始于版本9.0.31 :
- When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String.当 secretRequired 为真时,AJP/1.3 连接器将不会启动,除非将 secret 属性配置为非空、非零长度字符串。 (markt) (市场)
- https://tomcat.apache.org/tomcat-9.0-doc/changelog.html https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
A second 'breaking change' is related to the migration from 9.0.x to 10.0.x .第二个“重大变化”与从9.0.x到10.0.x的迁移有关。 Here's what Tomcat says:这是 Tomcat 所说的:
- There is a significant breaking change between Tomcat 9.0.x and Tomcat 10.0.x. Tomcat 9.0.x 和 Tomcat 10.0.x 之间存在重大突破性变化。 The Java package used by the specification APIs has changed from javax... to jakarta.... It will be necessary to recompile web applications against the new APIs.规范 API 使用的 Java package 已从 javax... 更改为 jakarta.... 需要针对新的 APIs 重新编译 web 应用程序。 Alternatively, users can convert an existing WAR file from Java EE 8 to Jakarta EE 9 using the Apache Tomcat migration tool for Jakarta EE.或者,用户可以使用 Apache Tomcat 迁移工具将现有的 WAR 文件从 Java EE 8 转换为 Jakarta EE 9。
- http://tomcat.apache.org/migration-10.html http://tomcat.apache.org/migration-10.html
If my AJP Connectors and Workers are all on the same box, do I need to set a secret?
My boss told me to set it, so I did.我的老板让我设置它,所以我做了。 I used the following set of instructions, which where fantastic: https://community.microstrategy.com/s/article/Setting-up-the-AJP-port-on-Tomcat-and-Apache-Servers?language=en_US我使用了以下一组指令,其中非常棒: https://community.microstrategy.com/s/article/Setting-up-the-AJP-port-on-Tomcat-and-Apache-Servers?language=en_US
Why am I now having an issue with CORS when I did not before?
Is this setting below safe?
A CORS filter was ultimately unnecessary; CORS 过滤器最终是不必要的; however, if you were to implement one, this article describes how to create a more secure CORS filter:但是,如果您要实现一个,本文将介绍如何创建更安全的 CORS 过滤器:
https://newsroom.bedefended.com/implement-secure-cors-tomcathttps://newsroom.bedefended.com/implement-secure-cors-tomcat
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.