Future of AJP might be OK?

Cantor, Scott cantor.2 at osu.edu
Thu Aug 25 16:39:20 UTC 2022


On 8/25/22, 12:31 PM, "users on behalf of Richard Frovarp via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

> Proxying via AJP only works on trusted networks, and likely only on the same host from a security point of view. There is no security in the protocol, and there have been various attacks against it over time.

The same is true of HTTP... that's one of the big reasons it's such a bad idea: it's a trivial protocol to spoof, since every machine in the world has a client.

If all one cared about was passive attacks, the security of AJP would be the same except that the data would be visible, and half the time people proxy HTTP in the clear anyway.

> And of course for Shibboleth, the recommended container is Jetty, which dropped AJP with Jetty 9.

That's an IdP recommendation (and we don't suggest proxying it), and this was more to do with the use of the SP in front of it.

-- Scott
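The "trusted network / same host only" rule from the thread is easy to state and easy to drift away from in a config file. The following is an added example, not code from the Shibboleth project or from either poster: a small audit that parses a Tomcat-style server.xml (Tomcat is assumed here, since the thread names only Jetty, which no longer ships AJP) and flags AJP connectors that listen beyond loopback or do not require the AJP shared secret. The sample server.xml is constructed for the example. The defaults it assumes when an attribute is absent (no `address` means all interfaces, no `secretRequired` means not required) are deliberately pessimistic: newer Tomcat releases default to loopback and `secretRequired="true"`, but an audit should not depend on which release happens to be installed.

```python
"""Audit AJP connectors in a Tomcat-style server.xml for the
'trusted network, ideally same host' rule discussed in the thread.

Added example; the sample XML below is constructed, not a real deployment.
"""
import xml.etree.ElementTree as ET

# Addresses accepted as "same host". Anything else is a finding.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one weak AJP connector, one hardened one, one plain HTTP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- weak: no address (all interfaces), secret explicitly not required -->
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
               secretRequired="false"/>
    <!-- hardened: loopback only, shared secret required and set -->
    <Connector protocol="AJP/1.3" port="8010" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-random-value"/>
    <Connector protocol="HTTP/1.1" port="8080"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding dict per AJP connector.

    Each dict has 'port', 'address' and a 'problems' list; an empty
    'problems' list means the connector satisfies the same-host rule
    and requires a shared secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in protocol.upper():
            continue

        # Pessimistic assumption (see lead-in): a missing address is treated
        # as a bind to every interface, which is what older releases did.
        address = conn.get("address", "0.0.0.0")
        # Pessimistic assumption: absent secretRequired is treated as false.
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        secret = conn.get("secret")

        problems = []
        if address not in LOOPBACK_ADDRESSES:
            problems.append(f"bound to {address}, not loopback")
        if not secret_required:
            problems.append("secretRequired is not true")
        elif not secret:
            problems.append("secretRequired=true but no secret configured")

        findings.append({"port": conn.get("port"), "address": address,
                         "problems": problems})
    return findings


def is_ajp_same_host_only(server_xml: str) -> bool:
    """True when every AJP connector passes the audit (or there are none)."""
    return all(not f["problems"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["problems"] else "; ".join(finding["problems"])
        print(f"AJP port {finding['port']} on {finding['address']}: {status}")
```

Run against the sample, port 8009 is reported twice over (all-interfaces bind, no secret) and port 8010 is clean. The secret is only half of the arrangement: the same value has to be configured on the proxy side (for example mod_proxy_ajp's `secret=` worker parameter or mod_jk's worker `secret` property), and a loopback bind still assumes nothing untrusted runs on that host, which is the "same host from a security point of view" caveat from the thread, not a substitute for it.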



