The Apache Tomcat Connector

Documentation Index

Introduction

This is the top-level entry point of the documentation bundle for the Apache Tomcat Connectors.

Select one of the links from the navigation menu (to the left) to drill down to the more detailed documentation that is available. Each available manual is described in more detail below.

Headlines

  • 7 August 2007 - JK-1.2.25 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.25 Stable.

    Download the JK 1.2.25 release sources | PGP signature

    Download the binaries for selected platforms.

  • 27 July 2007 - JK-1.2.24 released

    This release has been withdrawn.

  • 18 May 2007 - JK-1.2.23 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.23 Stable.

    This version addresses the security flaw:
    CVE-2007-1860: A double-encoded ".." in a URL can be used to access URLs on the AJP backend for which no mod_jk forwarding rule exists (the patch for CVE-2007-0450 was insufficient).

    This version fixes the problem by using ForwardURICompatUnparsed as the default for the forwarding JkOption. You can similarly fix the problem for all previous versions of mod_jk by setting "JkOption ForwardURICompatUnparsed". If you upgrade to version 1.2.23, please ensure that you do not have a different forwarding option in your existing configuration. We highly recommend that you consult the forwarding documentation, especially concerning the implications for interaction with mod_rewrite.

    Please note that this issue only affects configurations that use a prefix forwarding rule like "/myapp/*" or "/myapp/*.jsp" to restrict access to the context "/myapp". The issue will allow malicious URLs to reach "/otherapp" or "/otherapp/*.jsp" as well.

    The Tomcat Project thanks Kazu Nambo for his responsible reporting of this vulnerability.

    Download the JK 1.2.23 release sources | PGP signature

    Download the binaries for selected platforms.

  • 17 April 2007 - JK-1.2.22 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.22 Stable.

    Download the JK 1.2.22 release sources | PGP signature

    Download the binaries for selected platforms.

  • 1 March 2007 - JK-1.2.21 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.21 Stable.

    This version addresses the security flaw:
    CVE-2007-0774: A long URL stack overflow vulnerability exists in the URI handler for the mod_jk library. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.

    Please note this issue only affected versions 1.2.19 and 1.2.20 of the JK Apache Tomcat Connector and not previous versions. Tomcat 5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source packages. No other source code releases and no binary packages of Tomcat were affected.

    The Apache Tomcat project recommends that all users who have built mod_jk from source apply the patch or upgrade to the latest level and rebuild. Providers of mod_jk-based modules in pre-compiled form will be able to determine if this vulnerability applies to their builds. That determination has no bearing on any other builds of mod_jk, and mod_jk users are urged to exercise caution and apply patches or upgrade unless they have specific instructions from the provider of their module.

    The Tomcat Project thanks an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for their responsible reporting of this vulnerability.

    Download the JK 1.2.21 release sources | PGP signature

    Download the binaries for selected platforms.

  • 10 December 2006 - JK-1.2.20 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.20 Stable.

    Download the JK 1.2.20 release sources | PGP signature

    Download the binaries for selected platforms.

  • 17 September 2006 - JK-1.2.19 released

    The Apache Tomcat team is proud to announce the immediate availability of Tomcat Connectors 1.2.19 Stable.

    Download the JK 1.2.19 release sources | PGP signature

    Download the binaries for selected platforms.
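
For the CVE-2007-1860 note in the 18 May 2007 headline above, a log check that flags request paths which fall under a forwarded prefix after one percent-decoding but leave it after further decoding. This is an added example, not code from the Tomcat project; the log lines are constructed, the prefix "/myapp/" is taken from the headline's example, and it assumes the rule is matched on the once-decoded path while the backend decodes again.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the page); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2007:10:00:01 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/May/2007:10:00:02 +0000] "GET /myapp/report%2520name.jsp HTTP/1.1" 200 90',
    '192.0.2.12 - - [18/May/2007:10:00:03 +0000] "GET /myapp/%252e%252e/otherapp/admin.jsp HTTP/1.1" 200 77',
    '192.0.2.13 - - [18/May/2007:10:00:04 +0000] "GET /myapp/%2e%2e/otherapp/admin.jsp HTTP/1.1" 404 0',
]
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')


def decode_rounds(path, max_rounds=3):
    """Return [raw, decoded once, decoded twice, ...] until decoding changes nothing."""
    forms = [path]
    for _ in range(max_rounds):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms


def under(path, prefix):
    """True if the normalized path lies inside the prefix (prefix ends with '/')."""
    return (posixpath.normpath(path) + "/").startswith(prefix)


def escapes_prefix(path, prefix):
    """Flag paths that match the rule after one decoding but leave it after further decoding."""
    forms = decode_rounds(path.split("?", 1)[0])
    if len(forms) < 3:  # decoding changed the path at most once: not double encoded
        return False
    return under(forms[1], prefix) and not under(forms[-1], prefix)


def find_suspicious(log_lines, prefix):
    """Return the raw request paths in the log that escape the forwarded prefix."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and escapes_prefix(match.group(1), prefix):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, "/myapp/"):
        print("double-encoded traversal out of /myapp/:", hit)
```

The benign double-encoded space in the second sample line is not flagged, because its fully decoded path stays inside the prefix.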

Reference Guide

  • workers.properties

    A Tomcat worker is a Tomcat instance that is waiting to execute servlets on behalf of some web server. For example, we can have a web server such as Apache forwarding servlet requests to a Tomcat process (the worker) running behind it.

    This page contains a detailed description of all workers.properties directives.

  • uriworkermap.properties

    The forwarding of requests from the web server to Tomcat is configured by defining mapping rules. The so-called uriworkermap file is a mechanism for defining those rules.

  • Apache

    This page contains a detailed description of all directives related to the Apache web server.

  • IIS

    This page contains a detailed description of all IIS directives.

Generic HowTo

  • Quick Start

    This page describes the configuration files used by JK on the web server side, for the impatient.

  • All about workers

    This page contains an overview of the various aspects of defining and using workers.

  • Timeouts

    This page describes the possible timeout settings you can use.

  • Load Balancing

    This page contains an introduction to load balancing with JK.

Webserver HowTo

These pages contain detailed descriptions of how to build and install JK for the various web servers.

AJP Protocol Reference

  • AJPv13

    This page describes the Apache JServ Protocol version 1.3 (hereafter ajp13).

  • AJPv13 Extension Proposal

    This page describes an extension proposal for ajp13.

Miscellaneous documentation

News

Release news from various years.


Copyright © 1999-2005, Apache Software Foundation