Tomcat Client Authentication using SSL – Stack Overflow

Allowing Maven access to Tomcat

To do this, open the file $MAVEN_HOME/conf/settings.xml and add a server:

Adding a plugin for automatic deployment

Open the project's pom.xml and add the plugin to it:

Deploying the application

To deploy the application, run the command mvn tomcat7:deploy. Example output:

Apache Tomcat 9 (9.0.65) – security considerations

By default, a non-TLS, HTTP/1.1 connector is configured on port 8080.
Connectors that will not be used should be removed from server.xml.

AJP Connectors should only be used on trusted networks or be
appropriately secured with a suitable secret attribute.

AJP Connectors block forwarded requests with unknown request
attributes. Known safe and/or expected attributes may be allowed by
configuring an appropriate regular expression for the
allowedRequestAttributesPattern attribute.

The address attribute may be used to control which IP
address a connector listens on for connections. By default, a connector
listens on all configured IP addresses.

The allowTrace attribute may be used to enable TRACE
requests which can be useful for debugging. Due to the way some browsers
handle the response from a TRACE request (which exposes the browser to an
XSS attack), support for TRACE requests is disabled by default.

The discardFacades attribute set to true
will cause a new facade object to be created for each request. This
reduces the chances of a bug in an application exposing data from one
request to another.

The encodedSolidusHandling attribute allows
non-standard parsing of the request URI. Setting this attribute to a
non-default value when behind a reverse proxy may enable an attacker to
bypass any security constraints enforced by the proxy.

The maxPostSize attribute controls the maximum size
of a POST request that will be parsed for parameters. The parameters are
cached for the duration of the request so this is limited to 2MB by
default to reduce exposure to a DOS attack.

The maxSavePostSize attribute controls the saving of
the request body during FORM and CLIENT-CERT authentication and HTTP/1.1
upgrade. For FORM authentication, the request body is cached for the
duration of the authentication (which may be many minutes) so this is
limited to 4KB by default to reduce exposure to a DOS attack.

The maxParameterCount attribute controls the
maximum number of parameter and value pairs (GET plus POST) that can
be parsed and stored in the request. Excessive parameters are ignored.
If you want to reject such requests, configure a
FailedRequestFilter.

The xpoweredBy attribute controls whether or not the
X-Powered-By HTTP header is sent with each request. If sent, the value of
the header contains the Servlet and JSP specification versions, the full
Tomcat version (e.g. Apache Tomcat/9.0), the name of
the JVM vendor and
the version of the JVM. This header is disabled by default. This header
can provide useful information to both legitimate clients and attackers.

The server attribute controls the value of the Server
HTTP header. The default value of this header for Tomcat 4.1.x to
8.0.x is Apache-Coyote/1.1. From 8.5.x onwards this header is not set by
default. This header can provide limited information to both legitimate
clients and attackers.

The SSLEnabled, scheme and
secure attributes may all be independently set. These are
normally used when Tomcat is located behind a reverse proxy and the proxy
is connecting to Tomcat via HTTP or HTTPS. They allow Tomcat to see the
SSL attributes of the connections between the client and the proxy rather
than the proxy and Tomcat. For example, the client may connect to the
proxy over HTTPS but the proxy connects to Tomcat using HTTP. If it is
necessary for Tomcat to be able to distinguish between secure and
non-secure connections received by a proxy, the proxy must use separate
connectors to pass secure and non-secure requests to Tomcat. If the
proxy uses AJP then the SSL attributes of the client connection are
passed via the AJP protocol and separate connectors are not needed.

The tomcatAuthentication and
tomcatAuthorization attributes are used with the
AJP connectors to determine if Tomcat should handle all authentication and
authorisation or if authentication should be delegated to the reverse
proxy (the authenticated user name is passed to Tomcat as part of the AJP
protocol) with the option for Tomcat to still perform authorization.

The requiredSecret attribute in AJP connectors
configures a shared secret between Tomcat and the reverse proxy in front of
it. It is used to prevent unauthorized connections over the AJP protocol.
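The connector attributes described above are easy to misconfigure and easy to audit mechanically. The following script is an added example (not part of Tomcat or of the original page) that parses a server.xml and reports, per Connector, the settings this section warns about: an AJP connector bound to all addresses or lacking a shared secret, allowTrace or xpoweredBy enabled, a non-default encodedSolidusHandling, and maxPostSize or maxSavePostSize raised above or set below the defaults quoted above (2 MB and 4 KB). The embedded server.xml is constructed for the demonstration and the secret value in it is a placeholder; the audit_connector and audit_server_xml function names are the example's own.

```python
"""Audit the <Connector> elements of a Tomcat server.xml against the
connector attribute guidance above.  Added example, not Tomcat code."""
import xml.etree.ElementTree as ET

# Defaults quoted in the text above: 2 MB maxPostSize, 4 KB maxSavePostSize.
# 'reject' is Tomcat 9's default encodedSolidusHandling value.
DEFAULT_MAX_POST_SIZE = 2 * 1024 * 1024
DEFAULT_MAX_SAVE_POST_SIZE = 4 * 1024
LISTEN_ALL = (None, "", "0.0.0.0", "::")   # address values meaning "every interface"

# Constructed sample server.xml (not from a real deployment): a weak HTTP
# connector, an unprotected AJP connector, and a correctly restricted AJP one.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               allowTrace="true" xpoweredBy="true"
               encodedSolidusHandling="decode"
               maxPostSize="104857600" maxSavePostSize="-1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-RANDOM-SECRET" />
  </Service>
</Server>
"""


def _is_true(value):
    """Tomcat boolean attributes are the literal strings true/false."""
    return value is not None and value.strip().lower() == "true"


def _as_int(value, default):
    """Parse a numeric attribute, falling back to Tomcat's default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def audit_connector(attrs):
    """Return the list of findings for one Connector, given its attribute dict."""
    findings = []
    protocol = attrs.get("protocol", "HTTP/1.1").upper()

    if protocol.startswith("AJP"):
        # No address attribute means the connector listens on all addresses.
        if attrs.get("address") in LISTEN_ALL:
            findings.append("AJP connector listens on all addresses; bind it to a trusted interface")
        # Tomcat 9 uses 'secret'; 'requiredSecret' is the older attribute name.
        if not (attrs.get("secret") or attrs.get("requiredSecret")):
            findings.append("AJP connector has no shared secret with the reverse proxy")

    if _is_true(attrs.get("allowTrace")):
        findings.append("allowTrace=true exposes TRACE (cross-site tracing risk)")
    if _is_true(attrs.get("xpoweredBy")):
        findings.append("xpoweredBy=true leaks Tomcat/JVM versions in X-Powered-By")
    if attrs.get("encodedSolidusHandling", "reject") != "reject":
        findings.append("non-default encodedSolidusHandling can bypass proxy-enforced constraints")

    # A negative value disables these limits entirely; larger values widen DoS exposure.
    max_post = _as_int(attrs.get("maxPostSize"), DEFAULT_MAX_POST_SIZE)
    if max_post < 0 or max_post > DEFAULT_MAX_POST_SIZE:
        findings.append(f"maxPostSize={max_post} exceeds or disables the 2 MB default (DoS exposure)")
    max_save = _as_int(attrs.get("maxSavePostSize"), DEFAULT_MAX_SAVE_POST_SIZE)
    if max_save < 0 or max_save > DEFAULT_MAX_SAVE_POST_SIZE:
        findings.append(f"maxSavePostSize={max_save} exceeds or disables the 4 KB default (DoS exposure)")
    return findings


def audit_server_xml(xml_text):
    """Map each Connector's port to its findings; a clean connector maps to []."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): audit_connector(c.attrib) for c in root.iter("Connector")}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"Connector port {port}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real $CATALINA_HOME/conf/server.xml by reading the file into audit_server_xml; an empty finding list for every connector means the attributes discussed in this section are at their conservative values, though it says nothing about connectors that should simply be removed because they are unused.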

Connecting to the directory

The realm’s connection to the directory is defined by the
connectionURL configuration attribute. This is a URL
whose format is defined by the JNDI provider. It is usually an LDAP
URL that specifies the domain name of the directory server to connect
to, and optionally the port number and distinguished name (DN) of the
required root naming context.

If you have more than one provider you can configure an
alternateURL. If a socket connection cannot be
made to the provider at the connectionURL, an
attempt will be made to use the alternateURL.

Quick start

To set up Tomcat to use JNDIRealm, you will need to follow these steps:

Realm element attributes

To configure a JNDIRealm, you must create a <Realm>
element and nest it in your $CATALINA_HOME/conf/server.xml file,
as described above. The attributes supported
by this Realm are listed in the Realm configuration
documentation.
