Apache JServ Protocol

Source: Wikipedia, the free encyclopedia.

The Apache JServ Protocol (AJP) is a

binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server.[1]

It also supports some monitoring in that the web server can ping the application server. Web implementors typically use AJP in a load-balanced deployment where one or more front-end web servers feed requests into one or more application servers. Sessions are redirected to the correct application server using a routing mechanism wherein each application server instance gets a name (called a route). In this scenario the web server functions as a reverse proxy[2] for the application server. Lastly, AJP supports request attributes which, when populated with environment-specific settings in the reverse proxy, provides for secure communication between the reverse proxy and application server.[3][4]

AJP runs in

mod_jk plugin and in Apache 2.x using mod_proxy_ajp, mod_proxy and proxy balancer modules together. Other web server implementations exist for: lighttpd 1.4.59,[5] nginx,[6] Grizzly 2.1,[7] and the Internet Information Services.[2]

Web container application servers supporting AJP include: Apache Tomcat, WildFly (formerly JBoss AS), and GlassFish.

History

Alexei Kosut originally developed the Apache JServ Protocol in July 1997[8] but the version 1.0 specification was published later on July 29, 1998.[9] He also wrote the first implementations of it in the same month, with the releases of the Apache JServ servlet engine 0.9 and the Apache mod_jserv 0.9a (released on July 30, 1997).[10]

The specification was updated to version 1.1 on September 9, 1998.[11] Also in 1998, a revamped protocol was created and published in specification versions 2[12] and 2.1,[8] however it was never adopted.

In 1999,

Java servlet API version 2.1.[13]

The current specification remains at version 1.3,[14] however there is a published extension proposal[15] as well as an archived experimental 1.4 proposal.[16]

See also

References

  1. ^ "AJP File Read/Inclusion in Apache Tomcat (CVE-2020-1938) and Undertow (CVE-2020-1745)". Red Hat Customer Portal. Retrieved 1 March 2020.
  2. ^ a b "BonCode Apache Tomcat AJP 1.3 Connector". boncode.net. Retrieved 9 October 2017.
  3. ^ "NativeSPAttributeAccess". Shibboleth Consortium. Retrieved 13 November 2017.
  4. ^ "Apache Module mod_proxy_ajp". Apache HTTP Server Project. Retrieved 13 November 2017.
  5. ^ "Docs - Lighttpd - lighty labs". redmine.lighttpd.net. Retrieved 14 July 2021.
  6. ^ Yao(姚伟斌), Weibin (6 October 2017). "nginx_ajp_module: support AJP protocol proxy with Nginx". Retrieved 9 October 2017 – via GitHub.
  7. ^ "AJP". Grizzly 2.3 User's Guide. java.net. Retrieved 2013-04-29.
  8. ^ a b Barbieri, Federico; Fumagalli, Pierpaolo; Kluft, Ian; Korthof, Ed; Mazzocchi, Stefano; Pool, Martin (June 30, 1998). "Apache JServ Protocol Version 2.1". Java Apache Project. Archived from the original on 2003-08-04.
  9. ^ Kosut, Alexei (July 29, 1998). "Apache JServ Protocol Version 1.0". Java Apache Project. Archived from the original on 2003-04-15.
  10. ^ "History of Changes - Apache JServ Project". Java Apache Project. Archived from the original on 2003-04-16.
  11. ^ Kosut, Alexei (September 9, 1998). "Apache JServ Protocol Version 1.1". Java Apache Project. Archived from the original on 2003-08-04.
  12. ^ Kluft, Ian; Korthof, Ed; Mazzocchi, Stefano (February 15, 1998). "Apache JServ Protocol Version 2". Java Apache Project. Archived from the original on 2003-08-05.
  13. ^ "The Origin Story of Tomcat". TechNotif. Retrieved 2018-07-25.
  14. ^ "AJP Protocol Reference - AJPv13". Apache Tomcat. Retrieved 2016-08-20.
  15. ^ "AJP Protocol Reference - AJPv13 Extension Proposal". Apache Tomcat. Retrieved 2016-08-20.
  16. ^ "AJPv14 Proposal". Apache Tomcat. Retrieved 2019-05-06.