Bilal-S / iis2tomcat

AJP Connector between Internet Information Services (IIS) and Apache Tomcat
http://www.boncode.net/boncode-connector
49 stars 32 forks source link

RequestSecret directive required with latest ColdFusion updates #92

Closed jdickins11 closed 4 years ago

jdickins11 commented 4 years ago

Bilal,

When I read about the latest ColdFusion updates requiring their connector to pass a secret phrase, I was concerned that those updates wouldn't work with the BonCode connector. I was delighted to find and use BonCode's RequestSecret directive to make it work. I should have known you covered all the bases!

Here's my suggested addition for your "Using BonCode with Adobe Coldfusion" page at http://www.boncode.net/boncode-connector/using-boncode-with-adobe-coldfusion to use as you wish.

Thanks once again for your well-done work!

John


Securing BonCode's connection with ColdFusion:

Starting with ColdFusion 2018 Update 8 and ColdFusion 2016 Update 14, ColdFusion expects a secret phrase with each request for added security. ColdFusion requests return security errors until you tell BonCode about ColdFusion's secret phrase.

Do this after the connector install is completed by modifying the BonCodeAJP13.settings file. This is located normally in the BIN directory in your site document root or in the C:\Windows directory for global installs.

First, find the secret phase in ColdFusion's Tomcat server.xml file located at the {cf.instance.home}\runtime\conf directory. Look for the connector line with protocol="AJP/1.3" in that file and copy just the secret phrase inside the secret attribute that looks something like this:

secret="50A2DE1B-ABX8-4530-B095-A2AE7F7F5297"

Add the following directive to the BonCodeAJP13.settings file, specifying the secret phase you just copied, such as:

<RequestSecret>50A2DE1B-ABX8-4530-B095-A2AE7F7F5297</RequestSecret>

You need to restart IIS after this change.

Bilal-S commented 4 years ago

John, I am glad you were able to resolve things. And, thanks, I will add your passage to blog post in a bit.

jdickins11 commented 4 years ago

Bilal,

FYI, Charlie Arehart wrote two posts on these Adobe ColdFusion updates from the perspective of Adobe's IIS connector. They provide more detail on the problem, the fix, and two more potential issues BonCode users may have with the updates.

Charlie's "short" post: Three reasons your sites may break, and how to fix them, after applying March 2020 update to CF2018 or 2016: https://coldfusion.adobe.com/2020/03/three-reasons-sites-may-break-fix-applying-mar-2020-update-cf2018-2016/

Charlie's "elaborated" post: How and why your sites may break, and what to do, after applying March 2020 update to CF2018 or 2016: https://www.carehart.org/blog/client/index.cfm/2020/3/20/how_and_why_sites_may_break_after_Mar_2020_CF_updates

John

Bilal-S commented 4 years ago

Closing

davequested commented 4 years ago

Hi @Bilal-S, could you also add the note about adding address="::1" in the docs to the connector settings in CF, we had to add that otherwise it was so slooooow. Might help others in the future and myself when setting up future installs! Thanks heaps for all your work.

Bilal-S commented 4 years ago

@davequested thanks for the suggestion. Added to docs and blog.