Application fails to start with the error below. This happened after the upgrade from 2.1.9 to 2.2.5, and I had to do this to avoid the Ghostcat vulnerability.
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
	at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
	... 22 common frames omitted
Reference: https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/4
Comment From: wilkinsona
This is due to a change in Tomcat's default behaviour to address the CVE. When enabling AJP, you now also need to configure a secret (recommended) or disable the need for one (to be done with caution). Either can be achieved using a TomcatConnectorCustomizer. Here's an example of configuring the former:
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;

@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    // The connector's protocol handler is the AJP implementation, which owns the secret setting
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecret("your-secret");
}
The latter can be achieved by replacing the call to setSecret(String) with a call to setSecretRequired(false).
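A fuller version of the recommended option, added here as an illustration rather than code from the Spring Boot maintainers or from the issue: a configuration class that registers an AJP connector only when a secret has been supplied, keeps secretRequired at its post-fix default of true, and binds the listener to loopback. The property names app.ajp.secret and app.ajp.port and the class name are assumptions; the AJP default port 8009 and the Spring Boot and Tomcat APIs used are real.

```java
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

@Configuration
public class AjpConnectorConfig {

    // Hypothetical property name; supply the value from the environment or a secret store,
    // not from a file checked into source control.
    @Value("${app.ajp.secret:}")
    private String ajpSecret;

    // 8009 is the conventional AJP port; override it with the (hypothetical) app.ajp.port property.
    @Value("${app.ajp.port:8009}")
    private int ajpPort;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpConnectorCustomizer() {
        // Additional connectors are not passed through TomcatConnectorCustomizer beans,
        // so the AJP settings are applied directly while the connector is built.
        return factory -> factory.addAdditionalTomcatConnectors(buildAjpConnector(ajpSecret, ajpPort));
    }

    static Connector buildAjpConnector(String secret, int port) {
        if (!StringUtils.hasText(secret)) {
            // Fail at startup instead of falling back to setSecretRequired(false):
            // an AJP listener that accepts unauthenticated proxies is what CVE-2020-1938 abused.
            throw new IllegalStateException(
                    "app.ajp.secret must be set before the AJP connector can be enabled");
        }
        Connector connector = new Connector("AJP/1.3");
        connector.setPort(port);
        connector.setScheme("http");
        connector.setSecure(false);
        // Listen on loopback only; the reverse proxy that speaks AJP is expected on the same host.
        connector.setProperty("address", "127.0.0.1");

        AbstractAjpProtocol<?> protocol = (AbstractAjpProtocol<?>) connector.getProtocolHandler();
        protocol.setSecretRequired(true); // Tomcat's default since the fix, made explicit here
        protocol.setSecret(secret);
        return connector;
    }
}
```

The reverse proxy in front of Tomcat has to present the same secret on every AJP request (for Apache httpd's mod_proxy_ajp this is the secret worker parameter); with a mismatch Tomcat rejects the request and the failure shows up in Tomcat's log rather than in the browser, which is a useful signal to watch for after the upgrade.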
Comment From: manjunathkadrolli
@wilkinsona I replaced the setSecret(String) with setSecretRequired(false) as detailed below
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;

@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    // Turns off the secret requirement on the connector's AJP protocol handler
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecretRequired(false);
}
but I am still seeing the same error.
Comment From: manjunathkadrolli
@wilkinsona got it working thank you for the response.
Comment From: skrzyneckik
Am I correct that secretRequired is true by default to target the Ghostcat vulnerability, and that setSecretRequired(false) actually re-enables this vulnerability? I think it's worth pointing it out.
Comment From: manjunathkadrolli
Looks like it, since the issue appeared after the upgrade!
Comment From: wilkinsona
@skrzyneckik Yes, that's correct. That's why I said above that calling setSecretRequired(false) is to be done with caution. As with most things related to configuring Tomcat, reading Tomcat's own documentation, where you can find some guidance on configuring AJP, is recommended.