views: 135
answers: 2
We need to host a Java RichFaces/Hibernate app in our hosting service. As a requirement of our security department, we cannot make any connection from that application to our internal databases. One suggested solution was to make an internal web service, but changing the whole database layer is hard. I want to use AJP instead. Is it secure enough?

[Edit] By asking this I mean that the Apache httpd will be serving HTTPS, and by wrapping AJP to go inside our internal servers, could the channel be monitored (in plaintext)? I can't find documentation of the protocol itself.

+3  A: 

Secure enough for what? Plaintext monitoring across the net? Secure enough that an average SO reader can't intercept and read it? Or the NSA?

Security is a trade-off, and you need to determine what sort of attacks you're trying to repel, and how much effort you're going to put in. I know that doesn't answer your question, but I don't believe that question can be answered without thinking about this.

Brian Agnew
+1  A: 

AJP is a direct replacement for HTTP between a front-end web server and a back-end app server. As such, it's no more or less secure than HTTP. If you choose AJP, you choose it purely for performance reasons, nothing else. If you're considering it for other reasons, you need to rethink your requirements.

skaffman
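Added here as an illustration, not code from the question or either answer: a Python encoder and decoder for the AJP13 FORWARD_REQUEST packet, following the field layout in the AJPv13 protocol reference that the asker could not find (it lives under the Tomcat connectors documentation on tomcat.apache.org). The addresses, host name, headers and attribute values are constructed sample values; decoding them shows why the answers equate AJP with plain HTTP: every field, including the optional shared secret, is readable to anyone who can see the link.

```python
import struct

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
HEADER_CODES = {0xA001: "accept", 0xA005: "authorization", 0xA007: "content-type",  # well-known
                0xA008: "content-length", 0xA009: "cookie", 0xA00B: "host", 0xA00E: "user-agent"}
NAME_CODES = {v: k for k, v in HEADER_CODES.items()}
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x05: "query_string", 0x0C: "secret"}

def _s(text):
    """AJP string: 2-byte length, UTF-8 bytes, NUL terminator; 0xFFFF encodes a null string."""
    return b"\xff\xff" if text is None else struct.pack(">H", len(text.encode())) + text.encode() + b"\x00"

def build_forward_request(method, uri, headers, attrs):
    """Encode a web-server -> container FORWARD_REQUEST packet (sample values are constructed)."""
    code = {v: k for k, v in METHODS.items()}[method]
    body = bytes([2, code]) + _s("HTTP/1.1") + _s(uri) + _s("203.0.113.10") + _s(None)
    body += _s("app.example.com") + struct.pack(">HB", 443, 1)      # server_name, port, is_ssl
    body += struct.pack(">H", len(headers))
    for name, value in headers:   # known headers go as 2-byte codes, others as name strings
        body += (struct.pack(">H", NAME_CODES[name]) if name in NAME_CODES else _s(name)) + _s(value)
    for attr_code, value in attrs:   # string-valued attributes, e.g. 0x0C = the shared secret
        body += bytes([attr_code]) + _s(value)
    body += b"\xff"                  # request terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

class _Reader:
    def __init__(self, data): self.d, self.i = data, 0
    def byte(self): self.i += 1; return self.d[self.i - 1]
    def u16(self): self.i += 2; return struct.unpack_from(">H", self.d, self.i - 2)[0]
    def raw(self, n): self.i += n + 1; return self.d[self.i - n - 1:self.i - 1].decode()  # n bytes + NUL
    def string(self):
        n = self.u16()
        return None if n == 0xFFFF else self.raw(n)

def parse_forward_request(packet):
    """Decode a FORWARD_REQUEST exactly as a passive observer on the AJP link could."""
    assert packet[:2] == b"\x12\x34", "not a web-server -> container AJP packet"
    r = _Reader(packet[4:4 + struct.unpack_from(">H", packet, 2)[0]])
    assert r.byte() == 2, "not a FORWARD_REQUEST"
    req = {"method": METHODS.get(r.byte(), "?"), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": r.byte() == 1, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        n = r.u16()                   # 0xA0xx is a header code, anything else a name length
        name = HEADER_CODES[n] if n >> 8 == 0xA0 else r.raw(n)
        req["headers"][name] = r.string()
    while (code := r.byte()) != 0xFF:  # attributes run until the 0xFF terminator
        req["attributes"][ATTR_NAMES.get(code, hex(code))] = r.string()
    return req
```

The secret attribute only lets the container check that the request came from the configured front end; it adds no confidentiality, so the AJP hop needs the same protection you would give plain HTTP, such as an isolated network segment or a tunnel.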