https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
--- Comment #13 from Yann Ylavic <[email protected]> --- (In reply to [email protected] from comment #12) > Now back to the actual topic of this bug. A simple non-controversial patch > has been available since this bug was opened 4 years ago. Yet 4 years later > it still has not been applied. Why? Maybe because a stronger authentication method is possible by using an https connector? Not ajps though (I stand corrected!), but AFAICT current Tomcat versions can be configured to use https and hence TLS authentication. Please keep in mind that committers are volunteer here, with limited time devoted to most important tasks, in their opinion... The point is, IMHO, that a secret sent in clear text in not very secure. Either the network between httpd and tomcat is controlled and an (week) authentication is not needed, or the network is unsafe and a stronger authentication is required. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
