Thanks for the info. Will this change be backported to 8.5 and 7?

John Larsen



On Fri, Feb 14, 2020 at 9:03 AM Mark Thomas <ma...@apache.org> wrote:

> On 14/02/2020 15:56, John Larsen wrote:
> > From my testing.
> >
> > secretRequired="false" is still needed though docs say it's deprecated in
> > favor of just secret.
>
> Not correct.
>
> You are confusing requiredSecret (which has been deprecated in favour of
> secret) with secretRequired.
>
> > I also had to change the worker from host=localhost to host=127.0.0.1
>
> That suggests that localhost resolves to something other than 127.0.0.1
>
> > Also AJP13 connector protocol block is commented out where it never was
> > before.
> >
> > I'd prefer acceptance of localhost by default and then add secret for
> > remote ajp servers.
>
> While that might be secure enough by default for your use case it isn't
> secure enough by default for those users when not all users with the
> ability to log on to the host are considered trusted.
>
> Mark
>
>
> >
> > John Larsen
> >
> > On Fri, Feb 14, 2020 at 7:37 AM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 14/02/2020 14:21, John Larsen wrote:
> >>> I apologize - coffee started to kick in.  The address="::1"  portion is
> >>> commented out.
> >>>
> >>> Will adding  secret="false"? in the server.xml bypass this issue?
> >>>
> >>> <Connector protocol="AJP/1.3" port="8080" secret="false"
> >>> redirectPort="8443" />
> >>
> >> That will give you an AJP connector that is only listening on the
> >> loopback interface.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Thanks,
> >>>
> >>> John Larsen
> >>>
> >>> On Fri, Feb 14, 2020 at 6:52 AM Mark Thomas <ma...@apache.org> wrote:
> >>>
> >>>> On 14/02/2020 13:45, John Larsen wrote:
> >>>>> Seems Tomcat 9.0.31 has thrown me a curve and messed up my automation.
> >>>>>
> >>>>> Where can I understand this change better?
> >>>>> "Rename the requiredSecret attribute of the AJP/1.3 Connector to secret
> >>>>> and add a new attribute secretRequired that defaults to true. When
> >>>>> secretRequired is true the AJP/1.3 Connector will not start unless the
> >>>>> secret attribute is configured to a non-null, non-zero length String.
> >>>>> (markt)"
> >>>>>
> >>>>> Or can I just change this to false? What is its purpose?
> >>>>
> >>>> The purpose of that attribute is to stop you starting up Tomcat with an
> >>>> AJP connector that is open to the world without stopping to think first.
> >>>>
> >>>> AJP assumes all connecting clients are trusted.
> >>>>
> >>>> You need to make sure that, through the combination of AJP
> >>>> configuration, network configuration, etc. that this is the case.
> >>>>
> >>>> If you describe your particular use case, we people on this list should
> >>>> be able to provide you with recommended configuration options.
> >>>>
> >>>> Mark
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
>
>
>
>
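
The following is an added example, not code from the thread or from the Tomcat project: a small audit of the AJP connectors in a server.xml against the behaviour discussed above (secretRequired defaulting to true, requiredSecret renamed to secret, loopback versus other listen addresses). The function names, the sample XML and the assumption that a connector without an address attribute listens on loopback are choices made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (ports, addresses and secrets are placeholders).
SAMPLE = """<Server><Service name="Catalina">
  <Connector protocol="HTTP/1.1" port="8080" />
  <Connector protocol="AJP/1.3" port="8009" secretRequired="false" />
  <Connector protocol="AJP/1.3" port="8010" address="0.0.0.0" requiredSecret="PLACEHOLDER" />
  <Connector protocol="AJP/1.3" port="8011" address="0.0.0.0" />
  <Connector protocol="AJP/1.3" port="8012" address="10.0.0.5" secret="PLACEHOLDER" />
  <Connector protocol="AJP/1.3" port="8013" address="10.0.0.5" secretRequired="false" />
</Service></Server>"""

def is_loopback(address):
    # Assumption: a connector with no address attribute binds to loopback.
    if address is None:
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # hostname: what it resolves to is not checked here

def audit_ajp(xml_text):
    """Return {port: [findings]} for every AJP connector in a server.xml."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        notes = []
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        required = conn.get("secretRequired", "true").lower() == "true"
        if conn.get("requiredSecret") is not None:
            notes.append("requiredSecret is deprecated: rename it to secret")
        if not secret and required:
            notes.append("will not start: secretRequired is true but no secret is set")
        elif not secret and is_loopback(conn.get("address")):
            notes.append("no secret: every local user who can reach the port is trusted")
        elif not secret:
            notes.append("no secret on a non-loopback address: every host that can reach the port is trusted")
        findings[conn.get("port")] = notes
    return findings

if __name__ == "__main__":
    for port, notes in audit_ajp(SAMPLE).items():
        print(port, notes or ["ok"])
```

A hostname in the address attribute is reported as non-loopback because the script does not resolve it, which matches the caution above about what localhost may resolve to.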
