On 14/02/2020 16:04, John Larsen wrote:
> Thanks for the info. Will this change be backported to 8.5 and 7?

It already has been.

Mark

> John Larsen
>
> On Fri, Feb 14, 2020 at 9:03 AM Mark Thomas <ma...@apache.org> wrote:
>
>> On 14/02/2020 15:56, John Larsen wrote:
>>> From my testing.
>>>
>>> secretRequired="false" is still needed though docs say it's deprecated in
>>> favor of just secret.
>>
>> Not correct.
>>
>> You are confusing requiredSecret (which has been deprecated in favour of
>> secret) with secretRequired.
>>
>>> I also had to change the worker from host=localhost to host=127.0.0.1
>>
>> That suggests that localhost resolves to something other than 127.0.0.1
>>
>>> Also AJP13 connector protocol block is commented out where it never was
>>> before.
>>>
>>> I'd prefer acceptance of localhost by default and then add secret for
>>> remote ajp servers.
>>
>> While that might be secure enough by default for your use case it isn't
>> secure enough by default for those users when not all users with the
>> ability to log on to the host are considered trusted.
>>
>> Mark
>>
>>> John Larsen
>>>
>>> On Fri, Feb 14, 2020 at 7:37 AM Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 14/02/2020 14:21, John Larsen wrote:
>>>>> I apologize - coffee started to kick in. The address="::1" portion is
>>>>> commented out.
>>>>>
>>>>> Will adding secret="false"? in the server.xml bypass this issue?
>>>>>
>>>>> <Connector protocol="AJP/1.3" port="8080" secret="false"
>>>>> redirectPort="8443" />
>>>>
>>>> That will give you an AJP connector that is only listening on the
>>>> loopback interface.
>>>>
>>>> Mark
>>>>
>>>>> Thanks,
>>>>>
>>>>> John Larsen
>>>>>
>>>>> On Fri, Feb 14, 2020 at 6:52 AM Mark Thomas <ma...@apache.org> wrote:
>>>>>
>>>>>> On 14/02/2020 13:45, John Larsen wrote:
>>>>>>> Seems tomcat 9.0.31 has thrown me a curve and messed up my automation.
>>>>>>>
>>>>>>> Where can I understand this change better?
>>>>>>> "Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and
>>>>>>> add a new attribute secretRequired that defaults to true. When
>>>>>>> secretRequired is true the AJP/1.3 Connector will not start unless the secret
>>>>>>> attribute is configured to a non-null, non-zero length String. (markt)"
>>>>>>>
>>>>>>> Or can I just change this to false? What is its purpose?
>>>>>>
>>>>>> The purpose of that attribute is to stop you starting up Tomcat with an
>>>>>> AJP connector that is open to the world without stopping to think first.
>>>>>>
>>>>>> AJP assumes all connecting clients are trusted.
>>>>>>
>>>>>> You need to make sure that, through the combination of AJP
>>>>>> configuration, network configuration, etc. that this is the case.
>>>>>>
>>>>>> If you describe your particular use case, we people on this list should
>>>>>> be able to provide you with recommended configuration options.
>>>>>>
>>>>>> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
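
Added example (not part of the thread and not Tomcat project code): a small Python audit of a server.xml for the AJP settings discussed above, including a secret set to "false" and the deprecated requiredSecret name. The sample XML, ports, finding codes and the function names audit_ajp and is_loopback are constructed for illustration; a missing address is assumed to mean the loopback-only default, and a hostname such as localhost is deliberately not counted as loopback.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; ports, addresses and the secret value are made up.
SAMPLE = """<Server><Service name="Catalina">
  <Connector protocol="HTTP/1.1" port="8080" />
  <Connector protocol="AJP/1.3" port="8009" secret="false" redirectPort="8443" />
  <Connector protocol="AJP/1.3" port="8010" address="0.0.0.0" secretRequired="false" />
  <Connector protocol="AJP/1.3" port="8011" address="::1" requiredSecret="constructed-value" />
  <Connector protocol="AJP/1.3" port="8012" />
</Service></Server>"""

def is_loopback(address):
    """True only for a literal loopback IP; a hostname is not trusted to resolve to one."""
    if address is None:
        return True  # assumption: no address attribute means the loopback-only default
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False

def audit_ajp(server_xml):
    """Return (port, code, message) for each AJP Connector problem found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port")
        secret = conn.get("secret") or conn.get("requiredSecret")
        # Assumption: the value is parsed like Java's Boolean.parseBoolean; default is true.
        required = conn.get("secretRequired", "true").lower() == "true"
        if conn.get("requiredSecret") is not None:
            findings.append((port, "deprecated", "requiredSecret was renamed to secret"))
        if secret and secret.lower() in ("true", "false"):
            findings.append((port, "boolean-secret",
                             "secret is a shared string, not a switch; secretRequired is the boolean"))
        if required and not secret:
            findings.append((port, "wont-start", "secretRequired is true but no secret is set"))
        if not required and not secret and not is_loopback(conn.get("address")):
            findings.append((port, "untrusted-reach",
                             "no secret and not loopback-only: every client that can connect is trusted"))
    return findings

if __name__ == "__main__":
    for port, code, message in audit_ajp(SAMPLE):
        print(f"AJP connector on port {port}: [{code}] {message}")
```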