On 24.02.2020 22:04, Christopher Schultz wrote:
> With 8.5.51, requiredSecret is renamed "secret" but "requiredSecret"
> is still an alias of the same configuration property. If #2 happens
> after #1 above, then your actual secret will be the literal string
> "true" (oops).
> We apologize for this confusion. We are trying to clarify things and
> make them more secure.
Nobody is saying that the new configuration and attributes are not better, from a security
point of view. The latest on-line documentation, when taken in isolation, is also pretty
clear and understandable. So people installing Tomcat for the first time should have no
problem.
But I think that quite a few recent posts show that these changes could have been made a
bit more visible for people who have running Tomcats, and are just updating from one minor
version to the next minor version.
Even the on-line documentation for the Connector shows the current attributes and
defaults, but without any mention that they have just changed compared to the previous
minor version. That has apparently caught a lot of people unaware.
Now how to make this more noticeable, without also alerting the bad guys about the
pre-existing vulnerabilities, is probably not so easy.
How about adding a note on top of the migration guide pages, saying: "If you are just
updating from 8.5.50 or lower, to 8.5.51 or higher, you *really* should look at the AJP
Connector attributes again".
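As an added illustration (not part of this thread and not Tomcat's own code), a small audit script that reads a server.xml and flags AJP Connectors with the alias pitfall Christopher describes (a `secret`/`requiredSecret` value that is the literal "true" or "false"), as well as AJP connectors with no shared secret at all. The `secretRequired` and `address` attributes it also checks are assumed from the 8.5.51 Connector documentation, not from this message; the server.xml below is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (sample input, not a real deployment). The 8009
# connector shows the alias pitfall from the thread: requiredSecret="true"
# sets the shared secret to the literal string "true". 8010 has no secret at
# all and binds every interface; 8011 is what a corrected connector looks like.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" requiredSecret="true" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" />
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME-long-random-value" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return (port, finding) pairs for every AJP Connector that needs a look.

    Finding codes: "literal-boolean-secret", "no-secret",
    "secret-check-disabled", "all-interfaces".
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue  # only AJP connectors carry a shared secret
        port = conn.get("port", "?")
        # "secret" is the 8.5.51 name; "requiredSecret" remains an alias of it,
        # so whichever one is present is the value Tomcat will actually use.
        secret = conn.get("secret", conn.get("requiredSecret"))
        if secret is None:
            findings.append((port, "no-secret"))
        elif secret.strip().lower() in ("true", "false"):
            # The boolean was written into the alias: the secret is now "true".
            findings.append((port, "literal-boolean-secret"))
        # Assumption: secretRequired (default true) is the switch that makes
        # Tomcat insist on a secret; "false" turns that check off.
        if conn.get("secretRequired", "true").strip().lower() == "false":
            findings.append((port, "secret-check-disabled"))
        if conn.get("address", "").strip() in ("0.0.0.0", "::"):
            findings.append((port, "all-interfaces"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {finding}")
```

Point it at a real server.xml by replacing the sample string with the file's contents; a clean 8.5.51+ configuration yields an empty list.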