On 13.02.20 11:17, Olaf Kock wrote:
> On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>
>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
>> The setting is the same as mine.
>>
>> I have used the server.xml from 8.5.50. In the case of 8.5.50, I have no
>> problem.
>>
>> Please note, I have been using Tomcat for 5 years with updates.
>> Why this time?
>
> Because this time, security relevant defaults changed: See these recent
> commits on the git mirror:
>
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262

Or, more easily digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

> - AJP defaults changed to listen the loopback address, require a
> secret and to be disabled in the sample server.xml

And the changelog on
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51
contains this information on AJP:

  * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
    default. (markt)
  * Update: Change the default bind address for the AJP/1.3 connector to
    be the loopback address. (markt)
  * Add: Rename the requiredSecret attribute of the AJP/1.3 Connector
    to secret and add a new attribute secretRequired that defaults
    to true. When secretRequired is true the AJP/1.3 Connector
    will not start unless the secret attribute is configured to a
    non-null, non-zero length String. (markt)
  * Add: Add a new attribute, allowedRequestAttributesPattern, to the
    AJP/1.3 Connector. Requests with unrecognised attributes will be
    blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
available" thread on this changed default that might give you some
background.

I hope this helps,

Olaf

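The changelog entries quoted in Olaf's reply name the three settings that changed (connector commented out, bind address, secret). As an added example that is not code from the thread or from the Tomcat project, the script below audits a server.xml for exactly those settings and can rewrite a legacy AJP connector into the hardened form. The three server.xml snippets inside it are constructed samples (the 8.5.50-style default, a hardened connector, and the 8.5.51 shipped default with AJP commented out); the secret values are placeholders, and the finding text is this example's own wording.

```python
"""Audit the AJP/1.3 Connector settings in a Tomcat server.xml.

Added example, not Tomcat project code: checks the three things the
8.5.51 changelog turned into defaults (AJP disabled, bound to loopback,
secret required) and can rewrite a legacy connector to the hardened form.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: the pre-8.5.51 default quoted in the thread. With no
# address and no secret, Tomcat < 8.5.51 listens on all interfaces and
# accepts AJP from anyone who can reach port 8009.
LEGACY_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: the same connector with the 8.5.51 attributes set
# explicitly. The secret is a placeholder, not a real credential.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
  </Service>
</Server>
"""

# Constructed sample: the 8.5.51 shipped default, AJP commented out.
DISABLED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def is_ajp(connector: ET.Element) -> bool:
    # A Connector with no protocol attribute is HTTP/1.1; only an explicit
    # AJP/1.3 or org.apache.coyote.ajp.* protocol counts as AJP.
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, [finding, ...]), ...] for every active AJP connector.

    ElementTree drops XML comments, so a commented-out connector (the
    8.5.51 default) is simply absent, just as Tomcat never starts it.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        findings = []
        address = conn.get("address")
        if address is None:
            findings.append("no address: Tomcat < 8.5.51 binds AJP to all interfaces")
        elif address in WILDCARD_ADDRESSES:
            findings.append(f"address={address}: AJP exposed on all interfaces")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret") or conn.get("requiredSecret")
        if secret_required and not secret:
            findings.append("no secret: the proxy is not authenticated "
                            "(8.5.51+ refuses to start this connector)")
        if not secret_required:
            findings.append("secretRequired=false: AJP authentication disabled")
        if conn.get("requiredSecret") is not None:
            findings.append("requiredSecret was renamed to secret in 8.5.51")
        results.append((conn.get("port"), findings))
    return results


def harden_ajp_connectors(server_xml: str, secret: str,
                          address: str = "127.0.0.1") -> str:
    """Pin every AJP connector to `address` and give it `secret`.

    ElementTree re-serialises without comments or the XML declaration, so
    treat the result as a reference, not as a drop-in replacement file.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if is_ajp(conn):
            conn.set("address", address)
            conn.set("secretRequired", "true")
            conn.set("secret", secret)
            conn.attrib.pop("requiredSecret", None)  # old name, replaced
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml_text in (("legacy", LEGACY_SERVER_XML),
                           ("hardened", HARDENED_SERVER_XML),
                           ("disabled", DISABLED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml_text))
    # Fresh random secret; the same value must be configured on the proxy.
    print(harden_ajp_connectors(LEGACY_SERVER_XML, secrets.token_urlsafe(32)))
```

The secret only helps if the reverse proxy sends it: set the same value as the worker's "secret" property in mod_jk (mod_proxy_ajp accepts a "secret=" worker parameter from httpd 2.4.42 onward); otherwise every proxied request is rejected once the connector requires one. Binding to 127.0.0.1 assumes the proxy runs on the same host; for a remote proxy, pin the address to the interface that proxy reaches and firewall port 8009 from everything else.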