https://bz.apache.org/bugzilla/show_bug.cgi?id=60674
--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> --- (In reply to Ralf Hauser from comment #0) > 1) why is the class "final"? > ==> pls remove that Interesting: it's been final since the class was first introduced. markt would have to comment on that decision. My guess is that, since this is a security-related class, it's best to have the configuration as immutable as possible. > Similarly, please make the variables like allowedHttpHeaders "protected" > instead of "private final" or is there some "rationale" behind this (coding > guidelines mandating this)? See above. Rather than making the members protected, there should be a protected constructor, and the fields can therefore remain final. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org