Stefan,
On 2/13/20 14:56, Stefan Mayr wrote:
Hi Chris,
Am 13.02.2020 um 15:31 schrieb Christopher Schultz:
[snip]
The answer to the question "why change the default?" is: "because the
default was essentially insecure, in a way that wasn't obvious to
someone who wasn't paying close attention."
On 13/02/2020 19:56, Stefan Mayr wrote:
> Hi Chris,
>
> Am 13.02.2020 um 15:31 schrieb Christopher Schultz:
>> [snip]
>> The answer to the question "why change the default?" is: "because the
>> default was essentially insecure, in a way that wasn't obvious to
>> someone who wasn't paying close att
Hi Chris,
Am 13.02.2020 um 15:31 schrieb Christopher Schultz:
> [snip]
> The answer to the question "why change the default?" is: "because the
> default was essentially insecure, in a way that wasn't obvious to
> someone who wasn't paying close attention."
>
> So we are forcing users to pay close
On 13/02/2020 15:31, Christopher Schultz wrote:
My question would be "why do so many have AJP connectors where no
'address' attribute was specifically configured?"
The answer to the question "why change the default?" is: "because the
default was essentially insecure, in a way that wasn't obvio
Peter,
On 2/13/20 5:05 AM, logo wrote:
>
>
> Am 2020-02-13 10:57, schrieb Olivier Jaquemet:
>> On 13/02/2020 10:32, Rémy Maucherat wrote:
>>> On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet wrote:
On 13/02/2020 01:02, Stefan Mayr wrote:
From: Mark Thomas <ma...@apache.org>
Date: Thursday, Feb 13, 2020, 7:38 AM
To: users@tomcat.apache.org
Subject: Re: [ANN] Apache Tomcat 9.0.31 available
On 13/02/2020 12:42, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Can you sti
On 13/02/2020 12:42, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Can you still use a shared secret, if desired, while “
> You can specify "0.0.0.0" (IPv4) or "::" (IPv6) to restore the behaviour
> of listening on any address
> “
Yes.
Use (or not) of a secret is independent of the listening
From: Mark Thomas <ma...@apache.org>
Date: Thursday, Feb 13, 2020, 5:41 AM
To: users@tomcat.apache.org
Subject: Re: [ANN] Apache Tomcat 9.0.31 available
On 13/02/2020 09:57, Olivier Jaquemet wrote:
> On 13/02/2020 10:32, Rémy Maucherat w
On 13/02/2020 12:04, Olivier Jaquemet wrote:
>
> On 13/02/2020 12:41, Mark Thomas wrote:
>> On 13/02/2020 09:57, Olivier Jaquemet wrote:
>>> I understand the need to introduce a "secured by default" AJP
>>> configuration.
>>> However, I question one choice that was made for this change : the
>>> d
On Thu, Feb 13, 2020 at 1:04 PM Olivier Jaquemet <
olivier.jaque...@jalios.com> wrote:
>
> On 13/02/2020 12:41, Mark Thomas wrote:
> > On 13/02/2020 09:57, Olivier Jaquemet wrote:
> >> I understand the need to introduce a "secured by default" AJP
> >> configuration.
> >> However, I question one ch
On 13/02/2020 12:41, Mark Thomas wrote:
On 13/02/2020 09:57, Olivier Jaquemet wrote:
I understand the need to introduce a "secured by default" AJP
configuration.
However, I question one choice that was made for this change : the
default behavior of the AJP connector to listen only on the loopb
On 13/02/2020 09:57, Olivier Jaquemet wrote:
> On 13/02/2020 10:32, Rémy Maucherat wrote:
>> On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet wrote:
>>> On 13/02/2020 01:02, Stefan Mayr wrote:
> - AJP defaults changed to listen the loopback address, require a
> secret
> and to be di
On 13.02.2020 11:05, logo wrote:
Am 2020-02-13 10:57, schrieb Olivier Jaquemet:
On 13/02/2020 10:32, Rémy Maucherat wrote:
On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet wrote:
On 13/02/2020 01:02, Stefan Mayr wrote:
- AJP defaults changed to listen the loopback address, require a secre
Am 2020-02-13 10:57, schrieb Olivier Jaquemet:
On 13/02/2020 10:32, Rémy Maucherat wrote:
On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet wrote:
On 13/02/2020 01:02, Stefan Mayr wrote:
- AJP defaults changed to listen the loopback address, require a
secret
and to be disabled in the sa
On 13/02/2020 10:32, Rémy Maucherat wrote:
On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet wrote:
On 13/02/2020 01:02, Stefan Mayr wrote:
- AJP defaults changed to listen the loopback address, require a secret
and to be disabled in the sample server.xml
[snip]
Am I correct ? Why such a c
On 2020/02/13 18:32, Rémy Maucherat wrote:
It is obviously best to keep default configurations as stable as possible.
But sometimes things have to change ... As a result, you'll indeed need to
adjust your server.xml according to your deployment and AJP usage.
The documentation for the new attrib
On Thu, Feb 13, 2020 at 9:33 AM Olivier Jaquemet <
olivier.jaque...@jalios.com> wrote:
> On 13/02/2020 01:02, Stefan Mayr wrote:
> > Hi,
> >
> >> - AJP defaults changed to listen the loopback address, require a secret
> >>and to be disabled in the sample server.xml
> > What was the motivation
On 13/02/2020 01:02, Stefan Mayr wrote:
Hi,
- AJP defaults changed to listen the loopback address, require a secret
and to be disabled in the sample server.xml
What was the motivation behind this breaking change to require a secret
or to explicitly disable it? What makes an open AJP connector
Hi,
> - AJP defaults changed to listen the loopback address, require a secret
> and to be disabled in the sample server.xml
What was the motivation behind this breaking change to require a secret
or to explicitly disable it? What makes an open AJP connector more unsafe
than an open HTTP connector
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.30.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.31 is a bugfix and feat
20 matches