Thank you for your kind response to my mail.
I read the changelog. I might understand the contents.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:26, Olaf Kock wrote:
On 13.02.20 11:17, Olaf Kock wrote:
On 13.02.20 10:36, wrote:
On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
Check in the file (tomcat_dir)/conf/server.xml, the Connector :

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
The setting is the same as mine.

I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no

Please notice, I have been using Tomcat for 5 years with updates.
Why this time?
Because this time, security relevant defaults changed: See these recent
commits on the git mirror:
Or, even better digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

- AJP defaults changed to listen on the loopback address, require a
secret and to be disabled in the sample server.xml

And the changelog on for 8.5.51
contains this information on AJP:

   * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
     default. (markt)
   * Update: Change the default bind address for the AJP/1.3 connector to
     be the loopback address. (markt)
   * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector
     to |secret| and add a new attribute |secretRequired| that defaults
     to |true|. When |secretRequired| is |true| the AJP/1.3 Connector
     will not start unless the |secret| attribute is configured to a
     non-null, non-zero length String. (markt)
   * Add: Add a new attribute, |allowedRequestAttributesPattern| to the
     AJP/1.3 Connector. Requests with unrecognised attributes will be
     blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
available" thread on this changed default that might give you some

I hope this helps,


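Added example, not part of the thread or of Tomcat's own code: a Python check that reads a server.xml and reports, for each AJP connector, which of the 8.5.51 changes listed in the changelog above affect it. The sample file, the finding codes and the function names are constructed for illustration; the secret is a placeholder.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (only the 8009 connector line is quoted in
# the thread). The secret value is a placeholder.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="PLACEHOLDER-not-a-real-secret" redirectPort="8443" />
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" redirectPort="8443" />
  </Service>
</Server>
"""


def is_loopback(address):
    """True if the bind address is loopback; no address means the new default."""
    if address is None or address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a hostname we cannot prove to be loopback


def audit_ajp(server_xml):
    """Map each AJP connector port to finding codes under the 8.5.51 defaults."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # only AJP connectors are affected by these changes
        findings = []
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if secret_required and not conn.get("secret"):
            findings.append("NO_SECRET")  # connector will not start
        if not secret_required:
            findings.append("SECRET_NOT_REQUIRED")  # default protection turned off
        if not is_loopback(conn.get("address")):
            findings.append("NON_LOOPBACK_BIND")  # reachable beyond the local host
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```

The 8009 entry is the connector quoted in the thread: carried over unchanged from 8.5.50, it has no `secret`, so under the new `secretRequired` default it is reported as `NO_SECRET`.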