On 14/02/2020 15:56, John Larsen wrote:
> From my testing.
> 
> secretRequired="false" is still needed though the docs say it's deprecated in
> favor of just secret.

Not correct.

You are confusing requiredSecret (which has been deprecated in favour of
secret) with secretRequired.

> I also had to change the worker from host=localhost to host=127.0.0.1

That suggests that localhost resolves to something other than 127.0.0.1.

> Also AJP13 connector protocol block is commented out where it never was
> before.
> 
> I'd prefer acceptance of localhost by default and then add secret for
> remote ajp servers.

While that might be secure enough by default for your use case it isn't
secure enough by default for those users when not all users with the
ability to log on to the host are considered trusted.

Mark


> 
> John Larsen
> 
> On Fri, Feb 14, 2020 at 7:37 AM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 14/02/2020 14:21, John Larsen wrote:
>>> I apologize - coffee started to kick in.  The address="::1"  portion is
>>> commented out.
>>>
>>> Will adding secret="false" in the server.xml bypass this issue?
>>>
>>> <Connector protocol="AJP/1.3" port="8080" secret="false"
>>> redirectPort="8443" />
>>
>> That will give you an AJP connector that is only listening on the
>> loopback interface.
>>
>> Mark
>>
>>
>>>
>>> Thanks,
>>>
>>> John Larsen
>>>
>>> On Fri, Feb 14, 2020 at 6:52 AM Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 14/02/2020 13:45, John Larsen wrote:
>>>>> Seems Tomcat 9.0.31 has thrown me a curve and messed up my automation.
>>>>>
>>>>> Where can I understand this change better?
>>>>> "Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and
>>>>> add a new attribute secretRequired that defaults to true. When
>>>>> secretRequired is true the AJP/1.3 Connector will not start unless the secret
>>>>> attribute is configured to a non-null, non-zero length String. (markt)"
>>>>>
>>>>> Or can I just change this to false? What is its purpose?
>>>>
>>>> The purpose of that attribute is to stop you starting up Tomcat with an
>>>> AJP connector that is open to the world without stopping to think first.
>>>>
>>>> AJP assumes all connecting clients are trusted.
>>>>
>>>> You need to make sure that, through the combination of AJP
>>>> configuration, network configuration, etc. that this is the case.
>>>>
>>>> If you describe your particular use case, we people on this list should
>>>> be able to provide you with recommended configuration options.
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>>
>>>
>>
> 

