On 19/02/2020 09:02, Martin Grigorov wrote:
> Hi,
>
> On Wed, Feb 19, 2020 at 9:34 AM Friderike Hofmeister <
> friderike.hofmeis...@mbsupport.de> wrote:
>
>> Chris,
>>
>> strange, as I thought I specified secretRequired="false" and so don't need
>> any secret, but anyway:
>> that's it -- Thank you!
>>
>> Now without secret="" and without mod_jk everything works fine.
>>
>
> In this case do we need to check whether the secret is required at
> https://github.com/apache/tomcat/blob/81cfd2dc665db684b1fba0de5af4d08102dc50fb/java/org/apache/coyote/ajp/AjpProcessor.java#L844-L849
> before
> setting the error status?
> mod_proxy sends a secret but Tomcat is configured to not use/require it

The scenario where both secret is set and secretRequired="false" is a
configuration error. We should probably fail safe in that scenario but
there are various options for doing that. We also need to consider what
happens as Tomcat starts and if changes are made to the AJP connector
while it is running.

Mark