On 19/02/2020 09:02, Martin Grigorov wrote:
> Hi,
> 
> On Wed, Feb 19, 2020 at 9:34 AM Friderike Hofmeister <
> friderike.hofmeis...@mbsupport.de> wrote:
> 
>> Chris,
>>
>> strange, as I thought I specified secretRequired="false" and so don't need
>> any secret, but anyway:
>> that's it -- Thank you!
>>
>> Now without secret="" and without mod_jk everything works fine.
>>
> 
> In this case do we need to check whether the secret is required at
> https://github.com/apache/tomcat/blob/81cfd2dc665db684b1fba0de5af4d08102dc50fb/java/org/apache/coyote/ajp/AjpProcessor.java#L844-L849
> before setting the error status?
> mod_proxy sends a secret but Tomcat is configured to not use/require it

The scenario where both secret is set and secretRequired="false" is a
configuration error. We should probably fail safe in that scenario but
there are various options for doing that.

We also need to consider what happens as Tomcat starts and if changes
are made to the AJP connector while it is running.

Mark
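
Added example (not part of the message above and not Tomcat code): a small audit that flags AJP connectors in a server.xml where `secret` is set together with secretRequired="false", the combination described above as a configuration error. It assumes an AJP connector can be recognised by "ajp" in its `protocol` attribute and that a `secret` attribute counts as set even when empty; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" secret="" secretRequired="false"/>
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false"/>
    <Connector port="8011" protocol="AJP/1.3" secret="constructed-value"/>
  </Service>
</Server>
"""


def conflicting_ajp_connectors(server_xml: str) -> list:
    """Return AJP connectors that set `secret` while secretRequired="false"."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Assumption: AJP connectors are identified by "ajp" in the protocol
        # attribute ("AJP/1.3" or an org.apache.coyote.ajp.* class name).
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        # Assumption: the attribute being present, even as secret="",
        # counts as "secret is set".
        secret_set = "secret" in conn.attrib
        not_required = conn.get("secretRequired", "").strip().lower() == "false"
        if secret_set and not_required:
            findings.append({
                "port": conn.get("port"),
                "empty_secret": conn.get("secret") == "",
            })
    return findings


if __name__ == "__main__":
    for hit in conflicting_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {hit['port']}: secret set with "
              f"secretRequired=false (empty secret: {hit['empty_secret']})")
```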
