calder wrote:
We've never had occasion to use the password, because we disable shutdown (the better option).
Never did understand this Tomcat oddity. What other application is configured by default to open a tcp socket just to receive a shutdown command? Then there the default password, both of which, IMO, warrant a CVE. Would be far better i.e. more standards-based and secure, if the socket were an option and the default stop method was, like everything else, to use rc/init/service/systemctl/whatever. OTOH, a quick look at the startup, shutdown, catalina, ... scripts, much less their lack of reliability, makes a little clearer why some devops might want to avoid the shipped daemon control scripts. Roger Marquis --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org