Curtis Garman wrote:
Is this something new for tomcat 6?...I was told there was a security
vulnerability there with tomcat 5

Yes. At some point in time in version 5.0 or 5.5 or 6.0, someone realised that if this "shutdown port" allowed connections from anywhere, there was a theoretical possibility that some miscreant, if he also knew the shutdown "password string" (the one indicated by the "shutdown" attribute), might send it just to be a pain and annoy everyone by shutting down Tomcat. That was when it was decided to only allow connections from localhost on that port, to restrict the attack surface. Of course, as long as they do not know this shutdown string (because you have changed it from the default), they cannot use this anyway.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
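A defensive check for the settings the reply describes, added here as an example and not part of the thread: it parses a Tomcat server.xml and flags a Server element that still uses the stock shutdown string or binds the shutdown listener to something other than loopback. The sample XML documents are constructed; the defaults assumed (port 8005, string SHUTDOWN, address localhost) mirror Tomcat's StandardServer, and `address` is Tomcat's documented attribute for binding the listener.

```python
import xml.etree.ElementTree as ET

# Constructed example (not from the thread): stock defaults plus an
# explicit bind to all interfaces, i.e. the situation the reply warns about.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0">
  <Service name="Catalina"/>
</Server>
"""

# Constructed example: shutdown listener disabled outright (port="-1"),
# so the shutdown string and bind address no longer matter.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="CHANGE-ME-TO-A-LONG-RANDOM-STRING">
  <Service name="Catalina"/>
</Server>
"""

LOOPBACK = ("localhost", "127.0.0.1", "::1")


def audit_shutdown_port(server_xml):
    """Return a list of findings about the <Server> shutdown listener.

    An empty list means nothing to report. Missing attributes are read as
    the StandardServer defaults (assumed here: 8005 / SHUTDOWN / localhost).
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")

    port = root.get("port", "8005")
    shutdown = root.get("shutdown", "SHUTDOWN")
    address = root.get("address", "localhost")

    findings = []
    if port == "-1":
        return findings  # listener disabled: nothing can connect to it

    if shutdown == "SHUTDOWN":
        findings.append("default shutdown string 'SHUTDOWN' still in use")
    elif len(shutdown) < 16:
        findings.append("shutdown string is short; use a long random value")

    if address not in LOOPBACK:
        findings.append("shutdown listener bound to %s, not loopback" % address)
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_shutdown_port(doc) or "OK")
```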