>> > Let's be prudent here. The standard configuration must avoid
>> > security holes. Many users will have tomcat in front and we
>> > must avoid someone outside shutting down their TC boxes.
>> Also if I'm not mistaken - Tomcat binds to all interfaces by
>> default as I don't see the inet="" option set to 127.0.0.1 in the
>> default server.xml file for Ajp connectors. I'll double check that :)
You're right. TC still uses ajp12 as its default connector so it
listens on all interfaces (which I agree could raise problems). I'm
using, in my prod systems, ajp13 to connect webservers and
ajp12 only for shutdown purposes (and listening only on localhost).
>Here is the same test but with slightly modified server.xml:
><Connector className="org.apache.tomcat.service.PoolTcpConnector">
>  <Parameter name="handler"
>    value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
>  <Parameter name="port" value="8007"/>
>  <Parameter name="inet" value="127.0.0.1"/>
></Connector>
Thanks for mentioning this one. The "inet" is not a well known and used param.
>Please note that port 8007 is bound to 127.0.0.1 interface _ONLY_.
The secure way.
>So if security of default settings is of any concern I'd suggest you
>guys modify the default server.xml file the way described above.
I understand your valid requirement, but why not just develop a
servlet in admin which uses ajp12 to send (to localhost) the ajp12
shutdown command.
>Hope this helps :)
Yes, and I hope you'll take a look at the ajp14 proposal.......
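Added example, not part of the thread above and not Tomcat project code: a small Python audit of a Tomcat 3.x server.xml in the PoolTcpConnector/Parameter style quoted above. It flags every Connector that has no "inet" parameter (or one that is not loopback), lists the ajp12 ports reachable from other hosts, and emits a hardened copy that pins each exposed ajp12 connector to 127.0.0.1, which is the fix suggested in the thread. The sample server.xml is constructed; the Ajp13ConnectionHandler class name and ports 8009/8017 are assumptions made for the sample, and the "exposed" rule (no inet means bind all interfaces) is the thread's own reading of Tomcat's default.

```python
"""Audit a Tomcat 3.x server.xml for connectors bound to all interfaces.

Added example, not from the mailing-list thread. It parses the
PoolTcpConnector/Parameter style shown in the thread and reports every
connector without a loopback "inet" parameter, then produces a copy
where ajp12 connectors are pinned to 127.0.0.1.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an ajp12 connector with no inet (the insecure default
# discussed in the thread), an ajp13 connector for the web server, and an
# ajp12 connector already pinned to loopback. The Ajp13ConnectionHandler
# class name and ports 8009/8017 are assumptions for this sample.
SAMPLE_SERVER_XML = """<Server>
  <ContextManager>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
        value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
      <Parameter name="port" value="8007"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
        value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
      <Parameter name="port" value="8009"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
        value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
      <Parameter name="port" value="8017"/>
      <Parameter name="inet" value="127.0.0.1"/>
    </Connector>
  </ContextManager>
</Server>
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def connector_params(connector):
    """Map the <Parameter name=... value=.../> children of one Connector."""
    return {p.get("name"): p.get("value") for p in connector.findall("Parameter")}


def audit_connectors(xml_text):
    """One dict per Connector: handler, port, inet and an 'exposed' flag.
    A missing "inet" means the connector binds every interface."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        params = connector_params(conn)
        inet = params.get("inet")
        findings.append({
            "handler": params.get("handler", ""),
            "port": params.get("port"),
            "inet": inet,
            "exposed": inet is None or inet not in LOOPBACK,
        })
    return findings


def exposed_ajp12_ports(xml_text):
    """Ports of ajp12 connectors reachable from other hosts; these would
    accept the ajp12 shutdown command from anyone who can reach them."""
    return [f["port"] for f in audit_connectors(xml_text)
            if "Ajp12" in f["handler"] and f["exposed"]]


def harden_ajp12(xml_text):
    """Return server.xml text where every exposed ajp12 connector carries
    <Parameter name="inet" value="127.0.0.1"/>, as suggested in the thread."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        params = connector_params(conn)
        if "Ajp12" not in params.get("handler", ""):
            continue
        inet = params.get("inet")
        if inet is None:
            ET.SubElement(conn, "Parameter", name="inet", value="127.0.0.1")
        elif inet not in LOOPBACK:
            for p in conn.findall("Parameter"):
                if p.get("name") == "inet":
                    p.set("value", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "EXPOSED (all interfaces)" if f["exposed"] else "loopback only"
        print(f"port {f['port']:>5}  {f['handler'].rsplit('.', 1)[-1]:<24} {state}")
    print("ajp12 ports reachable from the network:",
          exposed_ajp12_ports(SAMPLE_SERVER_XML))
    print(harden_ajp12(SAMPLE_SERVER_XML))
```

Run it against a real server.xml by reading the file into `audit_connectors`; only the ajp12 connector is pinned by `harden_ajp12` because that is the one that honours the shutdown command, while an ajp13 connector still has to be reachable from the web server host.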