Hi,

> - AJP defaults changed to listen the loopback address, require a secret
>   and to be disabled in the sample server.xml

What was the motivation behind this breaking change to require a secret or to explicitly disable it? What makes an open AJP connector more unsafe than an open HTTP connector?

We have hundreds of Tomcats behind Apache httpd with mod_jk. My interpretation is that upgrading Tomcat 8.5 or 9.0 will break that setup until we disable the secret in all of them (or add a secret in mod_jk and Tomcat).

I would understand that for a new major version 10.x but not in the lifecycle of an existing major version.

Regards,
Stefan
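
An added example, not part of the original message and not Tomcat project code: a Python check that reads a `server.xml` and reports how each AJP connector would behave under the changed defaults quoted above, which is the per-instance question the upgrade raises. It relies on the AJP connector attributes `secret`, `secretRequired` and `address`; the sample `server.xml` and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one HTTP connector and three AJP connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
    <Connector port="8011" protocol="AJP/1.3" address="10.0.0.5" secret="example-only" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector, evaluated against the changed defaults."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue  # HTTP connectors are not affected by this change
        # requiredSecret is the older, deprecated name of the secret attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        address = conn.get("address")
        if secret:
            status = "secret-set"        # the mod_jk worker needs the same secret
        elif not secret_required:
            status = "secret-disabled"   # starts, but accepts any AJP peer that can connect
        else:
            status = "fails-to-start"    # a secret is required and none is configured
        findings.append({
            "port": conn.get("port"),
            "status": status,
            # No address attribute means the loopback default applies.
            "loopback_default": address is None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

A connector reported with `loopback_default` set to true will no longer be reachable from an httpd running on a different host until an `address` is configured.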