-----Original Message-----
From: André Warnier (tomcat/perl) <[email protected]> 
Sent: Monday, February 24, 2020 3:33 PM
To: [email protected]
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

On 24.02.2020 22:04, Christopher Schultz wrote:
> With 8.5.51, requiredSecret is renamed "secret" but "requiredSecret"
> is still an alias of the same configuration property. If #2 happens 
> after #1 above, then your actual secret will be the literal string 
> "true" (oops).
> 
> We apologize for this confusion. We are trying to clarify things and 
> make them more secure.

> Nobody is saying that the new configuration and attributes are not better, 
> from a security point of view. The latest on-line documentation, when taken 
> in isolation, is also pretty clear and understandable. So people installing 
> tomcat for the first time should have no problem.

> But I think that quite a few recent posts show that these changes could have 
> been made a bit more visible for people who have running tomcats, and are 
> just updating from one minor version to the next minor version.
> Even the on-line documentation for the Connector, shows the current 
> attributes and defaults, but without any mention that they have just 
> changed compared to the previous minor version. That has apparently caught a 
> lot of people unaware.

> Now how to make this more noticeable, without also alerting the bad guys 
> about the pre-existing vulnerabilities, is probably not so easy..

> How about adding a note on top of the migration guide pages, saying : "If you 
> are just updating from 8.5.50 or lower, to 8.5.51 or higher, you *really* 
> should look at the AJP Connector attributes again".

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]

My .02 worth,

I would think that the configuration change would be on the Tomcat side, not 
the ISAPI Connector side as a new version of the Connector wasn't released, so 
everything would stay the same on the IIS side. Only the info in the server.xml 
would change, i.e. RequiredSecret to Secret, etc.

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 
– 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[email protected]


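To make the server.xml side of this concrete, here is an added example (not from this thread, and not Tomcat's shipped server.xml) of the AJP Connector before and after the 8.5.51 attribute change. The secret value, the port and the address are assumptions for illustration; the attribute names (requiredSecret, secretRequired, secret, address) are the ones the Tomcat Connector documentation uses.

```xml
<!-- Tomcat 8.5.50 and earlier: requiredSecret holds the shared secret STRING.
     Writing requiredSecret="true" as if it were a boolean makes the literal
     string "true" the secret. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           requiredSecret="true" />

<!-- Tomcat 8.5.51 and later: secretRequired is the boolean (defaults to true),
     secret holds the string. requiredSecret is kept only as an alias of secret,
     so an unchanged requiredSecret="true" from the old file still yields the
     secret "true". Since 8.5.51 address defaults to the loopback interface; if
     IIS runs on another host, set address to the interface IIS connects to
     (value below is an assumed example). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="192.0.2.10"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
```

The IIS side stays as Jon describes, except that the same string has to be present in the ISAPI redirector's workers.properties as the worker's secret property (for a worker named ajp13 that is the line worker.ajp13.secret=...), otherwise Tomcat rejects every forwarded request once secretRequired is in force. After the upgrade, grep server.xml for requiredSecret and either rename it to secret or delete it, and confirm the value is not a leftover "true".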
