In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1 or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well? Is running Tomcat as a Windows service considered "insecure"?
leo
