tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GOMEZ Henri <>
Subject RE: Tomcat 3.2.2 beta 4 (insecure default settings)
Date Mon, 07 May 2001 12:11:35 GMT
>> > Let's be prudent here. The standard configuration must avoid 
>> > security hole. Many users will have tomcat in front and we
>> > must avoid someone outside shutdown their TC boxes. 

>> Also if I'm not mistaken - Tomcat binds to all interfaces by 
>default as I don't
>> see inet="" option set to in default server.xml 
>file for Ajp
>> connectors.  I'll double check that:)

You're right. TC still use ajp12 at its default connector so it
listen all interface (which I agree could rise problem). I'm
using in my prod systems, ajp13 to connect webservers and
ajp12 only for the shutdown purpose (and listen only on localhost)

>Here is the same test but with slightly modified server.xml:
><Connector className="org.apache.tomcat.service.PoolTcpConnector">
>	<Parameter name="handler"
>	<Parameter name="port" value="8007"/>
>	<Parameter name="inet" value=""/>

Thanks to mention this one. The "inet" is not a well know and used param.

>Please note that port 8007 is bound to interface _ONLY_.

The secure way.

>So if security of default settings is of any concern I'd 
>suggest you, guys
>modify default server.xml file the way described above.

I understand your valid requirement, but why not just developp a 
servlet in admin which use ajp12 to send (to localhost), the ajp12
shutdown command.

>Hope this helps :)

Yes, and I hope you'll take a look at the ajp14 proposal.......

View raw message