The well-known default shutdown password ("SHUTDOWN") should be randomized and stored in the server.xml configuration file in place of the default. Anyone on localhost with knowledge of the password can cause a denial-of-service attack if the password is known. Right now, the current Tomcat 5 ebuild makes the file readable only by the tomcat user, which is correct.
Java please advise.
tomcat-5.0.27-r6 and tomcat-5.0.28-r3 now replace the default pw with a random one. Sorry for the delay, but I haven't recognized this one earlier.
Thx Jan.
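
A check for the two conditions the report names (a non-default shutdown value, and a server.xml that only its owner can read), as an added example that is not part of the original thread or the ebuild. The 16-character minimum, the function names and the sample server.xml contents are assumptions constructed here.

```python
import os
import secrets
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_SHUTDOWN = "SHUTDOWN"
MIN_LENGTH = 16  # assumed policy threshold, not taken from the bug report


def audit_server_xml(path):
    """Return a list of findings for the shutdown attribute of <Server>."""
    findings = []
    root = ET.parse(path).getroot()
    if root.tag != "Server":
        return ["root element is not <Server>; not a Tomcat server.xml"]
    # Tomcat falls back to "SHUTDOWN" when the attribute is absent.
    command = root.get("shutdown", DEFAULT_SHUTDOWN)
    if command == DEFAULT_SHUTDOWN:
        findings.append("shutdown command is the well-known default")
    elif len(command) < MIN_LENGTH:
        findings.append("shutdown command is shorter than %d characters" % MIN_LENGTH)
    # A random value only helps if other local users cannot read the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("server.xml is accessible to group/other (mode %o)" % mode)
    return findings


def write_sample(shutdown, mode):
    """Write a constructed, minimal server.xml with the given value and mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write('<Server port="8005" shutdown="%s">'
                 '<Service name="Catalina"/></Server>' % shutdown)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    samples = (("default, world-readable", write_sample("SHUTDOWN", 0o644)),
               ("randomized, owner-only", write_sample(secrets.token_hex(16), 0o600)))
    for label, sample in samples:
        print(label, "->", audit_server_xml(sample) or "no findings")
        os.remove(sample)
```
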