Since r1734267 a RemoteAddrValve.is configured by default in Manager and HostManager web applications. This feature is present in 9.0.0.M4 and 8.5.0 onwards. 1) http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Securing_Management_Applications says: [quote] Uncomment the RemoteAddrValve in /META-INF/context.xml which limits access to localhost. [/quote] The quoted text has to be updated. 1. Maybe s/Uncomment the/Configure a/. 2. Maybe link to config/context.html, as Context configuration can also be conf/Catalina/localhost/<appname>.xml, or link to Manager documentation that has a more complete instruction. http://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Configuring_Manager_Application_Access 3. Link to RemoteAddrValve documentation is broken, as target section was renamed in r1642588. s/valve.html#Remote_Address_Filter/valve.html#Remote_Address_Valve/ or /valve.html#Access_Control/ 2) Maybe mention this change in Tomcat 8.5 and 9.0 Migration Guides.
Fixed in 9.0.x for 9.0.0.M9 onwards and in 8.5.x for 8.5.4 onwards. The migration section of the main web site has also been updated.