This idea appears to come from the Tomcat plugin, which is fine for development but I fail to see any benefit outside of a development environment. Even if there is a valid use case, such feature should be clearly documented and opt-in in a potential "production" package, here it's not even opt-out and I don't see any mention of it anywhere.
Sorry if I sound a bit bitter, don't be mistaken I am very grateful for your work and amazing open source contributions but finding such a big longstanding security hole that could have been easily avoided (e.g. by simply not adding this feature) is quite frustrating.
I had the very bad surprise to find an undocumented Tomcat kill switch port: https://github.com/grails-plugins/grails-standalone/blob/9e2e90290e63eb0676ca3dd5fadd5d9ee8b98280/src/runtime/grails/plugin/standalone/Launcher.java#L151
This idea appears to come from the Tomcat plugin, which is fine for development but I fail to see any benefit outside of a development environment. Even if there is a valid use case, such feature should be clearly documented and opt-in in a potential "production" package, here it's not even opt-out and I don't see any mention of it anywhere.
Sorry if I sound a bit bitter, don't be mistaken I am very grateful for your work and amazing open source contributions but finding such a big longstanding security hole that could have been easily avoided (e.g. by simply not adding this feature) is quite frustrating.