tomcat-dev mailing list archives

From Martin Algesten <mar...@taglab.com>
Subject Re: Security threat with enabling invoker servlet in 4.1.12
Date Mon, 04 Nov 2002 09:16:04 GMT
The invoker servlet allows for anyone to call your servlets using their 
class names. This is not a problem as long as you are happy with that. 
In my case I have some internal servlets (used as a poor substitute for 
RMI) where I map the servlets to be under /internal/some.servlet and 
then protect /internal/* in my Apache web server in front of Tomcat. I 
don't use the invoker servlet since I want to declare exactly how my 
servlets are to be accessed.

Martin

Budi Kurniawan wrote:

>Hi,
>
>I've browsed the user list for this question but could not find the
>answer. Apologies if this is not the right question for this list.
>
>The release note in 4.1.12 says that the invoker servlet is turned off in
>the default web.xml for security reasons. However, in the examples
>app's web.xml the invoker is on.
>
>My questions are:
>1. What security threat is that?
>2. If it is not safe to turn it on in the default web.xml, is it safe to
>do so in the app web.xml?
>
>thx,
>budi
>
>
>--
>To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>