The invoker servlet allows anyone to call your servlets using their
class names. This is not a problem as long as you are happy with that.
In my case I have some internal servlets (used as a poor substitute for
RMI) where I map the servlets to be under /internal/some.servlet and
then protect /internal/* in my Apache web server in front of Tomcat. I
don't use the invoker servlet since I want to declare exactly how my
servlets are to be accessed.
Martin
Budi Kurniawan wrote:
>Hi,
>
>I've browsed the user list for this question but could not find the
>answer. Apologies if this is not the right question for this list.
>
>The release note in 4.1.12 says that the invoker servlet is turned off in
>the default web.xml for security reasons. However, in the examples
>app's web.xml the invoker is on.
>
>My questions are:
>1. What security threat is that?
>2. If it is not safe to turn it on in the default web.xml, is it safe to
>do so in the app web.xml?
>
>thx,
>budi
>
>
>--
>To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
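As an added illustration of the approach Martin describes (declare exactly how each servlet is reached, put the internal ones under a dedicated prefix, and leave the invoker servlet out), here is an example web application web.xml for a Tomcat 4.x (Servlet 2.3) context. It is not code from the thread or from Tomcat itself; the servlet names, class names and the /internal/sync path are assumed for the example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Added example, not the original poster's web.xml.
       Servlet names, class names and paths are assumed. -->

  <!-- Public servlet: declared and mapped explicitly, so the only URL
       that reaches it is the one declared here. -->
  <servlet>
    <servlet-name>catalog</servlet-name>
    <servlet-class>com.example.web.CatalogServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>catalog</servlet-name>
    <url-pattern>/catalog</url-pattern>
  </servlet-mapping>

  <!-- Internal servlet (the "poor substitute for RMI" case): mapped under
       a dedicated prefix so that the web server in front of Tomcat can
       restrict everything below /internal/ in one place. -->
  <servlet>
    <servlet-name>internal-sync</servlet-name>
    <servlet-class>com.example.internal.SyncServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>internal-sync</servlet-name>
    <url-pattern>/internal/sync</url-pattern>
  </servlet-mapping>

  <!-- Deliberately absent: the invoker mapping that Tomcat's default
       conf/web.xml used to carry. If it were present, a request to
       /servlet/com.example.internal.SyncServlet would reach the internal
       servlet by class name, outside the /internal/ prefix that the
       front-end web server protects.

  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>
```

The front-end half of the arrangement is an Apache container such as `<Location /internal/>` carrying `Order deny,allow`, `Deny from all` and an `Allow from` line for the hosts that are permitted to call the internal servlets (Apache 1.3/2.0 syntax, assumed here; Apache then forwards the remaining requests to Tomcat through the usual connector). Two checks are worth making before relying on it. First, Tomcat's own HTTP connector must not be reachable from outside, or a request sent straight to that port never passes through the Apache restriction at all. Second, the explicit mappings only buy something if the invoker stays off for this context: re-adding the `/servlet/*` mapping in the application's web.xml makes every servlet class that the web application's class loader can load reachable by class name, which is the point of the release note Budi asked about.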