tomcat-dev mailing list archives

From Martin Algesten <>
Subject Re: Security threat with enabling invoker servlet in 4.1.12
Date Mon, 04 Nov 2002 09:16:04 GMT
The invoker servlet allows for anyone to call your servlets using their 
class names. This is not a problem as long as you are happy with that. 
In my case I have some internal servlets (used as a poor substitute for 
RMI) where I map the servlets to be under /internal/some.servlet  and 
then protect /internal/* in my Apache web server in front of Tomcat. I 
don't use the invoker servlet since I want to declare exactly how my 
servlets are to be accessed.


Budi Kurniawan wrote:

>I've browsed the user list for this question but could not find the
>answer. Apologies if this is not the right question for this list.
>The release note in 4.1.12 says that the invoker servlet is turned off in
>the default web.xml for security reasons. However, in the examples
>app's web.xml the invoker is on.
>My questions are:
>1. What security threat is that?
>2. If it is not safe to turn it on in the default web.xml, is it safe to
>do so in the app web.xml?

