tomcat-dev mailing list archives

From Budi Kurniawan <bu...@cse.unsw.EDU.AU>
Subject Re: Security threat with enabling invoker servlet in 4.1.12
Date Mon, 04 Nov 2002 10:12:08 GMT
Thanks Martin,
budi
On Mon, 4 Nov 2002, Martin Algesten wrote:

> The invoker servlet allows for anyone to call your servlets using their
> class names. This is not a problem as long as you are happy with that.
> In my case I have some internal servlets (used as a poor substitute for
> RMI) where I map the servlets to be under /internal/some.servlet  and
> then protect /internal/* in my Apache web server in front of Tomcat. I
> don't use the invoker servlet since I want to declare exactly how my
> servlets are to be accessed.
>
> Martin
>
> Budi Kurniawan wrote:
>
> >Hi,
> >
> >I've browsed the user list for this question but could not find the
> >answer. Apologies if this is not the right question for this list.
> >
> >The release note in 4.1.12 says that the invoker servlet is turned off in
> >the default web.xml for security reasons. However, in the examples
> >app's web.xml the invoker is on.
> >
> >My questions are:
> >1. What security threat is that?
> >2. If it is not safe to turn it on in the default web.xml, is it safe to
> >do so in the app web.xml?
> >
> >thx,
> >budi
> >
> >
> >--
> >To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> >For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
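The approach Martin describes, an explicitly declared and mapped servlet with the invoker left unmapped, as a Tomcat 4.1 (Servlet 2.3) web.xml added here for illustration; it is not code from the original thread or from the Tomcat project. The servlet name, class name and URL are constructed for this example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Declare the internal servlet explicitly. The class is reachable only
       through the mapping below, not by asking for it by class name. -->
  <servlet>
    <servlet-name>internal-sync</servlet-name>
    <!-- Hypothetical class name, constructed for this example. -->
    <servlet-class>com.example.internal.SyncServlet</servlet-class>
  </servlet>

  <!-- One fixed URL under /internal/, the prefix the front-end web server
       then restricts as a whole. -->
  <servlet-mapping>
    <servlet-name>internal-sync</servlet-name>
    <url-pattern>/internal/sync</url-pattern>
  </servlet-mapping>

  <!-- Keep the invoker unmapped. The mapping below is what turns it on:
       with it present, any servlet class the web application can load
       becomes reachable as /servlet/fully.qualified.ClassName, whether or
       not it is declared in this file. Leave it commented out. -->
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

</web-app>
```

With the invoker unmapped, the set of reachable servlets is exactly the set of `servlet-mapping` entries in this file, which is the property Martin wants; the `/internal/` prefix is then the single path his Apache front end has to deny to outside clients. The same reasoning applies to the examples app: the mapping above is the part to remove there if that application is deployed where untrusted users can reach it.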