tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: [PROPOSAL] Remove the invoker servlet
Date Tue, 28 Oct 2008 17:26:15 GMT
Costin Manolache wrote:
> +0
> 
> I kind of liked the functionality ( i.e. write a servlet and have it 'just
> work', without web.xml ).
> And the annotations have their own problems ( scanning all the classes ).

V3 of the servlet spec should include the ability to add servlet and filter
mappings on the fly.


> But to turn this around to my favorite subject - wouldn't be better to
> exclude it from the
> release ? Maybe this and the CGI servlets and few others could go into an
> 'extras' jar,
> with stuff not required by the spec and not commonly used.

The main thing I don't like about it is the huge security hole it creates.
I'd much rather get rid of it completely (and the various bits of "check if
we are using the invoker here" code).

CGI, SSI and WebDAV should all be safe to package as separate jars. I'm not
in any great rush to make this change. If they get moved as part of your
refactoring - fine. If not, I'll get around to it at some point.

Mark

> 
> Costin
> 
> On Tue, Oct 28, 2008 at 3:56 AM, Mark Thomas <markt@apache.org> wrote:
> 
>> All,
>>
>> I'd like to remove the invoker servlet entirely from trunk (and hence TC7.x
>> onwards) and deprecate it in 6.0.x.
>>
>> Any objections?
>>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message