tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Ttomcat 4.0.4 Configuration
Date Thu, 01 Aug 2002 13:19:54 GMT
Hi,
A couple of comments, hopefully helpful ;)

- You should package your classes.  If you don't, it'll look for them in
the default package of org.apache.jsp, where they aren't, hence the
error ;)

- It would be insecure, and bad style, to not import all and only the
classes you need in a given java program (servlet, jsp, whatever).  I've
seen so many problems arise from setups where people try to make classes
in some directory automatically imported.  It's really not worth your
time and effort to have something (a custom ClassLoader?  a watchdog
thread?) automatically load any class in WEB-INF/classes into memory.
Instead, make it a strict policy that all the files must import
precisely what they need.  A tool like import scrubber (on sourceforge)
can help with this in an automated fashion as well.

- What you call "JRun does not have that problem", I call (and have seen
exploited!) a serious security risk in JRun.  I believe it's fixed now,
by the way, and you have to declare classes precisely in JRun as
well.

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Mushtaq, Hassan [mailto:MushtaqH@cl.uh.edu]
>Sent: Wednesday, July 31, 2002 6:53 PM
>To: 'Tomcat Users List'
>Subject: RE: Ttomcat 4.0.4 Configuration
>
>Thanks for your reply. But in question one, I meant what to do with user
>defined classes? The tomcat does not pick user defined classes from classes
>folder, I get an error if I don't import even a class written by me, like for
>example I have a class MyClass, I put it under classes folder, then still I
>have to write <%@ page import=MyClass%> to make it work, otherwise it says
>that org.apache.jsp.MyClass cannot be found. While I have used JRun server
>before, it does not have that problem, it picks from lib folder or classes
>folder as well. Thanks.
>
>
>Hassan Mushtaq
>UHCL
>
>
>
>-----Original Message-----
>From: Sullivan, Mark E [mailto:Mark.Sullivan@nav-international.com]
>Sent: Wednesday, July 31, 2002 5:34 PM
>To: 'Tomcat Users List'
>Subject: RE: Ttomcat 4.0.4 Configuration
>
>
>
>
>> -----Original Message-----
>> From: Mushtaq, Hassan [mailto:MushtaqH@cl.uh.edu]
>> Sent: Wednesday, July 31, 2002 5:34 PM
>> To: 'tomcat-user@jakarta.apache.org'
>> Subject: Ttomcat 4.0.4 Configuration
>>
>>
>> Hi, I have two questions:
>>
>> 1. Can I configure tomcat somehow that if we put some class file in
>> WEB-INF/classes folder we do not have to write page import statement?
>> whatever in the classes should be visible to jsp page directly.
>
>the page import statements can be thought of as declaring a namespace. For
>example, instead of using
>
><%@ page import = "java.util.ArrayList" %>
><% ArrayList al = new ArrayList(); %>
>
>You could not use the page import and just do
>
><% java.util.ArrayList al = new java.util.ArrayList(); %>
>
>Tomcat really has nothing to do with this, it's just how java works.
>
>
>
>>
>> 2. How can I configure tomcat in such a way that WEB-INF/classes folder
>> should be for servlets only and user classes and beans should go to
>> WEB-INF/lib folder? When someone puts a class in classes folder that is not
>> servlet and tries to run it, the tomcat should give 404 (page not found)
>> error.
>
>tomcat will throw an internal error (maybe a 404) if someone tries to do
>this, unless the class extends HttpServlet ( hence making it a servlet),
>because tomcat is looking for that interface on the class. That will keep
>non-servlets out of the classes directory. As far as keeping servlets out of
>the lib directory, I don't think there is any way to do that. If you do not
>let them change the web.xml file for the webapp, they will not be able to
>get at their servlet anyways. This is probably the only way to restrict
>something like that.
>
>
>
>
>>
>> Thanks.
>>
>> 	Hassan Mushtaq
>> 	Research Assistant at University of Houston Clearlake
>>
>> --
>> To unsubscribe, e-mail:
>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail:
>> <mailto:tomcat-user-help@jakarta.apache.org>
>>


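The two recommendations in the reply at the top of this message (package every class, and have each JSP import precisely what it uses) can be checked mechanically over a deployed webapp. The script below is an added example, not part of the original thread and not Tomcat's or import scrubber's code; the function names, the finding labels, the constructed sample webapp and the choice to report wildcard imports are assumptions.

```python
import re
import tempfile
from pathlib import Path

# <%@ page ... import="a.b.C, d.e.*" ... %> directives in JSP source.
PAGE_IMPORT = re.compile(
    r'<%@\s*page\b[^%]*?\bimport\s*=\s*["\']([^"\']*)["\']', re.I | re.S)

def audit_webapp(root):
    """Return sorted (kind, path, detail) findings for an exploded webapp."""
    root = Path(root)
    findings = []
    # A .class file directly under WEB-INF/classes is in the default package,
    # so JSP-generated code in org.apache.jsp cannot resolve it by simple name.
    for cls in (root / "WEB-INF" / "classes").glob("*.class"):
        findings.append(("unpackaged-class", cls.relative_to(root).as_posix(), cls.stem))
    for jsp in root.rglob("*.jsp"):
        rel = jsp.relative_to(root).as_posix()
        text = jsp.read_text(encoding="utf-8", errors="replace")
        for match in PAGE_IMPORT.finditer(text):
            for name in (n.strip() for n in match.group(1).split(",")):
                if name.endswith(".*"):
                    # Assumption: a wildcard breaks "all and only" imports.
                    findings.append(("wildcard-import", rel, name))
                elif name and "." not in name:
                    findings.append(("default-package-import", rel, name))
    return sorted(findings)

def run_demo():
    """Audit a constructed sample webapp (not taken from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        packaged = root / "WEB-INF" / "classes" / "com" / "example" / "app"
        packaged.mkdir(parents=True)
        (packaged / "Cart.class").write_bytes(b"")            # packaged: fine
        (root / "WEB-INF" / "classes" / "MyClass.class").write_bytes(b"")
        (root / "ok.jsp").write_text(
            '<%@ page import="com.example.app.Cart" %>\n', encoding="utf-8")
        (root / "index.jsp").write_text(
            '<%@ page import="MyClass" %>\n'
            '<%@ page import = "java.util.ArrayList, java.io.*" %>\n',
            encoding="utf-8")
        return audit_webapp(root)

if __name__ == "__main__":
    for finding in run_demo():
        print(*finding, sep="\t")
```

Run against a real deployment by passing the exploded webapp directory to audit_webapp(); an empty list means every class is packaged and every JSP import names a single packaged class.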