tomcat-users mailing list archives

From "Larry Isaacs" <Larry.Isa...@sas.com>
Subject RE: tomcat 4.0.5 not serving HTML pages
Date Thu, 26 Sep 2002 10:38:26 GMT
Also, if you need ".../servlet/<class>" to invoke a particular
servlet, you can include a servlet mapping with "/servlet/<class>"
as the <url-pattern> to emulate "invoker" for that servlet.
This would avoid enabling "invoker" and exposing all servlets.

Cheers,
Larry

> -----Original Message-----
> From: Bill Barker [mailto:res0ob23@verizon.net] 
> Sent: Thursday, September 26, 2002 3:55 AM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: tomcat 4.0.5 not serving HTML pages
> 
> 
> 
> "Mona Wong-Barnum" <mona@eggshell.ucsd.edu> wrote in message
> news:200209260000.g8Q003317163@eggshell.ucsd.edu...
> >
> > Sorry, I'm a moron, I commented out the wrong section in web.xml for the
> > vulnerability (:
> >
> > All is well, 4.0.5 is now working for me.
> >
> > With 4.0.5, does it matter if the section in web.xml about the invoker
> > is commented out or not?
> 
> Disabling the Invoker provides extra security against similar exploits
> (although those would involve your classes, not Tomcat's [which are
> checked]).  Of course, if you are using URLs of the form
> <http://myserver/myapp/servlet/MyServlet>, then you need the Invoker.  In
> this case, you need to enable the Invoker, and make certain that none of
> your classes (not restricted to servlets) reveal information if invoked by
> http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.
> 
> >
> > Cheers,
> >
> > Mona
> >
> > ==================================================================
> > Mona Wong-Barnum
> > National Center for Microscopy and Imaging Research
> > University of California, San Diego
> > http://ncmir.ucsd.edu/
> >
> > "The truth shall set you free, but first it will piss you off"
> > A Landmark instructor
> > ==================================================================
> 

--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
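
Added example, not part of the thread and not Tomcat project code: a Python check that reads a web.xml and reports whether the invoker is mapped and which servlets have their own explicit "/servlet/<class>" mapping, as suggested in the message above. Both web.xml fragments are constructed samples, and the class name edu.ucsd.mypackage.MyServlet is hypothetical.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: invoker mapped, so any class is reachable by name.
WITH_INVOKER = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: invoker mapping commented out, one servlet mapped explicitly.
EXPLICIT_ONLY = """<web-app>
  <servlet>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>edu.ucsd.mypackage.MyServlet</servlet-class>
  </servlet>
  <!-- <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern></servlet-mapping> -->
  <servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet/MyServlet</url-pattern>
  </servlet-mapping>
</web-app>"""

def audit_web_xml(text):
    """Return active invoker URL patterns and explicit /servlet/ mappings."""
    root = ET.fromstring(text)  # XML comments are dropped, so disabled blocks are ignored
    classes = {s.findtext("servlet-name", "").strip():
               s.findtext("servlet-class", "").strip() for s in root.iter("servlet")}
    report = {"invoker_patterns": [], "explicit": {}}
    for m in root.iter("servlet-mapping"):
        name = m.findtext("servlet-name", "").strip()
        pattern = m.findtext("url-pattern", "").strip()
        if name == "invoker" or classes.get(name) == INVOKER_CLASS:
            report["invoker_patterns"].append(pattern)
        elif pattern.startswith("/servlet/"):
            report["explicit"][pattern] = classes.get(name)
    return report

if __name__ == "__main__":
    print(audit_web_xml(WITH_INVOKER))
    print(audit_web_xml(EXPLICIT_ONLY))
```

An empty "invoker_patterns" list together with one "explicit" entry per servlet that still needs a /servlet/ URL is the state the message above recommends.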