Subject: RE: tomcat 4.0.5 not serving HTML pages
Date: Thu, 26 Sep 2002 06:38:26 -0400
From: "Larry Isaacs"
To: "Tomcat Users List"

Also, if you need ".../servlet/" to invoke a particular servlet, you can include a servlet mapping with "/servlet/" as the to emulate "invoker" for that servlet. This would avoid enabling "invoker" and exposing all servlets.

Cheers,
Larry

> -----Original Message-----
> From: Bill Barker [mailto:res0ob23@verizon.net]
> Sent: Thursday, September 26, 2002 3:55 AM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: tomcat 4.0.5 not serving HTML pages
>
> "Mona Wong-Barnum" wrote in message
> news:200209260000.g8Q003317163@eggshell.ucsd.edu...
> >
> > Sorry, I'm a moron, I commented out the wrong section in web.xml for the
> > vulnerability (:
> >
> > All is well, 4.0.5 is now working for me.
> >
> > With 4.0.5, does it matter if the section in web.xml about the invoker
> > is commented out or not?
>
> Disabling the Invoker provides extra security against similar exploits
> (although those would involve your classes, not Tomcat's [which are
> checked]). Of course, if you are using URLs of the form
> , then you need the Invoker. In
> this case, you need to enable the Invoker, and make certain that none of
> your classes (not restricted to servlets) reveal information if invoked by
> http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.
>
> >
> > Cheers,
> >
> > Mona
> >
> > Mona Wong-Barnum
> > National Center for Microscopy and Imaging Research
> > University of California, San Diego
> > http://ncmir.ucsd.edu/
> >
> > "The truth shall set you free, but first it will piss you off"
> > A Landmark instructor
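
Added example, not part of the original messages: two constructed web.xml fragments, one with the invoker mapped to /servlet/* and one with that mapping commented out and a single servlet mapped explicitly under /servlet/ as Larry describes, plus a check that lists any URL pattern still routed to the invoker. The `report` servlet name and `com.example.ReportServlet` class are hypothetical.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed fragments shared by both sample descriptors.
INVOKER_DEF = """  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>"""
INVOKER_MAP = """  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>"""

# Constructed sample: invoker enabled, so any class name can be requested
# under /servlet/.
WEAK = f"<web-app>\n{INVOKER_DEF}\n{INVOKER_MAP}\n</web-app>"

# Constructed sample: invoker mapping commented out; one (hypothetical)
# servlet keeps its /servlet/ URL through an explicit mapping.
HARDENED = f"""<web-app>
{INVOKER_DEF}
  <servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
  </servlet>
<!--
{INVOKER_MAP}
-->
  <servlet-mapping>
    <servlet-name>report</servlet-name>
    <url-pattern>/servlet/ReportServlet</url-pattern>
  </servlet-mapping>
</web-app>"""


def invoker_mappings(web_xml):
    """Return the URL patterns that are mapped to an invoker servlet."""
    root = ET.fromstring(web_xml)  # XML comments are dropped by the parser
    invokers = {s.findtext("servlet-name", "").strip()
                for s in root.iter("servlet")
                if s.findtext("servlet-class", "").strip() == INVOKER_CLASS}
    return [m.findtext("url-pattern", "").strip()
            for m in root.iter("servlet-mapping")
            if m.findtext("servlet-name", "").strip() in invokers]
```

On a real installation the same check applies to both Tomcat's global conf/web.xml and each application's WEB-INF/web.xml, since a mapping in either one enables the invoker.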