tomcat-users mailing list archives

From "Michael Nicholson" <...@email.unc.edu>
Subject Re: hiding servlet URLs in JSPs
Date Wed, 04 Dec 2002 19:19:34 GMT
I don't know if it would work or not, but you might be able to "overwrite"
the invoker servlet by mapping your own servlet there.  One that would
basically do nothing, except maybe return an error page or exception.  Or
you could probably disable the invoker in CATALINA_HOME/conf/web.xml and
re-enable it in people's CATALINA_HOME/webapp/context/WEB-INF/web.xml.  But
I've never tried any of these.

Mike
----- Original Message -----
From: "Price, Erik" <eprice@ptc.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, December 04, 2002 11:57 AM
Subject: RE: hiding servlet URLs in JSPs




> -----Original Message-----
> From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
> Sent: Wednesday, December 04, 2002 10:49 AM
> To: Tomcat Users List
> Subject: RE: hiding servlet URLs in JSPs
>

> If you're running in a very security-aware environment (you're starting
> tomcat with the security manager, right? ;)), map all the servlets you
> need in web.xml.  Disable the invoker servlet mapping in
> $CATALINA_HOME/conf/web.xml.  Then all your form targets will be like
> /MyFormProcessingServlet, and you can put a filter in a chain prior to
> the form processor to validate form fields etc, and reject attacker
> inputs.

Is there a way to override the invoker servlet mapping in an individual
webapp's WEB-INF/web.xml file?  Even though you clearly explain in your
original message that this is set in $CATALINA_HOME/conf/web.xml, I just
hunted through my webapp's WEB-INF/web.xml looking for it and when I
didn't find it, I discovered it's in $CATALINA_HOME/conf/web.xml, and
I don't want to inconvenience other users of the system by disabling
this for all webapps, if possible.

In other words, can I turn this off on a per-webapp basis, or is the
only solution to have all other users add this to their individual
WEB-INF/web.xml files and remove it from $CATALINA_HOME/conf/web.xml?



Thanks,

Erik

--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
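
The setup described in Yoav's quoted message, sketched as an added configuration example (not written by anyone in this thread): the invoker mapping taken out of the global descriptor, and the form servlet mapped explicitly behind a filter in the webapp's own descriptor. The package and class names under com.example and the filter name formValidation are hypothetical; element order follows the Servlet 2.3 descriptor.

```xml
<!-- 1. $CATALINA_HOME/conf/web.xml (shared by every webapp):
        delete or comment out this mapping. While it is present,
        /servlet/<class name> runs servlet classes that have no mapping
        of their own, and such requests do not match filters that are
        bound to the explicit URLs below. -->
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>

<!-- 2. The webapp's WEB-INF/web.xml: every servlet the application
        needs gets its own mapping, and the validating filter is bound
        to the same URL so it always runs before the form processor. -->
<web-app>
    <filter>
        <filter-name>formValidation</filter-name>
        <!-- hypothetical class: validates form fields, rejects bad input -->
        <filter-class>com.example.FormValidationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>formValidation</filter-name>
        <url-pattern>/MyFormProcessingServlet</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>MyFormProcessingServlet</servlet-name>
        <!-- hypothetical class name -->
        <servlet-class>com.example.MyFormProcessingServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>MyFormProcessingServlet</servlet-name>
        <url-pattern>/MyFormProcessingServlet</url-pattern>
    </servlet-mapping>
</web-app>
```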




