tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: "Servlet unavailable" discussion
Date Sun, 01 Dec 2002 20:01:27 GMT
It's a security hole. Look at the archives for a more in-depth explanation.

Personally, I hate the invoker servlet because
- it exposes the class name being used. Much harder to refactor your system.
- Doesn't require explicit definition of servlets. This makes 
maintenance very hard because there is no roadmap of servlet 
definitions. web.xml is nice for this.
- The absence of explicit declaration allows forgetful lazy programmers 
to keep old servlets around allowing for security leaks.
- Doesn't require explicit definition of servlets. It's worth saying a 
second time because I hate it that much.

-Tim


Paul Yunusov wrote:
> On Sunday 01 December 2002 01:55 pm, anywhere-info wrote:
> 
>>could it be you didn't un-comment the invoker servlet in web.xml of your
>>tomcat
>>
>>Paul Yunusov wrote:
>>
>>>Hello,
>>>
>>>I was wondering what, in general, can cause a servlet to be "unavailable"
>>>as reported by a StandardWrapperValve of Tomcat 4.1.12.
>>>Thanks,
>>>Paul
>>>
>>
> 
> Thanks for the comment. Are you referring to this entry in web.xml?
> 
> <servlet-mapping>
>     <servlet-name>invoker</servlet-name>
>     <url-pattern>/servlet/*</url-pattern>
> </servlet-mapping>
> 
> Individual mapping of the "/servlet/*" pattern to the invoker servlet for 
> every application seems to have been the default behavior in 4.0.x. Can 
> anyone explain, please, why it's changed to optional now?
> Paul
> 


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
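
The points made in the message above about the invoker mapping and explicit web.xml declarations can be checked mechanically; the following audit script is an added example and not part of the original thread. It assumes the invoker's class name as shipped in Tomcat (`org.apache.catalina.servlets.InvokerServlet`), and the sample descriptor with its `com.example` servlets is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Class name of Tomcat's invoker servlet (not on the page; taken from Tomcat itself).
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample web.xml: invoker enabled, one mapped servlet, one forgotten.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>orders</servlet-name>
    <servlet-class>com.example.OrderServlet</servlet-class></servlet>
  <servlet><servlet-name>oldReport</servlet-name>
    <servlet-class>com.example.OldReportServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>orders</servlet-name>
    <url-pattern>/orders</url-pattern></servlet-mapping>
</web-app>"""


def _local(tag):
    """Strip an XML namespace so newer, namespaced descriptors also parse."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Report invoker URL patterns and declared servlets with no explicit mapping."""
    classes, mappings = {}, {}
    for el in ET.fromstring(xml_text):  # commented-out entries are dropped by the parser
        kids = [(_local(c.tag), (c.text or "").strip()) for c in el]
        name = dict(kids).get("servlet-name", "")
        if _local(el.tag) == "servlet":
            classes[name] = dict(kids).get("servlet-class", "")
        elif _local(el.tag) == "servlet-mapping":
            mappings.setdefault(name, []).extend(v for k, v in kids if k == "url-pattern")
    invokers = {n for n, c in classes.items() if c == INVOKER_CLASS} | {"invoker"}
    return {
        "invoker_patterns": sorted(p for n in invokers for p in mappings.get(n, [])),
        "unmapped_servlets": sorted(set(classes) - set(mappings) - invokers),
        "explicit_routes": {n: mappings[n] for n in sorted(mappings) if n not in invokers},
    }


if __name__ == "__main__":
    report = audit_web_xml(SAMPLE_WEB_XML)
    print("invoker mapped at:", report["invoker_patterns"] or "nowhere")
    print("declared but unmapped:", report["unmapped_servlets"])
    print("explicit routes:", report["explicit_routes"])
```

A non-empty `invoker_patterns` means the descriptor is not a complete list of what the application serves; `unmapped_servlets` lists declarations that have no URL of their own in web.xml.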