tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Invoker and Welcome page
Date Wed, 30 Mar 2016 23:21:56 GMT

On 3/30/16 5:14 PM, Federico Alvarez wrote:
> I'm using Tomcat 6.0.44 with Invoker Servlet, I know it is a bad
> idea/decision, but by now it is not in my reach to change that.

You are at risk of attack. That may change your stance on what is within
your reach.

> I'm using the ROOT webapp.
> What I need is to have a welcome page (index.htm) in the same
> directory I'm mapping with invoker.
> So, my WEB.XML looks like this:
> <servlet-mapping>
>   <servlet-name>invoker</servlet-name>
>   <url-pattern>/*</url-pattern>
> </servlet-mapping>

Can you enumerate the URLs you need to use the invoker with, and then
only map those using individual <url-pattern>s? If so, then all your
problems will likely go away.

> And my folder structure looks like this:
> Tomcat
>     Webapps
>         ROOT
>           index.htm
>           images
>              *.js, ...
>           WEB-INF
>              Web.xml
>              Classes
>                *.class, ...
> The idea is for a user to enter the URL:
> http://myserver:8080
> And have it [respond with] "index.htm", which will have a redirect to
> http://myserver:8080/loginpage.
> By now http://myserver:8080/loginpage is working, but not the
> welcome page.
> In Tomcat's WEB.XML the welcome page list is correctly defined, and
> removing the invoker mapping makes the welcome page work. Probably
> because it gets [handled] by the default [servlet]?


> It seems to me that one folder can only be [handled] by one [servlet],
> and
> that the invoker cannot be used with welcome pages. But maybe I'm wrong
> and there is a workaround.

No, the DefaultServlet handles welcome-files, and the invoker does
something different. By mapping the invoker servlet to "/*", you are
essentially disabling the DefaultServlet.

> If anyone has any idea of how to have this working it will be more
> than welcome.

If you can enumerate every servlet you expect to require the use of the
invoker, then you can simply map them separately like this:


This will also close the biggest security problem associated with the
invoker servlet.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message