David Jencks wrote: > When I wrote the jetty deployer I studied the spec and could not find > any support for this kind of dynamic servlet that isn't listed in > web.xml, so I didn't try to put any in. If someone has a good argument > that it is consistent with the spec (I thought it was not), we could > try something. We might be able to use another default servlet like > the static content one. If we do this I think we need a way to turn it > on and off: this seems like it will lead us to having the deployer know > about all or many of the default servlets, something I am not entirely > thrilled with. > thanks > david jencks
+1. The invoker is not a very secure mechanism - it allows any servlet on the classpath to be run - even if you have not configured it. It is hard to know exactly all the servlets that may lurk on a classpath or even to know what the full classpath is. Jetty and Tomcat by default have the invoker servlet turned off and nobody every complains (to Jetty anyway). So I would suggest either living with the warning or removing the invoker mapping from the demos. Also might be an idea to check the tomcat deployer - because either it is suppressing a warning or it has the invoker servlet configured by default. neither are optimal cheers
