Re: tomcat 4.0.5 not serving HTML pages

2002-09-26 Thread Bill Barker


Mona Wong-Barnum [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

 Sorry, I'm a moron, I commented out the wrong section in web.xml for the
 vulnerability (:

 All is well, 4.0.5 is now working for me.

 With 4.0.5, does it matter if the section in web.xml about the invoker
 is commented out or not?

Disabling the Invoker provides extra security against similar exploits
(although those would involve your classes, not Tomcat's [which are
checked]).  Of course, if you are using URLs of the form
http://myserver/myapp/servlet/MyServlet,  then you need the Invoker.  In
this case, you need to enable the Invoker, and make certain that none of
your classes (not restricted to servlets) reveal information if invoked by
http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.


 Cheers,

 Mona

 ==
 Mona Wong-Barnum
 National Center for Microscopy and Imaging Research
 University of California, San Diego
 http://ncmir.ucsd.edu/

 The truth shall set you free, but first it will piss you off
 A Landmark instructor
 ==





--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: tomcat 4.0.5 not serving HTML pages

2002-09-26 Thread Remy Maucherat

Bill Barker wrote:
 Mona Wong-Barnum [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 
Sorry, I'm a moron, I commented out the wrong section in web.xml for the
vulnerability (:

All is well, 4.0.5 is now working for me.

With 4.0.5, does it matter if the section in web.xml about the invoker
is commented out or not?
 
 
 Disabling the Invoker provides extra security against similar exploits
 (although those would involve your classes, not Tomcat's [which are
 checked]).  Of course, if you are using URLs of the form
 http://myserver/myapp/servlet/MyServlet,  then you need the Invoker.  In
 this case, you need to enable the Invoker, and make certain that none of
 your classes (not restricted to servlets) reveal information if invoked by
 http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.

Yes, the idea is that if you have a /foo/* URL mapping handled by a 
servlet, and a security constraint mapped to it, then you might have 
used /servlet/servlet_class/* to get around the security constraint.
Of course, that's a rare case, but that's why the invoker is now 
disabled by default.

Also, you can enable the invoker servlet in a particular webapp without 
enabling it in all webapps. See the examples webapp web.xml for the 
mapping to use.

Remy






RE: tomcat 4.0.5 not serving HTML pages

2002-09-26 Thread Larry Isaacs

Also, if you need .../servlet/class to invoke a particular
servlet, you can include a servlet mapping with /servlet/class
as the url-pattern to emulate invoker for that servlet.
This would avoid enabling invoker and exposing all servlets.

Cheers,
Larry

 -Original Message-
 From: Bill Barker [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, September 26, 2002 3:55 AM
 To: [EMAIL PROTECTED]
 Subject: Re: tomcat 4.0.5 not serving HTML pages
 
 
 

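An added example (constructed for this thread, not taken from Tomcat's own conf/web.xml or the examples webapp) showing Remy's and Larry's points in one per-webapp web.xml: the global invoker stays disabled, one servlet is mapped explicitly at the /servlet/class path it used to be reached through, and the security constraint lists that path alongside /foo/* so the second path cannot bypass it. The servlet name, class edu.ucsd.mypackage.ReportServlet and role "staff" are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Constructed example: servlet name, class and role are assumed. The
       global invoker mapping in conf/web.xml stays disabled; this app adds
       no /servlet/* mapping of its own. -->

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>edu.ucsd.mypackage.ReportServlet</servlet-class>
  </servlet>

  <!-- The intended URL for the servlet. -->
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/foo/*</url-pattern>
  </servlet-mapping>

  <!-- Larry's suggestion: keep the old /servlet/class URL working for this
       one servlet by mapping it explicitly instead of enabling the invoker. -->
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/servlet/edu.ucsd.mypackage.ReportServlet/*</url-pattern>
  </servlet-mapping>

  <!-- Remy's point: a constraint on /foo/* alone could be bypassed through
       the /servlet/... path, so list every pattern that reaches the servlet. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/foo/*</url-pattern>
      <url-pattern>/servlet/edu.ucsd.mypackage.ReportServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>

  <security-role>
    <role-name>staff</role-name>
  </security-role>
</web-app>
```

Any other class in the webapp is then reachable only through a mapping you wrote, which is the property disabling the invoker is meant to give you.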




Re: tomcat 4.0.5 not serving HTML pages

2002-09-25 Thread Brad Plies

Make sure the DefaultServlet is still active, it's the
InvokerServlet that gets you into trouble.

Read the text about it at:
http://jakarta.apache.org/site/news.html#0924.1

--- Mona Wong-Barnum [EMAIL PROTECTED] wrote:
 
   Due to the recent security vulnerability, I've upgraded to 4.0.5.
 However, it now seems I cannot see any of my HTML pages!  I am getting the
 tomcat 404 error page.
 
   I copied over my previous 4.0.4 conf/server.xml in which I have:
 
 <!-- Tomcat Root Context -->
 <Context path="" docBase="/scratch/project/tomcat" debug="0">
 </Context>
 
 <Context path="/ccdb"
          docBase="/scratch/project/telescience/webapps/ccdb"
          debug="0"
          reloadable="true">
 </Context>
 
 <!-- Tomcat Manager Context -->
 <Context path="/manager"
          docBase="/scratch/project/tomcat/manager"
          debug="0" privileged="true"/>
 
   HTML pages that used to work now don't.  Uh, anyone else upgraded?
 
   Any help is appreciated.
 
 Sincerely,
 
 Mona
 





Re: tomcat 4.0.5 not serving HTML pages

2002-09-25 Thread Brad Plies

Sorry, my initial reply got filtered by some kind of
language censor.  

Anyway, you need to make sure that your /conf/web.xml
has the DefaultServlet active.  The DefaultServlet is
responsible for serving static content.  

The most recent version of Tomcat tinkers a bit with
the InvokerServlet, which when used in combo. w/ the
DefaultServlet can give a web browser unprocessed JSP
source.

That, to me, is the best explanation of why you
suddenly cannot serve static content, and if you
uninstalled then reinstalled, your /conf/web.xml is not
overwritten, so that is probably the cause.

Hope that helps!
--- Mona Wong-Barnum [EMAIL PROTECTED] wrote:
 
   I went back to my previous 4.0.4 version and it is now not serving my
 HTML pages either!  This was working before ...
 
   The JSPs are served fine though.
 
   All help is appreciated.
 
 thanks,
 
 Mona
 
