Re: JSP works, Servlet does not work

2004-03-29 Thread Robert Mazur
On Saturday 27 March 2004 17:07, Phillip Rhodes wrote:
 Robert Mazur wrote:
  SUMMARY:
  JSPs work, but servlets give:
  HTTP Status 404 - /sampleapp/servlet/samplepackage.SampleServlet

 Offhand, this sounds like the problem people experience because
 newer versions of Tomcat ship with the Invoker servlet
 disabled by default.  Take a look at this page,
 and see if this helps:

 http://www.cs.fiu.edu/~downeyt/cgs4825/context.html

 You can tell if this is the problem you're having if
 you define a servlet mapping in your web.xml and you
 can access your servlet that way, but accessing it using
 the /servlet/whatever url pattern fails.

 HTH.. otherwise, hopefully some of the more knowledgeable
 list members will chime in..

 TTYL,

 Phil
Phil and Doug,

Thanks to you both for the help.  I have it working now.   Man, I am so 
psyched that I can stop beating my head against the wall.  I was definitely 
cruising down the wrong path in trying to fix this problem.  Your posts saved 
me a lot of grief.

So as Doug mentioned, leaving the invoker open as default can lead to evil.  
Is this because then Tomcat would be willing to invoke any old servlet that a 
cracker might manage to upload to your server?  So all the mapping in 
web.xml is extra insurance that Tomcat will execute only what you want it to?

If that is not the reason, could someone mention what else the reasons could 
be for the potential evil?

Thanks guys!
Rob


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: JSP works, Servlet does not work

2004-03-29 Thread Parsons Technical Services
Robert,

That's one. The other is if you have a servlet sitting in your app that
should be called by another class. If the hacker gets lucky he could call
this servlet with his own query/post from the URL and bypass any
check/security you may have in the calling servlet. Now if the nonpublic
servlet can access things and return them to the client you could have a big
hole for the hacker to look into your data with.

Now with this in mind suppose the servlet can query a database using the
querystring data and the database contains sensitive data. Hackers seem to
have this unlimited amount of time to try thousands of combinations until
they get a response. Once they figure out your structure, you're sunk.

Look at all your servlets and ask what can they do if you call them
directly. Can their use be twisted?

Now let your imagination flow.

Doug

- Original Message - 
From: Robert Mazur [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Monday, March 29, 2004 10:30 AM
Subject: Re: JSP works, Servlet does not work





Re: JSP works, Servlet does not work

2004-03-29 Thread Phillip Rhodes
Parsons Technical Services wrote:

Look at all your servlets and ask what can they do if you call them
directly. Can their use be twisted?
Now let your imagination flow.

Gotta agree w/ Doug. The Invoker servlet has nasty connotations.
I like having it turned on, just for development, as it can
sometimes be a convenience.  But for any externally exposed,
production system, it probably should be turned off.
Also, along those same lines... there's a train of thought
that says it's bad because having URL patterns like
/servlet/MyServlet tips off users as to what underlying
technology your application uses.  And while security
through obscurity is somewhat frowned upon, I agree that
there's no point giving would-be hackers any additional
info for free.
So with that in mind, you might want to consider the fact
that you can remap all your URL patterns as you see fit.
For example, you could configure Tomcat to use a .asp
extension, instead of .jsp!  Yeah it's only a minor advantage,
but think about it.. if Joe Script Kiddie sees .asp or .aspx
extensions on your site, he's going to start running IIS
exploits against your site.. none of which are going to work
if you're using standalone Tomcat, or Tomcat + different HTTP server.
So maybe he gets bored and moves on to somebody else's server.
Anyway, just something to think about...

TTYL,

Phil

--
When the 1st Amendment no longer protects your voice.
And when the 4th Amendment no longer protects your privacy or your stuff.
Thank God we have the 2nd Amendment to tell our elected representatives 
that enough is enough.
It's time to put ... from my cold, dead hands back where it belongs.

FREE AMERICA
Vote Libertarian
www.lp.org


Re: JSP works, Servlet does not work

2004-03-27 Thread Phillip Rhodes
Robert Mazur wrote:
SUMMARY:
JSPs work, but servlets give:
HTTP Status 404 - /sampleapp/servlet/samplepackage.SampleServlet
Offhand, this sounds like the problem people experience because
newer versions of Tomcat ship with the Invoker servlet
disabled by default.  Take a look at this page,
and see if this helps:
http://www.cs.fiu.edu/~downeyt/cgs4825/context.html

You can tell if this is the problem you're having if
you define a servlet mapping in your web.xml and you
can access your servlet that way, but accessing it using
the /servlet/whatever url pattern fails.
HTH.. otherwise, hopefully some of the more knowledgeable
list members will chime in..
TTYL,

Phil



Re: JSP works, Servlet does not work

2004-03-27 Thread Parsons Technical Services
Robert,

As Phillip said you have just met the Ghost of Invoker Past.

Short story is that it can be used for evil thus commented out.
Short fix is to uncomment it.

But as you did try the correct way, adding mappings, I say good for
you and don't give up yet. Now to fix your problem. You have added:

<servlet>
  <servlet-name>SampleServlet</servlet-name>
  <servlet-class>samplepackage.SampleServlet</servlet-class>
</servlet>
If this is all you put in then your problem is you are missing the second
part.

Here is an example of a working web.xml.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp">
  <display-name>death</display-name>

  <!-- Servlet declarations: name + class, no URL yet -->
  <servlet>
    <servlet-name>Info</servlet-name>
    <display-name>Info</display-name>
    <servlet-class>reeper.Info</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Select</servlet-name>
    <display-name>Select</display-name>
    <servlet-class>reeper.Select</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Playing</servlet-name>
    <display-name>Playing</display-name>
    <servlet-class>reeper.Playing</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Scores</servlet-name>
    <display-name>Scores</display-name>
    <servlet-class>reeper.Scores</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Status</servlet-name>
    <display-name>Status</display-name>
    <servlet-class>reeper.Status</servlet-class>
  </servlet>

  <!-- Servlet mappings: each servlet-name must match a <servlet> declared
       above ("Playing" is declared; "Players" is not), and every
       url-pattern must start with "/" -->
  <servlet-mapping>
    <servlet-name>Info</servlet-name>
    <url-pattern>/Info</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Select</servlet-name>
    <url-pattern>/Select</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Playing</servlet-name>
    <url-pattern>/Players</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Playing</servlet-name>
    <url-pattern>/Golfers</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Scores</servlet-name>
    <url-pattern>/Scores</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Status</servlet-name>
    <url-pattern>/Status</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Note the order is important.

Doug

- Original Message - 
From: Robert Mazur [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 5:16 PM
Subject: JSP works, Servlet does not work


 SUMMARY:
 JSPs work, but servlets give:
 HTTP Status 404 - /sampleapp/servlet/samplepackage.SampleServlet

 DETAIL:
 I am a long time tomcat 3.X user.  I'm trying to switch to version 5.0.19.
I
 am at the end of full day #2 trying to get a simple webapp to work with:
 -SUSE9, -Apache 2.0.49, -Tomcat 5.0.19
 -jakarta-tomcat-connectors-jk2-2.0.4-src

 Here's the kicker:  Tomcat's sample-servlets *do* work, and I have a
servlet
 auto-load in my app's web.xml and that DOES work too.  But direct calls to
 this don't work:
 http://localhost/sampleapp/servlet/samplepackage.SampleServlet

 The same exact WAR file works when placed into tomcat 3.2.23.

 I think I have tried everything imaginable, using online docs, O'Reilly's
book
 and Wrox books as reference, archives to this list, including:

 1) Let the Tomcat Manager add the war file for me
 2) Added a Context into tomcat's server.xml for the app
 3) Added a context fragment into the webapps/ directory
 4) Specifically added a mapping to the app's web.xml:
   <servlet>
     <servlet-name>SampleServlet</servlet-name>
     <servlet-class>samplepackage.SampleServlet</servlet-class>
   </servlet>
 I have never had to specifically map each individual servlet in the app's
 web.xml file before while using version 3.x.  And all the various docs
 are not conclusive on whether this is mandatory.  Is it?

 Anyway, all my servlets reside in the correct place in the .war and the
 resulting directory, for example:

tomcat_home/webapps/sampleapp/WEB-INF/classes/samplepackage/SampleServlet

 And, the log files reveal nothing.  The apache log file notes that the
servlet
 was called.  And the tomcat catalina.log shows nothing other than the
 auto-loaded servlet correctly launching.

 What's a guy gotta do to get this to work? :-)  Seriously though, any
pointers
 would be MUCH appreciated.

 Rob







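The two mistakes this thread turns on (a servlet declared without a servlet-mapping, and relying on the Invoker's /servlet/* catch-all instead of explicit mappings) are easy to catch with a small web.xml check. The linter below is an added example, not code from the thread or from Tomcat; the sample web.xml it scans is constructed to contain those mistakes, plus a mapping to an undeclared servlet and a url-pattern missing its leading slash, and the "default"/"jsp"/"invoker" names it tolerates are the servlets Tomcat declares in its own conf/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml reproducing the mistakes discussed in the thread:
# a declared servlet with no mapping, a mapping to an undeclared servlet,
# a url-pattern with no leading "/", and an Invoker-style /servlet/* mapping.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>SampleServlet</servlet-name>
           <servlet-class>samplepackage.SampleServlet</servlet-class></servlet>
  <servlet><servlet-name>Status</servlet-name>
           <servlet-class>reeper.Status</servlet-class></servlet>
  <servlet-mapping><servlet-name>Players</servlet-name>
                   <url-pattern>/Players</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Status</servlet-name>
                   <url-pattern>Status</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>invoker</servlet-name>
                   <url-pattern>/servlet/*</url-pattern></servlet-mapping>
</web-app>"""

# Servlets Tomcat declares in its global conf/web.xml, so an app-level
# mapping to one of these names is not a mapping to an undeclared servlet.
GLOBAL_SERVLETS = {"default", "jsp", "invoker"}


def lint_web_xml(text):
    """Return a list of (severity, message) findings for one web.xml document."""
    root = ET.fromstring(text)
    # Servlet 2.4+ descriptors carry a default namespace; strip it so the same
    # tag names work for the 2.2 DTD style used in the thread.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    declared = {s.findtext("servlet-name") for s in root.findall("servlet")}
    mapped, findings = set(), []
    for m in root.findall("servlet-mapping"):
        name = m.findtext("servlet-name")
        pattern = m.findtext("url-pattern") or ""
        mapped.add(name)
        if name not in declared and name not in GLOBAL_SERVLETS:
            findings.append(("error", f"mapping for undeclared servlet '{name}'"))
        if not (pattern.startswith("/") or pattern.startswith("*.")):
            findings.append(("error", f"url-pattern '{pattern}' must start with '/' or '*.'"))
        if pattern.startswith("/servlet/"):
            findings.append(("warning", f"'{pattern}' enables Invoker-style dispatch; map each servlet explicitly"))
    # A declared servlet with no mapping is exactly Rob's 404: unreachable by URL.
    for name in sorted(declared - mapped):
        findings.append(("warning", f"servlet '{name}' has no servlet-mapping and is unreachable by URL"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_web_xml(SAMPLE_WEB_XML):
        print(f"{severity}: {message}")
```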