Re: Security threat with enabling invoker servlet in 4.1.12
The invoker servlet allows for anyone to call your servlets using their class names. This is not a problem as long as you are happy with that. In my case I have some internal servlets (used as a poor substitute for RMI) where I map the servlets to be under /internal/some.servlet and then protect /internal/* in my Apache web server in front of Tomcat. I don't use the invoker servlet since I want to declare exactly how my servlets are to be accessed.

Martin

Budi Kurniawan wrote:

> Hi,
>
> I've browsed the user list for this question but could not find the answer. Apologies if this is not the right question for this list.
>
> The release note in 4.1.12 says that the invoker servlet is turned off in the default web.xml for security reasons. However, in the examples app's web.xml the invoker is on. My questions are:
>
> 1. What security threat is that?
> 2. If it is not safe to turn it on in the default web.xml, is it safe to do so in the app web.xml?
>
> thx,
> budi

--
To unsubscribe, e-mail: mailto:tomcat-dev-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-dev-help;jakarta.apache.org
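As an added illustration, not part of any message in this thread: the web.xml fragments below contrast the invoker mapping (shown commented out, which is how the 4.1.12 default web.xml ships it) with the explicit per-servlet mapping Martin describes. Because the invoker resolves a class name from the URL, enabling it in an application's web.xml exposes every servlet class that application can load under /servlet/ClassName, whether or not a mapping was ever declared for it. The servlet class, the /internal/sync path and the role name are placeholders, and the security-constraint is a Tomcat-side stand-in for the Apache protection of /internal/* that Martin mentions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

  <!-- Weak setting: the invoker servlet as it appears in the Tomcat 4
       default web.xml. Left commented out (the 4.1.12 default). With this
       active, any loadable servlet class is reachable by class name under
       /servlet/*, with no mapping declared for it. -->
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- Explicit mapping: only the servlets declared here are reachable, and
       only at the URL you choose. The class name is a placeholder. -->
  <servlet>
    <servlet-name>internal-sync</servlet-name>
    <servlet-class>com.example.internal.SyncServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>internal-sync</servlet-name>
    <url-pattern>/internal/sync</url-pattern>
  </servlet-mapping>

  <!-- Container-side protection of /internal/*. Martin does this in Apache
       in front of Tomcat; this is the equivalent inside the web app and
       assumes a realm is configured that knows the placeholder role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal servlets</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>internal-caller</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Internal</realm-name>
  </login-config>

  <security-role>
    <role-name>internal-caller</role-name>
  </security-role>

</web-app>
```

A quick check after deploying: a request to /servlet/com.example.internal.SyncServlet should return 404 when the invoker block stays commented out, while /internal/sync should prompt for credentials rather than serve the servlet anonymously.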
Re: Security threat with enabling invoker servlet in 4.1.12
Thanks Martin,

budi

On Mon, 4 Nov 2002, Martin Algesten wrote:

> The invoker servlet allows for anyone to call your servlets using their class names. This is not a problem as long as you are happy with that. In my case I have some internal servlets (used as a poor substitute for RMI) where I map the servlets to be under /internal/some.servlet and then protect /internal/* in my Apache web server in front of Tomcat. I don't use the invoker servlet since I want to declare exactly how my servlets are to be accessed.
>
> Martin
>
> Budi Kurniawan wrote:
>
> > Hi,
> >
> > I've browsed the user list for this question but could not find the answer. Apologies if this is not the right question for this list.
> >
> > The release note in 4.1.12 says that the invoker servlet is turned off in the default web.xml for security reasons. However, in the examples app's web.xml the invoker is on. My questions are:
> >
> > 1. What security threat is that?
> > 2. If it is not safe to turn it on in the default web.xml, is it safe to do so in the app web.xml?
> >
> > thx,
> > budi
RE: Security threat with enabling invoker servlet in 4.1.12
-----Original Message-----
From: Budi Kurniawan [mailto:budik;cse.unsw.EDU.AU]
Sent: Friday, November 01, 2002 7:22 PM
To: Tomcat Developers List
Subject: Security threat with enabling invoker servlet in 4.1.12

> Hi,
>
> I've browsed the user list for this question but could not find the answer. Apologies if this is not the right question for this list.
>
> The release note in 4.1.12 says that the invoker servlet is turned off in the default web.xml for security reasons. However, in the examples app's web.xml the invoker is on. My questions are:
>
> 1. What security threat is that?
> 2. If it is not safe to turn it on in the default web.xml, is it safe to do so in the app web.xml?
>
> thx,
> budi

This probably is more appropriate for the user list, but to answer your question, please see
http://www.mail-archive.com/tomcat-dev;jakarta.apache.org/msg33723.html
and
http://www.mail-archive.com/tomcat-dev;jakarta.apache.org/msg34918.html

--
Tim Moore / Blackboard Inc. / Software Engineer
1899 L Street, NW / 5th Floor / Washington, DC 20036
Phone 202-463-4860 ext. 258 / Fax 202-463-4863
Security threat with enabling invoker servlet in 4.1.12
Hi,

I've browsed the user list for this question but could not find the answer. Apologies if this is not the right question for this list.

The release note in 4.1.12 says that the invoker servlet is turned off in the default web.xml for security reasons. However, in the examples app's web.xml the invoker is on. My questions are:

1. What security threat is that?
2. If it is not safe to turn it on in the default web.xml, is it safe to do so in the app web.xml?

thx,
budi