John,

From the release notes

------------------------
Enabling invoker servlet:
------------------------

Starting with Tomcat 4.1.12, the invoker servlet is no longer available by
default in all webapps. Enabling it for all webapps is possible by editing
$CATALINA_HOME/conf/web.xml to uncomment the "/servlet/*" servlet-mapping
definition.

Using the invoker servlet in a production environment is not recommended and
is unsupported.


You will either need to uncomment these lines in $TOMCAT_HOME/conf/web.xml

    <!-- The mapping for the invoker servlet -->
<!--
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
-->


or add similar lines to each WebApp's web.xml that you wish to use the
default servlet.  

Reason for change:
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x
releases (including Tomcat 4.0.5), which allows the use of a specially crafted
URL to return the unprocessed source of a JSP page, or, under special
circumstances, a static resource which would otherwise have been protected
by a security constraint, without the need for being properly authenticated.
This is based on a variant of the exploit that was disclosed on 09/24/2002.


It was never clear to me if the Tomcat code itself was modified to limit the
impact of this issue, if the invoker servlet was turned on.  In either case,
their disclaimer says use of the invoker servlet is not supported.


Jeff
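A check for the state Jeff describes, added here as an example (it is not code from this thread or from Tomcat): it parses a web.xml and reports every live servlet-mapping that routes to the InvokerServlet, so the shipped default with the mapping inside a comment comes back empty while the uncommented file does not. The two web.xml strings are constructed samples.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample in the shape of Tomcat 4.1's conf/web.xml: the invoker
# servlet is declared, and its "/servlet/*" mapping is wrapped in a comment,
# which is the shipped default since 4.1.12.
INVOKER_MAPPING = """    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
"""
TEMPLATE = """<web-app>
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>{cls}</servlet-class>
    </servlet>
    <!-- The mapping for the invoker servlet -->
{mapping}</web-app>
"""
WEB_XML_DISABLED = TEMPLATE.format(cls=INVOKER_CLASS,
                                   mapping="<!--\n" + INVOKER_MAPPING + "-->\n")
WEB_XML_ENABLED = TEMPLATE.format(cls=INVOKER_CLASS, mapping=INVOKER_MAPPING)


def _local(tag: str) -> str:
    """Strip any XML namespace so newer, namespaced web.xml files also work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local name, or ''."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def invoker_mappings(web_xml: str) -> list:
    """Return every url-pattern that routes to the InvokerServlet.

    ElementTree discards comments while parsing, so a mapping that only
    exists inside <!-- --> is not reported; only a live mapping is.
    """
    root = ET.fromstring(web_xml)
    elements = list(root.iter())
    # servlet-name -> servlet-class for every declared servlet
    classes = {_child_text(e, "servlet-name"): _child_text(e, "servlet-class")
               for e in elements if _local(e.tag) == "servlet"}
    return [_child_text(m, "url-pattern")
            for m in elements if _local(m.tag) == "servlet-mapping"
            and classes.get(_child_text(m, "servlet-name")) == INVOKER_CLASS]


if __name__ == "__main__":
    print("default web.xml:", invoker_mappings(WEB_XML_DISABLED))  # []
    print("uncommented    :", invoker_mappings(WEB_XML_ENABLED))   # ['/servlet/*']
```

Run it against $CATALINA_HOME/conf/web.xml and each deployed WEB-INF/web.xml; any non-empty result means requests under that pattern reach the unsupported invoker.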
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 24, 2002 9:10 AM
To: [EMAIL PROTECTED]
Subject: default servlet path?


Hi all,

If memory serves me correctly, once upon a time I could put a servlet called
SomeServlet under webapps/abc/web-inf/classes/a/b and access it with the url
http://localhost:8080/abc/servlet/a.b.SomeServlet.  I could do this without
explicitly naming the servlet in my web.xml.  This doesn't seem to work
anymore.  I've tried several other combinations that don't work, either.
I'm using Tomcat 4.1.18.  Am I doing it wrong or has something changed?

thanks

john gregg
Wells Fargo Service Corporation
Minneapolis, MN

--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
