John, >From the release notes
------------------------ Enabling invoker servlet: ------------------------ Starting with Tomcat 4.1.12, the invoker servlet is no longer available by default in all webapp. Enabling it for all webapps is possible by editing $CATALINA_HOME/conf/web.xml to uncomment the "/servlet/*" servlet-mapping definition. Using the invoker servlet in a production environment is not recommended and is unsupported. You will either need to uncomment these lines in $TOMCAT_HOME/conf/web.xml <!-- The mapping for the invoker servlet --> <!-- <servlet-mapping> <servlet-name>invoker</servlet-name> <url-pattern>/servlet/*</url-pattern> </servlet-mapping> --> or add similar lines to each WebApp's web.xml that you wish to use the default servlet. Reason for change: A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was disclosed on 09/24/2002. It was never clear to me if the Tomcat code itself was modifed to limit the impact of this issue, if the invoker servlet was turned on. In either case, their disclaimer says use of the invoker servlet is not supported. Jeff -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 24, 2002 9:10 AM To: [EMAIL PROTECTED] Subject: default servlet path? Hi all, If memory serves me correctly, once upon a time I could put a servlet called SomeServlet under webapps/abc/web-inf/classes/a/b and access it with the url http://localhost:8080/abc/servlet/a.b.SomeServlet. I could do this without explicitly naming the servlet in my web.xml. This doesn't seem to work anymore. I've tried several other combinations that don't work, either. I'm using Tomcat 4.1.18. Am I doing it wrong or has something changed? thanks john gregg Wells Fargo Service Corporation Minneapolis, MN -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>