On Thu, 14 Mar 2002, Tony LaPaso wrote: > Hi All, > > First, let me say that I'm *not* requesting creative ways to get > around this behavior. I'm wondering if the Servlet Spec > (sec. SRV.11.1) should be refined to address this issue. I'm using > Tomcat v4.0.3 on Win 2K. > > Let's say I have this servlet declaration in my deployment descriptor: > > <servlet> > <servlet-name>HelloWorld</servlet-name> > <servlet-class>com.abc.def.HelloWorld</servlet-class> > </servlet> > > What I'm finding (and I don't like) is that I can invoke this > servlet either by its "servlet name" or its fully-qualified class > name: > > URL #1: http://myHost/servlet/HelloWorld > > OR > > URL #2: http://myHost/servlet/com/abc/def/HelloWorld
I'm wondering if a third URL format will work as well: URL #3: http://myHost/servlet/com.abc.def.HelloWorld This is really the fully-qualified class name, your URL #2 is simply the full path to the class file. [ ... ] > My general feel is that the server administrator should have > complete control over the name(s) (i.e., URLs) by which a servlet is > know to the world. I'm wondering if SRV.11.1 should be > updated. Here's a "plain English" proposal: > > "If a <servlet-mapping> element(s) exists in the > deployment descriptor, the servlet is accessible > *only* via the specified <url-pattern> element(s) > and *not* by the <servlet-name> element(s) within > the <servlet> element. > > If *no* <servlet-mapping> element(s) is present but a > <servlet> element exists, the servlet is accessible > *only* via the enclosed <servlet-name> element(s). If a > <servlet> element does *not* exist, then the servlet is > searched for using specified URL path." > > Comments?? Is this a dumb idea? Well, I suspect others will have some comments on the pros/cons/appropriateness of including something like this in the spec. One thing I will say is perhaps it's going too far to totally disallow such alternatives; something less severe would be to specify that there be an easy way to disable them. And perhaps only the full class name (URL #3 above) and full path to the class (URL #2 above) alternatives should be restricted. Also, I suspect that with most web servers/servlet containers there's an easy way to disable such URLs -- I can certainly imagine how to do it with Apache directives when using Apache/Tomcat. And, for the full class name/full path alternatives, you could simple specify servlet-mapping's in the web.xml that have them invoke the servlet by servlet-name. That would eliminate any issues with extra instances being created and/or init-param's not working. Milt Epstein Research Programmer Software/Systems Development Group Computing and Communications Services Office (CCSO) University of Illinois at Urbana-Champaign (UIUC) [EMAIL PROTECTED] ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
