On Thu, 31 Oct 2002, Paul Copeland wrote: > Starting with Tomcat 4.1.12 the old style servlet URL's > "app/servlet/class-path" are no longer available in the default > web.xml configuration. > > This can be a problem for "legacy" servlet applications, for > instance web pages with hyperlinks that use the old style URL would > suddenly stop working with 4.1.12 Tomcat. > > You can turn old-style servlet URL's back on (see Tomcat release > notes) but then your servlet container is vulnerable to a documented > security hole (which is why it is off by default now). [ ... ]
I don't believe this is quite accurate. It's true there was a vulnerability found in Tomcat versions 4.0.5 (and earlier 4.0.* versions) and Tomcat 4.1.12 (and earlier 4.1.* versions). But I believe later versions in those series have had this vulnerability fixed -- that is, you can leave the invoker servlet enabled and not be susceptible to this vulnerability. (The invoker servlet is what allows the use of the .../app/servlet/class-path URL's.) Check the docs/release notes to be sure. Milt Epstein Research Programmer Integration and Software Engineering (ISE) Campus Information Technologies and Educational Services (CITES) University of Illinois at Urbana-Champaign (UIUC) [EMAIL PROTECTED] ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
