Milt - Right, it is hard to be "accurate" about the future :-) You are
right, it looks like the traditional InvokerServlet mapping is turned
back on in 4.0.6.

But at least for the latest stable version of Tomcat (4.1.12)
traditional servlet URLs (.../app/servlet/class-path) don't work by
default for security reasons (according to the release notes). If there
are clients of your servlets using that kind of URL they will suddenly
stop working when you migrate to 4.1.12.

It is possible that you do not own all the pages with links to your
servlets, or even if you do, it might be impractical to change all the
hyperlinks. You can edit web.xml to turn back on the mapping globally,
or selectively map the URLs for legacy clients, similar to the
following example:

<servlet>
    <servlet-name>HelloJot</servlet-name>
    <servlet-class>com.jotobjects.demo.servlet.HelloJot</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>HelloJot</servlet-name>
    <url-pattern>/servlet/com.jotobjects.demo.servlet.HelloJot</url-pattern>
</servlet-mapping>

This enables URLs like this:

   http://[host]/[app]/servlet/com.jotobjects.demo.servlet.HelloJot

--  Paul Copeland, JOT Object Technologies - http://www.jotobjects.com
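
The two choices Paul describes, side by side, as an added example (not Paul's file and not Tomcat's own conf/web.xml): the global invoker mapping that Tomcat 4 ships in conf/web.xml, shown commented out as in the 4.1.12 default, next to an explicit per-servlet mapping in the application's WEB-INF/web.xml. The servlet name and class are assumed to match the post.

```xml
<!-- WEB-INF/web.xml (assumed fragment; DOCTYPE and other entries omitted) -->
<web-app>

  <!-- Option 1: the global invoker mapping. Turning this back on means
       InvokerServlet resolves ANY class name written after /servlet/
       and dispatches to it, so every servlet class on the classpath
       becomes reachable by URL. Left commented out here, which is the
       4.1.12 default the thread refers to. -->
  <!--
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- Option 2: one explicit mapping per legacy URL that must keep
       working. Only the named class answers at its old path; any other
       /servlet/ path is not dispatched to a class at all. -->
  <servlet>
    <servlet-name>HelloJot</servlet-name>
    <servlet-class>com.jotobjects.demo.servlet.HelloJot</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloJot</servlet-name>
    <url-pattern>/servlet/com.jotobjects.demo.servlet.HelloJot</url-pattern>
  </servlet-mapping>

</web-app>
```

Repeat the second pair for each legacy link you need to keep alive, and leave the invoker block commented out.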

------------------------------

Date:    Thu, 31 Oct 2002 17:06:36 -0600
From:    Milt Epstein <[EMAIL PROTECTED]>
Subject: Re: Tomcat 4.1.12 "/servlet" URL's

On Thu, 31 Oct 2002, Paul Copeland wrote:

> Starting with Tomcat 4.1.12 the old style servlet URLs
> "app/servlet/class-path" are no longer available in the default
> web.xml configuration.
>
> This can be a problem for "legacy" servlet applications, for
> instance web pages with hyperlinks that use the old style URL would
> suddenly stop working with 4.1.12 Tomcat.
>
> You can turn old-style servlet URLs back on (see Tomcat release
> notes) but then your servlet container is vulnerable to a documented
> security hole (which is why it is off by default now).
> [ ... ]

I don't believe this is quite accurate.  It's true there was a
vulnerability found in Tomcat versions 4.0.5 (and earlier 4.0.*
versions) and Tomcat 4.1.12 (and earlier 4.1.* versions).  But I
believe later versions in those series have had this vulnerability
fixed -- that is, you can leave the invoker servlet enabled and not be
susceptible to this vulnerability.  (The invoker servlet is what
allows the use of the .../app/servlet/class-path URL's.)  Check the
docs/release notes to be sure.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

------------------------------