On Sun, 3 Nov 2002, Paul Copeland wrote:

> Milt - Right, it is hard to be "accurate" about the future :-) You
> are right, it looks like the traditional InvokerServlet mapping is
> turned back on in 4.0.6.
>
> But at least for the latest stable version of Tomcat (4.1.12)
> traditional servlet URLs (.../app/servlet/class-path) don't work by
> default for security reasons (according to the release notes). If
> there are clients of your servlets using that kind of URL they will
> suddenly stop working when you migrate to 4.1.12.

Oh, I hadn't noticed that 4.1.14 was listed as the latest stable
release in the 4.1.* path. Although the way they label these things,
I'm not sure that's such a big deal (once you're past the first stable
release in a path, and if there are no major known problems with a
release -- both of which are true for 4.1.14, I believe).

> It is possible that you do not own all the pages with links to your
> servlets, or even if you do, it might be impractical to change all
> the hyperlinks. You can edit web.xml to turn back on the mapping
> globally, or selectively map the URL's for legacy clients, similar
> to the following example:

Yes, this will work. And your caveats are valid. But since these
"/servlet/*" URL's are not spec-compliant, and hence not guaranteed to
be portable across servlet containers, it might be good to revisit
whether they should exist/work in the first place.

> <servlet>
>   <servlet-name>HelloJot</servlet-name>
>   <servlet-class>com.jotobjects.demo.servlet.HelloJot</servlet-class>
> </servlet>
>
> <servlet-mapping>
>   <servlet-name>HelloJot</servlet-name>
>   <url-pattern>/servlet/com.jotobjects.demo.servlet.HelloJot</url-pattern>
> </servlet-mapping>
>
> This enables URL's like this -
>
> http://[host]/[app]/servlet/com.jotobjects.demo.servlet.HelloJot
>
> -- Paul Copeland, JOT Object Technologies - http://www.jotobjects.com
>
> > ------------------------------
> >
> > Date: Thu, 31 Oct 2002 17:06:36 -0600
> > From: Milt Epstein <[EMAIL PROTECTED]>
> > Subject: Re: Tomcat 4.1.12 "/servlet" URL's
> >
> > On Thu, 31 Oct 2002, Paul Copeland wrote:
> >
> >> Starting with Tomcat 4.1.12 the old style servlet URL's
> >> "app/servlet/class-path" are no longer available in the default
> >> web.xml configuration.
> >>
> >> This can be a problem for "legacy" servlet applications, for
> >> instance web pages with hyperlinks that use the old style URL would
> >> suddenly stop working with 4.1.12 Tomcat.
> >>
> >> You can turn old-style servlet URL's back on (see Tomcat release
> >> notes) but then your servlet container is vulnerable to a documented
> >> security hole (which is why it is off by default now).
> >
> > [ ... ]
> >
> > I don't believe this is quite accurate. It's true there was a
> > vulnerability found in Tomcat versions 4.0.5 (and earlier 4.0.*
> > versions) and Tomcat 4.1.12 (and earlier 4.1.* versions). But I
> > believe later versions in those series have had this vulnerability
> > fixed -- that is, you can leave the invoker servlet enabled and not be
> > susceptible to this vulnerability. (The invoker servlet is what
> > allows the use of the .../app/servlet/class-path URL's.) Check the
> > docs/release notes to be sure.
> >
> > Milt Epstein
> > Research Programmer
> > Integration and Software Engineering (ISE)
> > Campus Information Technologies and Educational Services (CITES)
> > University of Illinois at Urbana-Champaign (UIUC)
> > [EMAIL PROTECTED]
> >
> > ------------------------------

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
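The thread contrasts two ways of keeping legacy `/servlet/<class>` URLs alive: re-enabling the wildcard invoker servlet (`/servlet/*`, which exposes every servlet class on the classpath), or Paul's explicit per-class `<servlet-mapping>` entries, which Milt notes are the spec-compliant and portable option. The script below is an added example, not part of the original thread or of Tomcat itself: it audits a web.xml for the wildcard invoker mapping and generates the explicit, allow-listed fragment for a given set of servlet classes. The sample web.xml is constructed for the example; the class name `org.apache.catalina.servlets.InvokerServlet` is Tomcat 4's invoker class, and `com.jotobjects.demo.servlet.HelloJot` is the class from Paul's message.

```python
"""Audit a Tomcat web.xml for the wildcard invoker mapping (/servlet/*) and
emit explicit, spec-compliant servlet-mappings for an allow-list of legacy
servlet classes instead. Added example; not code from the thread or Tomcat."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# A fully-qualified Java class name: dot-separated identifiers only. No '/',
# '*' or other path characters can get in, so an allow-list entry can never
# widen a generated url-pattern back into a wildcard.
_FQCN = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

INVOKER_PATTERN = "/servlet/*"   # the url-pattern Tomcat's invoker servlet uses


def is_valid_class_name(fqcn):
    """True if fqcn looks like a Java fully-qualified class name."""
    return bool(_FQCN.match(fqcn))


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def invoker_enabled(web_xml_text):
    """True if any <servlet-mapping> in web.xml maps /servlet/*, i.e. the
    invoker servlet (and with it every class on the classpath) is reachable."""
    root = ET.fromstring(web_xml_text)
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        for child in mapping:
            if _local(child.tag) == "url-pattern" and \
                    (child.text or "").strip() == INVOKER_PATTERN:
                return True
    return False


def legacy_servlet_mappings(class_names):
    """Build <servlet>/<servlet-mapping> entries that keep the legacy
    /servlet/<class> URL working for exactly the listed classes."""
    servlets, mappings, seen = [], [], set()
    for fqcn in class_names:
        if not is_valid_class_name(fqcn):
            raise ValueError(f"not a Java class name: {fqcn!r}")
        name = fqcn.rsplit(".", 1)[-1]       # servlet-name, as in Paul's example
        if name in seen:                     # two classes with the same simple name
            raise ValueError(f"duplicate servlet-name {name!r}")
        seen.add(name)
        servlets.append(
            "  <servlet>\n"
            f"    <servlet-name>{escape(name)}</servlet-name>\n"
            f"    <servlet-class>{escape(fqcn)}</servlet-class>\n"
            "  </servlet>\n")
        mappings.append(
            "  <servlet-mapping>\n"
            f"    <servlet-name>{escape(name)}</servlet-name>\n"
            f"    <url-pattern>/servlet/{escape(fqcn)}</url-pattern>\n"
            "  </servlet-mapping>\n")
    # The web-app 2.3 DTD requires all <servlet> elements before any <servlet-mapping>.
    return "".join(servlets) + "".join(mappings)


def hardened_web_xml(class_names):
    """A minimal web.xml containing only explicit mappings, no invoker."""
    return "<web-app>\n" + legacy_servlet_mappings(class_names) + "</web-app>\n"


# Constructed sample: a Tomcat 4 style web.xml with the invoker mapping
# turned back on globally, the configuration the thread warns about.
SAMPLE_WEB_XML_WITH_INVOKER = """<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    print("sample enables invoker:", invoker_enabled(SAMPLE_WEB_XML_WITH_INVOKER))
    fixed = hardened_web_xml(["com.jotobjects.demo.servlet.HelloJot"])
    print(fixed)
    print("hardened enables invoker:", invoker_enabled(fixed))
```

Run it as a script to see the audit result for the constructed sample and the generated fragment; in practice you would feed `invoker_enabled()` each deployed web.xml (the global one under `conf/` and each application's `WEB-INF/web.xml`) and paste the output of `legacy_servlet_mappings()` for the classes legacy clients actually use, so that the invoker can stay disabled.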