There was a security flaw in 4.1.11 and earlier such that /servlet/* could be used for bad things. The flaw was fixed in the invoker servlet for the "obvious" issues but it still leaves the door open for people to do other bad things if people aren't careful.

In $CATALINA_HOME/conf/web.xml - look for the invoker servlet and uncomment it to turn that functionality back on. My guess is it is now commented out by default (which is a good practice to have).

Personally - I hate the concept of /servlet/* being able to invoke a class. It may make development easier - but then you run into subtle security goofs.

-Tim

Dennis Muhlestein wrote:
> After using 4.1.10 for a bit, I see a few issues. I think, ok we can
> wait for a few fixes. Things worked ok though.
>
> So now I download 4.1.12. Shouldn't the server.xml file from 4.1.10 be
> pretty much compatible with 4.1.12? I tried that to start with but
> can't get the web app to recognize servlets.
>
> I then tried starting from scratch with the original 4.1.12 server.xml.
> Same problem. I can see all my jsps fine but any servlet request gives
> error 404 not found.
>
> Any suggestions? I didn't change anything but the tomcat version.
>
> Thanks
> Dennis
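
An added example, not part of the original thread: a Python check that reports whether a web.xml still maps the invoker servlet to a URL pattern such as /servlet/*. The class name org.apache.catalina.servlets.InvokerServlet is Tomcat's invoker servlet; the function names and both sample descriptors are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Tomcat's invoker servlet class; the samples below are constructed for this example.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"
SERVLET = ("<servlet><servlet-name>invoker</servlet-name>"
           f"<servlet-class>{INVOKER_CLASS}</servlet-class></servlet>")
MAPPING = ("<servlet-mapping><servlet-name>invoker</servlet-name>"
           "<url-pattern>/servlet/*</url-pattern></servlet-mapping>")
SAMPLE_COMMENTED = f"<web-app>{SERVLET}<!-- {MAPPING} --></web-app>"
SAMPLE_ENABLED = f"<web-app>{SERVLET}{MAPPING}</web-app>"


def local(tag):
    """Drop any XML namespace so DTD-based and namespaced descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def child_texts(elem, name):
    """Text of each direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]


def active_invoker_patterns(web_xml_text):
    """URL patterns mapped to the invoker servlet; commented-out XML is ignored."""
    root = ET.fromstring(web_xml_text)
    names = set()
    for e in root.iter():
        if local(e.tag) == "servlet" and INVOKER_CLASS in child_texts(e, "servlet-class"):
            names.update(child_texts(e, "servlet-name"))
    patterns = []
    for e in root.iter():
        if local(e.tag) == "servlet-mapping" and names & set(child_texts(e, "servlet-name")):
            patterns.extend(child_texts(e, "url-pattern"))
    return patterns


if __name__ == "__main__":
    for label, doc in (("commented", SAMPLE_COMMENTED), ("enabled", SAMPLE_ENABLED)):
        found = active_invoker_patterns(doc)
        print(label, "->", found if found else "invoker not mapped")
```

An empty result means no request path reaches the invoker; any returned pattern is a path under which classes can be invoked by name and is worth replacing with explicit per-servlet mappings.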
