Also, if you need ".../servlet/<class>" to invoke a particular servlet, you can include a servlet mapping with "/servlet/<class>" as the <url-pattern> to emulate "invoker" for that servlet. This would avoid enabling "invoker" and exposing all servlets.
Cheers,
Larry

> -----Original Message-----
> From: Bill Barker [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 3:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: tomcat 4.0.5 not serving HTML pages
>
>
> "Mona Wong-Barnum" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > Sorry, I'm a moron, I commented out the wrong section in web.xml for the
> > vulnerability (:
> >
> > All is well, 4.0.5 is now working for me.
> >
> > With 4.0.5, does it matter if the section in web.xml about the invoker
> > is commented out or not?
>
> Disabling the Invoker provides extra security against similar exploits
> (although those would involve your classes, not Tomcat's [which are
> checked]). Of course, if you are using URLs of the form
> <http://myserver/myapp/servlet/MyServlet>, then you need the Invoker. In
> this case, you need to enable the Invoker, and make certain that none of
> your classes (not restricted to servlets) reveal information if invoked by
> http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.
>
> >
> > Cheers,
> >
> > Mona
> >
> > ==================================================================
> > Mona Wong-Barnum
> > National Center for Microscopy and Imaging Research
> > University of California, San Diego
> > http://ncmir.ucsd.edu/
> >
> > "The truth shall set you free, but first it will piss you off"
> > A Landmark instructor
> > ==================================================================
> >
> >
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-user-[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
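The per-servlet mapping Larry describes, written out as an added example that is not part of the original thread or of Tomcat's shipped configuration. It shows the Tomcat 4 global "invoker" declaration left commented out in conf/web.xml, and a webapp's WEB-INF/web.xml that maps exactly one servlet under its legacy "/servlet/<class>" URL. The servlet name, the class name edu.ucsd.mypackage.MyServlet (modelled on the URL forms quoted in the thread) and the context name "myapp" are assumptions for illustration.

```xml
<!-- $CATALINA_HOME/conf/web.xml (Tomcat 4.0.x).
     This is the section to keep commented out: it maps /servlet/* in EVERY
     webapp to the InvokerServlet, which will load and run any servlet class
     reachable on the webapp's classpath by name. -->
<!--
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
-->

<!-- webapps/myapp/WEB-INF/web.xml: emulate the invoker URL for ONE servlet.
     Servlet name, class and URLs are assumed for this example. -->
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

    <servlet>
        <servlet-name>MyServlet</servlet-name>
        <servlet-class>edu.ucsd.mypackage.MyServlet</servlet-class>
    </servlet>

    <!-- Fully-qualified form: http://myserver/myapp/servlet/edu.ucsd.mypackage.MyServlet -->
    <servlet-mapping>
        <servlet-name>MyServlet</servlet-name>
        <url-pattern>/servlet/edu.ucsd.mypackage.MyServlet</url-pattern>
    </servlet-mapping>

    <!-- Short form: http://myserver/myapp/servlet/MyServlet
         The servlet 2.3 DTD allows one url-pattern per servlet-mapping, so a
         second mapping element is needed. Add it only if clients use it. -->
    <servlet-mapping>
        <servlet-name>MyServlet</servlet-name>
        <url-pattern>/servlet/MyServlet</url-pattern>
    </servlet-mapping>

</web-app>
```

With the invoker disabled, a request such as http://myserver/myapp/servlet/edu.ucsd.mypackage.SomeOtherClass gets a 404 from the default servlet instead of causing Tomcat to load and invoke that class, while the two explicitly mapped URLs keep working. Note that an exact url-pattern only matches that path; a request for ".../servlet/MyServlet/extra" would not reach the servlet, which is intentional, since a wildcard pattern like "/servlet/*" on your own servlet would otherwise quietly recreate the catch-all behaviour you were removing. Restart Tomcat (or reload the context) after editing either file.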