Hi,

>anyone can see the URL to my servlet and attempt to send it data directly.

True.

>At first I thought that this was a security problem and that I should
>obfuscate the path to the servlet somehow, but on second thought it strikes
>me that this is no different than someone seeing the path to a CGI script
>in a form either.

And that too is a security risk (seeing the path to a CGI script).

>Any advice?

If you're running in a very security-aware environment (you're starting Tomcat with the security manager, right? ;)), map all the servlets you need in web.xml. Disable the invoker servlet mapping in $CATALINA_HOME/conf/web.xml. Then all your form targets will be like /MyFormProcessingServlet, and you can put a filter in a chain prior to the form processor to validate form fields etc., and reject attacker inputs.

But if you're not so hung up about security, don't worry about it too much.

Yoav Shapira
Millennium ChemInformatics
