> -----Original Message-----
> From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 10:49 AM
> To: Tomcat Users List
> Subject: RE: hiding servlet URLs in JSPs
>
> If you're running in a very security-aware environment
> (you're starting
> tomcat with the security manager, right? ;)), map all the servlets you
> need in web.xml. Disable the invoker servlet mapping in
> $CATALINA_HOME/conf/web.xml. Then all your form targets will be like
> /MyFormProcessingServlet, and you can put a filter in a chain prior to
> the form processor to validate form fields etc, and reject attacker
> inputs.

Is there a way to override the invoker servlet mapping in an individual webapp's WEB-INF/web.xml file?

Even though you clearly explain in your original message that this is set in $CATALINA_HOME/conf/web.xml, I just hunted through my webapp's WEB-INF/web.xml looking for it and when I didn't find it, I discovered it's in $CATALINA_HOME/conf/web.xml, and I don't want to inconvenience other users of the system by disabling this for all webapps, if possible.

In other words, can I turn this off on a per-webapp basis, or is the only solution to have all other users add this to their individual WEB-INF/web.xml files and remove it from $CATALINA_HOME/conf/web.xml?

Thanks,
Erik
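
The setup described in the quoted advice, written out as a webapp's WEB-INF/web.xml. This is an added example, not part of the original thread; the filter name and the com.example class names are assumptions, and it assumes a Servlet 2.3 container.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!--
  WEB-INF/web.xml for a single webapp (constructed example).
  Assumes the servlet-mapping for the servlet named "invoker"
  (url-pattern /servlet/*) in $CATALINA_HOME/conf/web.xml has been
  commented out, as the quoted advice says.
-->
<web-app>

  <!-- Hypothetical validation filter. It is declared before the servlet
       because the 2.3 DTD requires filter elements to come first. -->
  <filter>
    <filter-name>FormValidationFilter</filter-name>
    <filter-class>com.example.FormValidationFilter</filter-class>
  </filter>

  <!-- Bind the filter to the same URL as the form processor, so every
       request is checked (and rejected if invalid) before the servlet
       sees it. -->
  <filter-mapping>
    <filter-name>FormValidationFilter</filter-name>
    <url-pattern>/MyFormProcessingServlet</url-pattern>
  </filter-mapping>

  <!-- Explicit servlet declaration; the class name is hypothetical. -->
  <servlet>
    <servlet-name>MyFormProcessingServlet</servlet-name>
    <servlet-class>com.example.MyFormProcessingServlet</servlet-class>
  </servlet>

  <!-- With the invoker mapping gone, this is the only URL that reaches
       the servlet, and it is the URL the filter covers. Forms post to
       /MyFormProcessingServlet relative to the context path. -->
  <servlet-mapping>
    <servlet-name>MyFormProcessingServlet</servlet-name>
    <url-pattern>/MyFormProcessingServlet</url-pattern>
  </servlet-mapping>

</web-app>
```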
