I don't know if it would work or not, but you might be able to "overwrite" the invoker servlet by mapping your own servlet there. One that would basically do nothing, except maybe return an error page or exception. Or you could probably disable the invoker in CATALINA_HOME/conf/web.xml and re-enable it in people's CATALINA_HOME/webapp/context/WEB-INF/web.xml. But I've never tried any of these.
Mike

----- Original Message -----
From: "Price, Erik" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 11:57 AM
Subject: RE: hiding servlet URLs in JSPs

> -----Original Message-----
> From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 10:49 AM
> To: Tomcat Users List
> Subject: RE: hiding servlet URLs in JSPs
>
> If you're running in a very security-aware environment (you're starting
> tomcat with the security manager, right? ;)), map all the servlets you
> need in web.xml. Disable the invoker servlet mapping in
> $CATALINA_HOME/conf/web.xml. Then all your form targets will be like
> /MyFormProcessingServlet, and you can put a filter in a chain prior to
> the form processor to validate form fields etc, and reject attacker
> inputs.

Is there a way to override the invoker servlet mapping in an individual webapp's WEB-INF/web.xml file? Even though you clearly explain in your original message that this is set in $CATALINA_HOME/conf/web.xml, I just hunted through my webapp's WEB-INF/web.xml looking for it and when I didn't find it, I discovered it's in $CATALINA_HOME/conf/web.xml, and I don't want to inconvenience other users of the system by disabling this for all webapps, if possible.

In other words, can I turn this off on a per-webapp basis, or is the only solution to have all other users add this to their individual WEB-INF/web.xml files and remove it from $CATALINA_HOME/conf/web.xml?

Thanks,

Erik

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
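For readers of the archive, here is an added illustration (not posted by anyone in this thread) of what Yoav's recommendation looks like in a webapp's own WEB-INF/web.xml: every servlet is mapped explicitly by name, a validation filter sits in the chain ahead of the form processor, and the invoker servlet is never mapped, so servlets cannot be reached through /servlet/<ClassName>. The class names com.example.web.FormValidationFilter and com.example.web.FormProcessingServlet are assumed placeholders; /MyFormProcessingServlet is the URL Yoav used in his message. The comment at the top reproduces the invoker mapping as it appears in the default $CATALINA_HOME/conf/web.xml of that era, which is the entry to remove or comment out for the global switch.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- Added example, not code from the thread.

     The invoker servlet lets a client run any servlet class on the webapp's
     classpath by URL (/servlet/fully.qualified.ClassName), bypassing whatever
     mappings and filters the application declared. Its default mapping lives
     in $CATALINA_HOME/conf/web.xml and reads:

       <servlet-mapping>
         <servlet-name>invoker</servlet-name>
         <url-pattern>/servlet/*</url-pattern>
       </servlet-mapping>

     Removing that mapping there disables the invoker for every webapp.
     This file shows the explicit-mapping style that replaces it. -->

<web-app>

  <!-- Validation filter declared first (Servlet 2.3 DTD requires filters
       and filter-mappings before servlets). Class name is assumed. -->
  <filter>
    <filter-name>FormValidationFilter</filter-name>
    <filter-class>com.example.web.FormValidationFilter</filter-class>
  </filter>

  <!-- Apply the filter only to the form processor's URL; it runs before the
       servlet sees the request and can reject malformed or hostile fields. -->
  <filter-mapping>
    <filter-name>FormValidationFilter</filter-name>
    <url-pattern>/MyFormProcessingServlet</url-pattern>
  </filter-mapping>

  <!-- Each servlet the application exposes is declared by name.
       Class name is assumed. -->
  <servlet>
    <servlet-name>MyFormProcessingServlet</servlet-name>
    <servlet-class>com.example.web.FormProcessingServlet</servlet-class>
  </servlet>

  <!-- The only URL that reaches the servlet; JSP form actions point here.
       No mapping for /servlet/* exists, so the invoker is not available
       in this webapp even if a client guesses the class name. -->
  <servlet-mapping>
    <servlet-name>MyFormProcessingServlet</servlet-name>
    <url-pattern>/MyFormProcessingServlet</url-pattern>
  </servlet-mapping>

</web-app>
```

On Erik's per-webapp question: Tomcat merges $CATALINA_HOME/conf/web.xml with the application's WEB-INF/web.xml, and the application's entries take precedence for the same url-pattern. That is the mechanism Mike's first suggestion relies on (mapping /servlet/* in the webapp to a servlet that just returns an error), which leaves the global invoker in place for everyone else; as Mike says, it is untested in this thread, so verify the behaviour on your Tomcat version before relying on it.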
