Depends on your definition of "grave", I guess. It was important enough that it was changed and included in future releases.
Yes, if the Invoker servlet is disabled, you have to map your servlet in web.xml. For information, check $CATALINA_HOME/conf/web.xml, or check the archives, this is a FAQ. You'll need a <servlet> tag and a <servlet-mapping> tag for every servlet in your application if you choose not to use the Invoker servlet.

John

-----Original Message-----
From: Mark Liu [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 12:30 PM
To: Tomcat Users List
Subject: RE: A follow-up of my last post

What if I am the server administrator? In fact I am. Then I'll risk leaving a grave security hole, right?

But anyway, I would like to learn servlet mapping. Where do we have some documents about servlet mapping?

Suppose the invoker is disabled; you said that I have to map each and every servlet I have for my web application, right?

Mark

--- "Turner, John" <[EMAIL PROTECTED]> wrote:
>
> Not only is it not safe, it's not portable. If your webapp counts on this,
> but then is deployed to a machine you don't control, there is a 99.99%
> chance that server admin has the Invoker disabled and won't enable it. Then
> what will you do? Mapping your servlet in web.xml will work all the time,
> everywhere.
>
> John
>
> -----Original Message-----
> From: Mark Liu [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 25, 2003 11:29 PM
> To: Tomcat Users List
> Subject: RE: A follow-up of my last post
>
> I put the following segment of code in my x509 web.xml:
>
>   <servlet-mapping>
>     <servlet-name>invoker</servlet-name>
>     <url-pattern>/servlet/*</url-pattern>
>   </servlet-mapping>
>
> And then it starts to work. But you said that this is not safe, right?
>
> --- "Turner, John" <[EMAIL PROTECTED]> wrote:
> >
> > That's why it isn't working.
> >
> > As I said, the Invoker servlet is disabled by default in recent versions of
> > 4.1.x due to security reasons. It is enabled in the /examples application.
> >
> > You can:
> >
> > 1) map your servlet(s) in your application's web.xml file and leave the
> >    Invoker servlet disabled
> >
> > OR
> >
> > 2) leave your web.xml alone and enable the Invoker servlet.
> >
> > If you choose #2, and you're going into production, you should understand
> > the security issues before you go live. If your web application may be
> > deployed on a server that you don't control, you should choose #1, since
> > that will work all the time.
> >
> > John
> >
> > -----Original Message-----
> > From: Mark Liu [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, January 25, 2003 12:44 PM
> > To: Tomcat Users List
> > Subject: RE: A follow-up of my last post
> >
> > Virtually, I don't have anything for my /x509 web.xml.
> >
> > Here is my /x509 web.xml:
> >
> > **** beginning of x509 web.xml *****
> >
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> >   <display-name>X509 Project</display-name>
> >   <description>
> >     X509 Public Key Certificate Authentication
> >   </description>
> > </web-app>
> >
> > **** end of x509 web.xml *****
> >
> > I remember in earlier versions of Tomcat, any web application should
> > work just fine with a primitive web.xml like so:
> >
> > *** beginning of a primitive web.xml ****
> >
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > </web-app>
> >
> > *** end of a primitive web.xml ****
> >
> > Is the servlet mapping a new Tomcat rule? Is there any way I can have my
> > web application work without mapping each servlet?
> >
> > Thanks.
> >
> > Mark
> >
> > --- "Turner, John" <[EMAIL PROTECTED]> wrote:
> > >
> > > Do you have a mapping for the servlet(s) in your application's web.xml
> > > file?
> > >
> > > The Invoker servlet is disabled by default in recent versions of 4.1.x
> > > for security reasons, but it is enabled in the /examples web.xml.
> > >
> > > John
> > >
> > > -----Original Message-----
> > > From: Mark Liu [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, January 25, 2003 3:09 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: A follow-up of my last post
> > >
> > > Also please note that I have changed Marty Hall's ServletUtilities.java
> > > and ShowParameters.java according to my system.
> > >
> > > For example, I commented out the package line.
> > >
> > > Anyway, as I said in the last post, the servlet works great if I put it
> > > under Tomcat's examples application.
> > >
> > > It just does not work under my newly-created x509 application.
> > >
> > > I don't understand this.
> > >
> > > Please kindly help.
> > >
> > > Thanks.
> > >
> > > Mark.

=== message truncated ===
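Added example, not part of the original thread: a web.xml for the x509 application that maps one servlet explicitly instead of enabling the wildcard invoker mapping quoted above. The servlet name, the class name ShowParameters in the default package (the thread says the package line was commented out), the URL pattern and the /x509 context path are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>X509 Project</display-name>
  <description>
    X509 Public Key Certificate Authentication
  </description>

  <!-- The 2.3 DTD fixes element order: every <servlet> element must
       come before the first <servlet-mapping> element. -->

  <!-- One <servlet> entry per servlet class the application exposes.
       Name and class are assumptions made for this example. -->
  <servlet>
    <servlet-name>ShowParameters</servlet-name>
    <servlet-class>ShowParameters</servlet-class>
  </servlet>

  <!-- Exact-match pattern: only this one declared servlet is reachable,
       at /x509/servlet/ShowParameters (assumed context path /x509). -->
  <servlet-mapping>
    <servlet-name>ShowParameters</servlet-name>
    <url-pattern>/servlet/ShowParameters</url-pattern>
  </servlet-mapping>

  <!-- Deliberately left out: the wildcard mapping from the thread.
       It hands every /servlet/* request to the invoker, which picks the
       servlet class from the URL rather than from this file.
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>
```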
