OK, thanks, I'll just try to follow the examples
applications' web.xml and give it a shot.

Mark

--- "Turner, John" <[EMAIL PROTECTED]> wrote:
> 
> Depends on your definition of "grave", I guess.  It was important enough
> that it was changed and included in future releases.
> 
> Yes, if the Invoker servlet is disabled, you have to map your servlet in
> web.xml.
> 
> For information, check $CATALINA_HOME/conf/web.xml, or check the archives,
> this is a FAQ.  You'll need a <servlet> tag and a <servlet-mapping> tag for
> every servlet in your application if you choose not to use the Invoker
> servlet.
> 
> John
> 
> -----Original Message-----
> From: Mark Liu [mailto:[EMAIL PROTECTED]] 
> Sent: Sunday, January 26, 2003 12:30 PM
> To: Tomcat Users List
> Subject: RE: A follow-up of my last post
> 
> 
> What if I am the server administrator?  In fact I am.
> Then I'll risk leaving a grave security hole, right?
> 
> But anyway, I would like to learn servlet mapping.
> Where do we have some documents about servlet mapping?
> 
> Suppose the invoker is disabled, you said that I have to
> map each and every servlet I have for my web application, right?
> 
> Mark
> 
> --- "Turner, John" <[EMAIL PROTECTED]> wrote:
> > 
> > Not only is it not safe, it's not portable.  If your webapp counts on this,
> > but then is deployed to a machine you don't control, there is a 99.99%
> > chance that server admin has the Invoker disabled and won't enable it.  Then
> > what will you do?  Mapping your servlet in web.xml will work all the time,
> > everywhere.
> > 
> > John
> > 
> > -----Original Message-----
> > From: Mark Liu [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, January 25, 2003 11:29 PM
> > To: Tomcat Users List
> > Subject: RE: A follow-up of my last post
> > 
> > 
> > I put the following segment of code in my x509
> > web.xml:
> > 
> >     <servlet-mapping>
> >         <servlet-name>invoker</servlet-name>
> >         <url-pattern>/servlet/*</url-pattern>
> >     </servlet-mapping>
> > 
> > And then it starts to work.  But you said that this is
> > not safe, right?
> > 
> > 
> > 
> > --- "Turner, John" <[EMAIL PROTECTED]> wrote:
> > > 
> > > That's why it isn't working.
> > > 
> > > As I said, the Invoker servlet is disabled by default in recent versions of
> > > 4.1.x due to security reasons.  It is enabled in the /examples
> > > application.
> > > 
> > > You can:
> > > 
> > > 1) map your servlet(s) in your application's web.xml file and leave the
> > > Invoker servlet disabled
> > > 
> > > OR
> > > 
> > > 2) leave your web.xml alone and enable the Invoker servlet.
> > > 
> > > If you choose #2, and you're going into production, you should understand
> > > the security issues before you go live.  If your web application may
> > > be deployed on a server that you don't control, you should choose #1, since
> > > that will work all the time.
> > > 
> > > John
> > > 
> > > -----Original Message-----
> > > From: Mark Liu [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, January 25, 2003 12:44 PM
> > > To: Tomcat Users List
> > > Subject: RE: A follow-up of my last post
> > > 
> > > 
> > > Virtually, I don't have anything for my /x509 web.xml.
> > > 
> > > Here is my /x509 web.xml:
> > > 
> > > **** beginning of x509 web.xml *****
> > > 
> > > <?xml version="1.0" encoding="ISO-8859-1"?>
> > > 
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > > 
> > > <web-app>
> > >   <display-name>X509 Project</display-name>
> > >   <description>
> > >      X509 Public Key Certificate Authentication
> > >   </description>
> > > </web-app>
> > > 
> > > **** end of x509 web.xml *****
> > > 
> > > I remember in earlier versions of Tomcat, any web application should
> > > work just fine with a primitive web.xml like so:
> > > 
> > > *** beginning of a primitive web.xml ****
> > > 
> > > <?xml version="1.0" encoding="ISO-8859-1"?>
> > > 
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > > 
> > > <web-app>
> > > </web-app>
> > > 
> > > *** end of a primitive web.xml ****
> > > 
> > > Is the servlet mapping a new Tomcat rule?  Is there
> > > any way I can have my web application work without
> > > mapping each servlet?
> > > 
> > > Thanks.
> > > 
> > > Mark
> > > 
> > > --- "Turner, John" <[EMAIL PROTECTED]> wrote:
> > > > 
> > > > Do you have a mapping for the servlet(s) in your application's web.xml
> > > > file?
> > > > 
> > > > The Invoker servlet is disabled by default in recent versions of 4.1.x for
> > > > security reasons, but it is enabled in the /examples web.xml.
> > > > 
> > > > John
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Mark Liu [mailto:[EMAIL PROTECTED]]
> > > > Sent: Saturday, January 25, 2003 3:09 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: A follow-up of my last post
> > > > 
> > > > 
> > > > Also please note that I have changed Marty Hall's
> > > > ServletUtilities.java and ShowParameters.java according to my system.
> > > > 
> 
=== message truncated ===
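
Added example, not part of the original thread: the /x509 web.xml quoted above with explicit <servlet> and <servlet-mapping> entries in place of the invoker mapping. The servlet names, class names (coreservlets.ShowParameters, x509.CertInfo) and URL patterns are assumptions for illustration; substitute the application's own.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>X509 Project</display-name>
  <description>
     X509 Public Key Certificate Authentication
  </description>

  <!-- One <servlet> element per servlet. The 2.3 DTD requires every
       <servlet> element to appear before the first <servlet-mapping>.
       Class names here are assumed, not taken from the thread. -->
  <servlet>
    <servlet-name>ShowParameters</servlet-name>
    <servlet-class>coreservlets.ShowParameters</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>CertInfo</servlet-name>
    <servlet-class>x509.CertInfo</servlet-class>
  </servlet>

  <!-- One <servlet-mapping> per servlet. Only the URL patterns listed
       here reach a servlet in this application. -->
  <servlet-mapping>
    <servlet-name>ShowParameters</servlet-name>
    <url-pattern>/ShowParameters</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>CertInfo</servlet-name>
    <url-pattern>/certinfo</url-pattern>
  </servlet-mapping>

  <!-- Deliberately absent: the invoker mapping quoted earlier in the
       thread (servlet-name "invoker", url-pattern /servlet/*). With it,
       servlet classes are reachable by class name under /servlet/,
       whether or not they are declared above. -->
</web-app>
```

With the invoker left disabled, these servlets answer at /x509/ShowParameters and /x509/certinfo, and the same web.xml works unchanged on a server whose administrator has not enabled the Invoker.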

