There isn't one, though there are a couple in the works and due soon. My point was that the topic comes up just about every day. Even without searching the list archives, being a member on the list for a day or two and reading the traffic (always a good thing to do when joining) would see this topic come up and get answered.
If the Invoker servlet is enabled, you can use a specially-crafted URL to get the source of JSP pages. Maybe in some cases this is no big deal, but in some cases it can be a huge deal, as in a scenario where someone puts usernames, passwords, and connection URLs into their JSP source. In general, any exploit that allows the viewing of source in raw form, whether or not that source has anything valuable in it, is considered a security flaw that needs to be fixed. This is true regardless of the technology used: ASP, JSP, PHP, Cold Fusion, whatever. John > -----Original Message----- > From: Steve Guo [mailto:[EMAIL PROTECTED] > Sent: Tuesday, February 25, 2003 9:56 AM > To: Tomcat Users List > Subject: RE: running servlet on Tomcat > > > > I do not fully understand why they disable the servlet > invoker by default. In general, Tomcat is used for learning > purpose. Having to modify web.xml for each webapp seems a lot of work. > You refered to FAQ, but when I tried to get it from the list > server, I got, > FAQ - Frequently asked questions of the > [EMAIL PROTECTED] > list. None available. > > Where is the FAQ? > > Thanks, Steve > > > > "Turner, John" <[EMAIL PROTECTED]> wrote: > This is a FAQ. > > By default, the Invoker servlet is disabled for everything > but the /examples > webapp for security reasons. It really shouldn't be enabled for the > /examples webapp, either, but I'm sure that's a low priority > for the dev > team. > > If you want your servlet to be available, you need to either: > > - enable the Invoker servlet (not recommended) > > - explicitly map your servlet in web.xml using servlet and > servlet-mapping > elements: > > > MyServlet > com.myApp.MyServlet > > > > MyServlet > /MyServlet > > > Check the docs, check the release notes for more info. > > John > > > -----Original Message----- > > From: Tan van Nguyen [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, February 25, 2003 5:05 AM > > To: [EMAIL PROTECTED] > > Subject: running servlet on Tomcat > > > > > > Hi, I have a problem about running servlet in Tomcat. My > > system information: > > Apache Tomcat v4.1.18 > > Java 2 SDK 1.3.1_07 > > > > The problem is that I can't run my servlet program placed in > > ROOT/WEB-INF/classes directory with the url: > > http://localhost:8080/servlet/Myprogram > > I have done everything and read a lot of documentation, but > > still the same error appear: The 404 Error:The requested > > resource (/servlet/Myprogram) is not available. > > > > But when I place my program source and class files in the > > webapps/examples/WEB-INF/classes directory, it ran properly.. > > > > It seems like something wrong with the classloader.. > > > > I really appriciate your reply! > > > > Thanks in advance! > > - Tan Nguyen - > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------- > Do you Yahoo!? > Yahoo! Tax Center - forms, calculators, tips, and more > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
