> -----Original Message-----
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 14, 2007 8:39 PM
> To: Tomcat Users List
> Subject: Re: Rationale for makeing Invoker harder to user
>
> http://tomcat.apache.org/faq/misc.html#evil
Keep in mind this opens with "This is opinions of the writer (YMMV)" [sic]

There are of course two sides to this. My current employer has a design where everything is invoked using the invoker servlet, and there is little hope of changing that. In fact, they exploit this as part of the application design.

] Configuration hiding - There is NO way to determine which
] servlets are used vs which are not used. In web.xml, every servlet
] is declared and mapped. In that one file you instantly have a road
] map to how the webapp works.

The configuration for this application is explicit -- it's in a database full of application and navigation tables. So while the configuration isn't explicit in web.xml, for example, the configuration is explicit in the database. No servlet class name in the database? Then it's not used.

] Back doors. Servlets which are mapped can be alternately called via
] the invoker by class name. Since the URL is different, all security
] constraints might be ignored since the URL pattern is VERY different.

Security is implemented explicitly in the servlet suite, so the mapping of a URL pattern to a security constraint is not necessary either. Many applications choose to manage their own security. Some of our customers are still using Windows 98, and IE 5 too. GASP!

Is this the ideal solution? Maybe, maybe not. It doesn't completely refute all points made in the posted link. The application design is meant for rapid deployment of lots of small changes as we are constantly scrambling to make changes for compliance with state law changes, and at the moment the invoker servlet figures heavily in that design.

] [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

One could argue that as Tomcat gets more and more mature and vetted, the odds of a security problem being present go down, and hence the risk of using the invoker servlet does as well.
I've been tempted to download 6.0 and try it out, but now knowing that the app needs to be privileged turns me off.

Tim

> -Tim
>
> Paul Mendelson wrote:
> > I recently installed Tomcat 6.0 and see that I now need to make my web
> > application privileged in order to use InvokerServlet to allow users to
> > execute arbitrary servlets. This seems to continue a trend that may
> > eventually result in Invoker being withdrawn.
> >
> > My question is why is allowing execution of arbitrary servlets so
> > discouraged. In my opinion JSPs are essentially servlets with a
> > different deployment convention and there is no prohibition on running
> > jsps without "registering them."
> >
> > I like to build web applications with hundreds of servlets and I prefer
> > not to explicitly define each one in web.xml. Is there any sanctioned
> > method of doing this in a tomcat world?
> >
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
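The two FAQ points quoted in the thread (web.xml as a road map of which servlets exist, and the invoker path sidestepping URL-pattern security constraints) are easy to check mechanically. The following script is an added example, not code from the thread or from the Tomcat project: it parses a web.xml, prints the servlet road map, and flags the invoker being mapped, servlets declared but never mapped (reachable only through the invoker), and servlets whose only protection is a constraint on their explicit URL pattern. The sample web.xml is constructed for the example; the class name `org.apache.catalina.servlets.InvokerServlet` and the `/servlet/*` pattern are Tomcat's own conventional values for the invoker. Matching constraint patterns to mapping patterns by string equality is a simplification of servlet-spec path matching.

```python
"""Audit a Tomcat web.xml for invoker-servlet exposure (added example)."""
import xml.etree.ElementTree as ET

# Tomcat's conventional class and mapping for the invoker servlet.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: invoker enabled, one mapped+protected servlet,
# one servlet declared without any mapping.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    # web.xml files come with or without a default namespace; strip it.
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _patterns(el):
    return [(c.text or "").strip() for c in el if _local(c.tag) == "url-pattern"]


def parse_web_xml(xml_text):
    """Return (servlets, protected_patterns).

    servlets: dict servlet-name -> {"class": str, "patterns": [str]}
    protected_patterns: url-patterns covered by a constraint that has an
    <auth-constraint> (i.e. actually requires a role, not just a transport).
    """
    servlets, protected = {}, []
    for el in ET.fromstring(xml_text):
        tag = _local(el.tag)
        if tag == "servlet":
            name = _child_text(el, "servlet-name")
            servlets.setdefault(name, {"class": "", "patterns": []})
            servlets[name]["class"] = _child_text(el, "servlet-class")
        elif tag == "servlet-mapping":
            name = _child_text(el, "servlet-name")
            servlets.setdefault(name, {"class": "", "patterns": []})
            servlets[name]["patterns"].extend(_patterns(el))
        elif tag == "security-constraint":
            if any(_local(c.tag) == "auth-constraint" for c in el):
                for wrc in el:
                    if _local(wrc.tag) == "web-resource-collection":
                        protected.extend(_patterns(wrc))
    return servlets, protected


def audit(xml_text):
    """Return a list of human-readable findings for the given web.xml."""
    servlets, protected = parse_web_xml(xml_text)
    findings = []
    invoker_names = [n for n, s in servlets.items()
                     if s["class"] == INVOKER_CLASS and s["patterns"]]
    # The invoker is "open" if none of its own patterns carry a constraint.
    invoker_open = any(p not in protected
                       for n in invoker_names for p in servlets[n]["patterns"])
    for name in invoker_names:
        findings.append(f"invoker servlet '{name}' mapped at {servlets[name]['patterns']}: "
                        "servlet classes are reachable by class name")
    for name, s in servlets.items():
        if s["class"] == INVOKER_CLASS:
            continue
        if not s["patterns"]:
            findings.append(f"servlet '{name}' ({s['class']}) declared but never mapped; "
                            "reachable only through the invoker")
        elif invoker_open:
            covered = [p for p in s["patterns"] if p in protected]
            if covered:
                findings.append(f"servlet '{name}' protected only at {covered}; "
                                "the invoker path is not covered by that constraint")
    return findings


if __name__ == "__main__":
    servlets, _ = parse_web_xml(SAMPLE_WEB_XML)
    for name, s in servlets.items():          # the "road map" the FAQ describes
        print(f"{name:10} {s['class']:45} {s['patterns']}")
    for f in audit(SAMPLE_WEB_XML):
        print("FINDING:", f)
```

Run against a real deployment's web.xml (and Tomcat's global conf/web.xml, where the invoker mapping normally lives), the first loop gives the explicit inventory of servlets and the findings list shows which of the FAQ's concerns apply: an unmapped-but-declared servlet is the "no way to tell what is used" case, and a constrained servlet next to an unconstrained invoker mapping is the "back door" case.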