Hans - below you say:
"/servlet" default mapping has _never_ been in the spec
But the Servlets 2.1a Spec (November 1998) has the following under
"Servlet Mapping Techniques" -
----- quote -----
You can map a servlet by using the special URL /servlet/servlet_name.
For example, if you create a servlet with the name listattributes, you
can access the servlet by using the URL /servlet/listattributes.
You can invoke a servlet by its class name.
For example, if a servlet engine receives a request from the URL
/servlet/com.foo.servlet.MailServlet, the servlet engine can load the
class com.foo.servlet.MailServlet, instantiate it, cast the instance to
a servlet, and then let the servlet handle the request.
----- end quote -----
So that much was in the spec in 2.1, but it looks like it changed in
2.2, or am I misunderstanding your comment? Also it would be
interesting if you could comment on the security hole created by the
"/servlet" mapping...
-- Paul Copeland, JOT Object Technologies - http://www.jotobjects.com
----- Original Message -----
Date: Fri, 18 Oct 2002 17:49:22 -0700
From: Hans Bergsten <[EMAIL PROTECTED]>
Subject: Re: Question on documentation...
Luis A wrote:
Hans, maybe you can help me,
Is there a way to restore the unsecure mode? The students have different
Servlet names, the broadband access ones have burned CDs for the others, and
they have a deadline. I do not think I will have the time needed to read the
documentation and instruct a simple patch or mod. What do you think?
Didn't I say "see the [Tomcat 4.1.12] release notes for details"? If
you do, you find this:
Starting with Tomcat 4.1.12, the invoker servlet is no longer
available by default in all webapp. Enabling it for all webapps is
possible by editing $CATALINA_HOME/conf/web.xml to uncomment the
"/servlet/*" servlet-mapping definition.
Hans
----- Original Message -----
From: "Hans Bergsten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 18, 2002 8:33 PM
Subject: Re: Question on documentation...
Luis A wrote:
Man, you must be kidding. So the tutorial I just wrote and emailed to my 32
students will not work without the web.xml changes? Are you sure?
Yes, I'm sure. URL mapping has been in the Servlet spec since 2.0 (and
was an option in JWS before the API was formally specified, I believe),
while the "/servlet" default mapping has _never_ been in the spec (even
though most web containers have supported it for a long time). The
behavior of an "invoker" mapped to a "/servlet" URL was first identified
as a security risk back in the Servlet 2.0/2.1 days.
Hans
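An added example (not from the thread or from Tomcat itself) of the check a container admin would run after reading the 4.1.12 release notes quoted above: parse a Tomcat-style web.xml and report which URL patterns are routed to the invoker servlet, so that a "/servlet/*" mapping someone uncommented in $CATALINA_HOME/conf/web.xml is caught. It assumes the conf/web.xml layout of Tomcat 4.1 (a <servlet> named "invoker" backed by org.apache.catalina.servlets.InvokerServlet, with the mapping shipped inside an XML comment); the two web.xml fragments are constructed samples, and edu.example.HelloServlet is a hypothetical student servlet used to show the spec-defined alternative, an explicit per-servlet mapping in the webapp's own WEB-INF/web.xml.

```python
"""Audit a Tomcat-style web.xml for a globally enabled invoker servlet.

Added example, not part of the original mailing-list thread. The web.xml
fragments are constructed samples modelled on Tomcat 4.1's conf/web.xml.
"""
import xml.etree.ElementTree as ET

# Class behind the "invoker" servlet definition in Tomcat 4's conf/web.xml.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# The mapping that 4.1.12 ships commented out; uncommenting it re-enables
# "/servlet/<ClassName>" style invocation for every webapp on the server.
INVOKER_MAPPING = (
    "  <servlet-mapping>\n"
    "    <servlet-name>invoker</servlet-name>\n"
    "    <url-pattern>/servlet/*</url-pattern>\n"
    "  </servlet-mapping>\n"
)


def sample_conf_web_xml(mapping_enabled):
    """Constructed $CATALINA_HOME/conf/web.xml: the invoker <servlet> is always
    defined, the mapping is commented out unless mapping_enabled is True."""
    mapping = INVOKER_MAPPING if mapping_enabled else "  <!--\n" + INVOKER_MAPPING + "  -->\n"
    return (
        "<web-app>\n"
        "  <servlet>\n"
        "    <servlet-name>invoker</servlet-name>\n"
        "    <servlet-class>" + INVOKER_CLASS + "</servlet-class>\n"
        "    <load-on-startup>2</load-on-startup>\n"
        "  </servlet>\n"
        + mapping +
        "</web-app>\n"
    )


def sample_app_web_xml():
    """Constructed WEB-INF/web.xml for one webapp: an explicit mapping for a
    hypothetical student servlet (edu.example.HelloServlet), which is how
    the Servlet spec expects servlets to be exposed."""
    return (
        "<web-app>\n"
        "  <servlet>\n"
        "    <servlet-name>hello</servlet-name>\n"
        "    <servlet-class>edu.example.HelloServlet</servlet-class>\n"
        "  </servlet>\n"
        "  <servlet-mapping>\n"
        "    <servlet-name>hello</servlet-name>\n"
        "    <url-pattern>/hello</url-pattern>\n"
        "  </servlet-mapping>\n"
        "</web-app>\n"
    )


def servlet_mappings(web_xml_text):
    """Return [(url_pattern, servlet_class)] for every live <servlet-mapping>.

    Mappings inside XML comments never reach the parser, so only mappings
    the container would actually honour are reported. A <servlet> declared
    with <jsp-file> instead of <servlet-class> yields an empty class name.
    """
    root = ET.fromstring(web_xml_text)
    classes = {}
    for servlet in root.iter("servlet"):
        name = (servlet.findtext("servlet-name") or "").strip()
        classes[name] = (servlet.findtext("servlet-class") or "").strip()
    result = []
    for mapping in root.iter("servlet-mapping"):
        name = (mapping.findtext("servlet-name") or "").strip()
        pattern = (mapping.findtext("url-pattern") or "").strip()
        result.append((pattern, classes.get(name, "")))
    return result


def invoker_patterns(web_xml_text):
    """URL patterns routed to the InvokerServlet; an empty list means the
    invoker is not reachable through this descriptor."""
    return [p for p, cls in servlet_mappings(web_xml_text) if cls == INVOKER_CLASS]


if __name__ == "__main__":
    for label, text in (
        ("conf/web.xml as shipped", sample_conf_web_xml(False)),
        ("conf/web.xml, mapping uncommented", sample_conf_web_xml(True)),
        ("webapp WEB-INF/web.xml", sample_app_web_xml()),
    ):
        hits = invoker_patterns(text)
        print(f"{label}: invoker reachable at {hits}" if hits else f"{label}: invoker not mapped")
```

Run against a real installation, read each descriptor from disk and pass its text to invoker_patterns(); anything other than an empty list for conf/web.xml means the server-wide invoker is back on, and the fix the thread points to is to map each servlet explicitly in its webapp's WEB-INF/web.xml rather than uncommenting the "/servlet/*" line.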
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com