Hi All, First, let me say that I'm *not* requesting creative ways to get around this behavior. I'm wondering if the Servlet Spec (sec. SRV.11.1) should be refined to address this issue. I'm using Tomcat v4.0.3 on Win 2K.
Let's say I have this servlet declaration in my deployment descriptor: <servlet> <servlet-name>HelloWorld</servlet-name> <servlet-class>com.abc.def.HelloWorld</servlet-class> </servlet> What I'm finding (and I don't like) is that I can invoke this servlet either by its "servlet name" or its fully-qualified class name: URL #1: http://myHost/servlet/HelloWorld OR URL #2: http://myHost/servlet/com/abc/def/HelloWorld Each URL creates a *separate instance* of the servlet. To my way of thinking, the <servlet-name> specified in the deployment descriptor is more or less a "logical name" for the "physical servlet". By specifying this name in the deployment descriptor, I am providing a name by which this servlet is to be known to the world. This "logical name" should hide the "physical name" of the servlet. If some rogue client (somehow) happens to know the fully-qualified class name for the servlet, and invokes it using URL #2 above, this should *not* cause an extra instance of the servlet to be created. In fact, it should not even cause the servlet to be invoked. Off the top of my head, here are four reasons why the exisiting behavior seems bad: 1. It's wasteful in that it creates an unneeded servlet instance. 2. It complicates the logic of a servlet because now it must allow for additional instances created if the servlet is invoked by its fully qualified class name. 3. A security issue arises. If a user is able to successfully invoke the servlet using the fully qualified class name, it may give the user insight into the server's directory structure. 4. It prevents a unified set of URLs from being the *only* way of invoking a servlet. My general feel is that the server administrator should have complete control over the name(s) (i.e., URLs) by which a servlet is know to the world. I'm wondering if SRV.11.1 should be updated. Here's a "plain English" proposal: "If a <servlet-mapping> element(s) exists in the deployment descriptor, the servlet is accessible *only* via the specified <url-pattern> element(s) and *not* by the <servlet-name> element(s) within the <servlet> element. If *no* <servlet-mapping> element(s) is present but a <servlet> element exists, the servlet is accessible *only* via the enclosed <servlet-name> element(s). If a <servlet> element does *not* exist, then the servlet is searched for using specified URL path." Comments?? Is this a dumb idea? ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
