Thanks Martin,
budi

On Mon, 4 Nov 2002, Martin Algesten wrote:

> The invoker servlet allows for anyone to call your servlets using their
> class names. This is not a problem as long as you are happy with that.
> In my case I have some internal servlets (used as a poor substitute for
> RMI) where I map the servlets to be under /internal/some.servlet and
> then protect /internal/* in my Apache web server in front of Tomcat. I
> don't use the invoker servlet since I want to declare exactly how my
> servlets are to be accessed.
>
> Martin
>
> Budi Kurniawan wrote:
>
> >Hi,
> >
> >I've browsed the user list for this question but could not find the
> >answer. Apologies if this is not the right question for this list.
> >
> >The release note in 4.1.12 says that the invoker servlet is turned off in
> >the default web.xml for security reasons. However, in the examples
> >app's web.xml the invoker is on.
> >
> >My questions are:
> >1. What security threat is that?
> >2. If it is not safe to turn it on in the default web.xml, is it safe to
> >do so in the app web.xml?
> >
> >thx,
> >budi
> >
> >--
> >To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
> >For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
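
The setup Martin describes, sketched as an application web.xml. This is an added illustration and not part of the original thread: the invoker mapping is left out and the internal servlet gets exactly one declared URL under /internal/. The servlet name, class and URL pattern are hypothetical.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Explicit declaration: the servlet is reachable only through the
       mapping below. Name and class are hypothetical. -->
  <servlet>
    <servlet-name>internalSync</servlet-name>
    <servlet-class>com.example.internal.SyncServlet</servlet-class>
  </servlet>

  <!-- Weak setting, shown commented out for comparison. Mapping the
       invoker (defined in Tomcat's conf/web.xml) makes servlet classes
       in this application callable by class name under /servlet/*.
       The internal servlet would then answer on a second URL that the
       front-end rule for /internal/* does not cover. -->
  <!--
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- Corrected setting: one declared path, placed under the prefix
       that the Apache server in front of Tomcat restricts. -->
  <servlet-mapping>
    <servlet-name>internalSync</servlet-name>
    <url-pattern>/internal/sync</url-pattern>
  </servlet-mapping>

</web-app>
```

With the invoker left unmapped, a request to /servlet/ followed by the class name should return 404, which is a quick check that the declared mappings are the only routes into the application.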