Parsons Technical Services wrote:

> Look at all your servlets and ask what can they do if you call them
> directly. Can their use be twisted?
>
> Now let your imagination flow.


Gotta agree w/ Doug. The Invoker servlet has nasty connotations. I like having it turned on, just for development, as it can sometimes be a convenience. But for any externally exposed, production system, it probably should be turned off.

Also, along those same lines... there's a train of thought
that says it's bad because having URL patterns like
/servlet/MyServlet tips off users as to what underlying
technology your application uses.  And while "security
through obscurity" is somewhat frowned upon, I agree that
there's no point giving would-be hackers any additional
info for free.

So with that in mind, you might want to consider the fact
that you can remap all your URL patterns as you see fit.
For example, you could configure Tomcat to use a .asp
extension instead of .jsp!  Yeah, it's only a minor advantage,
but think about it: if Joe Script Kiddie sees .asp or .aspx
extensions on your site, he's going to start running IIS
exploits against your site, none of which are going to work
if you're using standalone Tomcat, or Tomcat + a different HTTP server.
So maybe he gets bored and moves on to somebody else's server.

Anyway, just something to think about...

TTYL,

Phil

--
When the 1st Amendment no longer protects your voice.
And when the 4th Amendment no longer protects your privacy or your stuff.
Thank God we have the 2nd Amendment to tell our elected representatives that enough is enough.
It's time to put "... from my cold, dead hands" back where it belongs.


FREE AMERICA
Vote Libertarian
www.lp.org
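The two configuration changes discussed in the message above, written out as an added example (not from any post in the thread): first the invoker servlet's declaration and its /servlet/* mapping in Tomcat's conf/web.xml, commented out so that no servlet class can be reached by name through /servlet/ClassName; then an application's own WEB-INF/web.xml that gives each servlet an explicit, technology-neutral URL and maps the container's "jsp" servlet to *.asp as well. The servlet name "orders", the class com.example.OrdersServlet and the /orders path are placeholders; the "invoker" and "jsp" servlet names and InvokerServlet/JspServlet class names are the ones Tomcat's shipped conf/web.xml uses.

```xml
<!-- Part 1: $CATALINA_HOME/conf/web.xml (excerpt). The invoker servlet as
     shipped with Tomcat 4, wrapped in a comment so it is never registered.
     Leaving only the servlet-mapping commented out also works; removing
     both the declaration and the mapping is the cleanest. -->
<!--
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
-->

<!-- Part 2: the application's WEB-INF/web.xml (hypothetical application).
     Every servlet is mapped explicitly, so nothing depends on the invoker,
     and the URL says nothing about servlets or JSP. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <servlet>
        <servlet-name>orders</servlet-name>
        <!-- com.example.OrdersServlet is a placeholder class name -->
        <servlet-class>com.example.OrdersServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>orders</servlet-name>
        <!-- reachable as /orders instead of /servlet/com.example.OrdersServlet -->
        <url-pattern>/orders</url-pattern>
    </servlet-mapping>

    <!-- "jsp" is the name conf/web.xml gives to org.apache.jasper.servlet.JspServlet.
         Adding a second mapping makes any page named foo.asp compile and run as
         a JSP; the existing *.jsp mapping from conf/web.xml still applies unless
         you remove it there. -->
    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.asp</url-pattern>
    </servlet-mapping>
</web-app>
```

Two caveats worth keeping in mind. The extension trick only hides one fingerprint: Tomcat's default error pages and its Server response header still identify the container, so treat the remapping as a nuisance for scanners rather than a control. And the invoker is the part that actually matters: as long as it is mapped, any servlet class on the web application's classpath, including ones you never intended to expose, can be invoked by class name under /servlet/, no matter how carefully the rest of the URL space is laid out. Later Tomcat releases ship with the invoker commented out by default, and it was eventually removed altogether.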

