Bill Barker wrote:
> "Mona Wong-Barnum" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
>>Sorry, I'm a moron, I commented out the wrong section in web.xml for the
>>vulnerability (:
>>
>>All is well, 4.0.5 is now working for me.
>>
>>With 4.0.5, does it matter if the section in web.xml about the invoker
>>is commented out or not?
>
>
> Disabling the Invoker provides extra security against similar exploits
> (although those would involve your classes, not Tomcat's [which are
> checked]). Of course, if you are using URLs of the form
> <http://myserver/myapp/servlet/MyServlet>, then you need the Invoker. In
> this case, you need to enable the Invoker, and make certain that none of
> your classes (not restricted to servlets) reveal information if invoked by
> http://myserver/myapp/servlet/edu.ucsd.mypackage.myclass.
Yes, the idea is that if you have a /foo/* URL mapping handled by a servlet, and a security constraint mapped to it, then you might have used /servlet/<servlet_class>/* to get around the security constraint. Of course, that's a rare case, but that's why the invoker is now disabled by default.

Also, you can enable the invoker servlet in a particular webapp without enabling it in all webapps. See the examples webapp web.xml for the mapping to use.

Remy

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
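The arrangement Remy describes, as an added illustration for this thread (not from the original posts and not a file shipped with Tomcat): a per-webapp web.xml that protects /foo/* with a security constraint and keeps the invoker mapping commented out, with the constraint also covering /servlet/* for the case where the invoker has to stay on. The servlet class, role name and realm name are made up.

```xml
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added illustration for this thread, not Tomcat's own web.xml.
     ReportServlet, the "admin" role and the realm name are made up. -->
<web-app>
  <servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>edu.ucsd.mypackage.ReportServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>report</servlet-name>
    <url-pattern>/foo/*</url-pattern>
  </servlet-mapping>

  <!-- Per-webapp invoker, left commented out (disabled by default, as the
       thread notes). While it is mapped, /servlet/edu.ucsd.mypackage.ReportServlet
       reaches the same class as /foo/*, so a constraint on /foo/* alone is
       not enough. Uncommenting this enables the invoker for this webapp only.
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/foo/*</url-pattern>
      <!-- Covers the invoker path as well, so that if the block above is
           ever re-enabled, both routes to the class require the role. -->
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The constraint only guards URL patterns; as Bill notes, any class reachable through the invoker should still be reviewed so it reveals nothing when called directly.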