Howdy,
Oh how I wish more people would read this, digest it, and go through it
before posting FAQs.  Great post Senor Turner (as always).

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: John Turner [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, June 24, 2003 9:37 AM
>To: Tomcat Users List
>Subject: Re: installing a servlet
>
>
>Sorry, it wasn't my intent to criticize anyone, I apologize if that was the
>way it came across.
>
>JK and JK2 work.
>
>The difference that you have encountered moving to 4.1.24 is most likely
>attributable to the Invoker servlet being disabled by default.  It is
>disabled by default for a reason: security.  Is it possible to use the
>Invoker and be relatively secure?  Yes.  The problem is that when the
>Invoker servlet is enabled, a specially crafted URL can be used to view the
>source of a JSP.  Is this bad?  In general, yes.  Yes because most
>developers are lazy, and use bad design practices such as putting
>confidential information like database URLs, usernames, and passwords into
>their JSP source, which, when the Invoker is enabled, can be viewed easily
>by anyone who reads security alerts.  If you want to take responsibility
>for guaranteeing that your JSP source has nothing in it but "display this
>over here and display that over there", then you can probably get away with
>using the Invoker and being "relatively" "safe".
>
>So, given that most new developers don't take the time to learn good
>architecture practices, and probably for other reasons of which I am
>unaware, it was decided that the Invoker should be disabled in versions of
>Tomcat later than 4.1.12.  Since the Invoker is disabled, to get servlets
>to work you are required to explicitly map them in web.xml to a specific
>URL (this is good for a number of reasons), said URL in turn being mapped
>in the properties files of the relevant connector should you choose to use
>a connector (also good, because if you have Apache there's no reason to
>make Tomcat handle requests that Apache can handle, otherwise why have
>Apache in the first place?).
>
>So, to answer your question: JK or JK2?  My preference is for JK, but that
>is because I am a dinosaur, not because JK2 doesn't work.  You should make
>the call based on your own needs and preferences.
>
>To answer your question: how do I make servlets work?  Answer: explicitly
>map them in web.xml, map them to a URL (the archives are full of examples),
>and then make sure that Apache forwards that URL or similar URLs to Tomcat
>for processing.  This forces you to make good architecture decisions...your
>servlets should be organized, etc.  Does this suck?  If you've spent a lot
>of time just writing servlets like crazy with no thought to organization,
>then it probably does suck but that isn't Tomcat's fault.
>
>If you have a servlet that isn't working, post this information to the
>list:
>
>- the name of the servlet, and where it lives under your Context's docBase
>- the servlet and servlet-mapping elements for that servlet from your
>web.xml
>- any JkMount or JkUriSet (or their equivalents) that you use with a
>connector to direct requests for the servlet in question to Tomcat, if you
>use a connector at all
>- the actual URL you are typing into the browser's address bar (or the
>value of your Form's ACTION parameter if you are having problems posting
>from a form to a servlet)
>- the error message you get or any other debugging information that proves
>to you that your servlet isn't "working"
>
>Then someone on the list will help you, typically within an hour or two, but
>there are no guarantees.
>
>John
>
>On 24 Jun 2003 15:01:58 +0200, Tony Grant <[EMAIL PROTECTED]> wrote:
>
>> On Tue, 2003-06-24 at 14:42, John Turner wrote:
>>> Downgrading and using mod_webapp is the WORST thing you could do, for
>>> all sorts of reasons.  Security, for one.  Performance, for another.
>>> Future extensibility and growth, for another.
>>
>> My question was: downgrade to mod_jk? (I have read that mod_webapp is
>> depreciated)
>>
>>> Mod_jk and mod_jk2 work.  This is a fact.
>>
>> I believe you and they do even on my server! But only for JSP and I
>> can't see what _I_ am doing wrong. So John please, all the fault is
>> mine! I took the time to learn how to install Tomcat a few years back. I
>> moved up through the versions. I documented how I got it working and
>> published my HOWTO which got 3500 hits the day it appeared in Apache
>> week (so I guess I gave a little bit back to the community...).
>>
>> What went wrong was moving up to Apache2 and Tomcat 4.1.24. I am at the
>> bottom of the learning curve again.
>>
>> Should I drop mod_jk2 and try mod_jk?
>>
>> Cheers
>>
>> Tony Grant
>
>
>
>--
>Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]




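The three checks described in the quoted message (Invoker not mapped, every servlet explicitly mapped in web.xml, each mapped URL forwarded by a JkMount) can be run as a small audit. This is an added example, not code from the thread or from the Tomcat project; the servlet names, the `/shop` context path and the `ajp13` worker are constructed sample values, and JkMount matching is approximated with shell-style globbing.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample input: a web.xml and an httpd.conf fragment.
WEB_XML = """<web-app>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>orders</servlet-name>
    <servlet-class>com.example.OrderServlet</servlet-class></servlet>
  <servlet><servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet><servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>orders</servlet-name>
    <url-pattern>/orders</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>report</servlet-name>
    <url-pattern>/report</url-pattern></servlet-mapping>
</web-app>"""
HTTPD_CONF = "JkMount /shop/orders ajp13\nJkMount /shop/*.jsp ajp13\n"

def audit(web_xml, httpd_conf, context_path):
    """Return (finding, servlet-name, url-pattern) tuples for one webapp."""
    root = ET.fromstring(web_xml)
    classes = {s.findtext("servlet-name").strip(): s.findtext("servlet-class").strip()
               for s in root.iter("servlet")}
    mappings = [(m.findtext("servlet-name").strip(), m.findtext("url-pattern").strip())
                for m in root.iter("servlet-mapping")]
    # JkMount <url-pattern> <worker>; patterns include the context path.
    mounts = re.findall(r"^\s*JkMount\s+(\S+)\s+\S+", httpd_conf, re.M)
    findings = []
    for name, pattern in mappings:
        if classes.get(name) == INVOKER_CLASS:
            # An active mapping re-enables the Invoker that 4.1.x ships disabled.
            findings.append(("invoker-enabled", name, pattern))
        elif not any(fnmatchcase(context_path + pattern, m) for m in mounts):
            # Mapped in web.xml, but Apache never forwards this URL to Tomcat.
            findings.append(("not-forwarded", name, pattern))
    mapped = {name for name, _ in mappings}
    for name, cls in classes.items():
        # Declared but unmapped servlets are only reachable through the Invoker.
        if name not in mapped and cls != INVOKER_CLASS:
            findings.append(("unmapped", name, None))
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML, HTTPD_CONF, "/shop"):
        print(finding)
```
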

