Wednesday, November 11, 2009

Enabling invoker servlet in apache tomcat 6.0.x

The invoker servlet is disabled in web.xml of the latest Apache Tomcat 6.0 versions. It is not advisable to use it, for the following reasons:

1. Security risk.

2. Configuration hiding - With the invoker there is NO way to determine which servlets are used and which are not. In web.xml, every servlet is declared and mapped, so that one file is an instant road map to how the webapp works.

3. Back doors. Servlets which are mapped can alternatively be called through the invoker by class name. Because that URL differs from the declared mapping, security constraints written against the declared URL pattern may not apply to the invoker path at all.

4. Back doors. Bad programmers make it easier to do bad things.

5. Back doors. It is common to put shared 3rd party jars in a shared library area. If such a jar contains servlets and one of those servlets has a hole in it, the invoker exposes that hole in every webapp that sees the jar.

6. Configuration hiding - it's important enough to say twice. Explicit declaration, while a PITA, will be far more helpful when maintaining your webapp.


To enable it for quick testing:

Step-1: In the Tomcat home directory, open conf/web.xml and uncomment the invoker servlet definition.

Step-2: In the same conf/web.xml, uncomment the invoker servlet mapping.

Step-3: In the Tomcat home directory, open conf/context.xml and change the parent Context element to:
<Context privileged="true" reloadable="true">
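Because the steps above are meant for quick testing only, it is worth having a check that confirms the invoker is back in its disabled state afterwards. The script below is an added example, not part of the original post or of Tomcat itself: it strips XML comments from a web.xml and reports whether the invoker servlet definition and mapping are live, and separately whether context.xml carries privileged="true". It assumes the stock Tomcat 6 layout, where the invoker is declared with servlet-class org.apache.catalina.servlets.InvokerServlet and mapped to /servlet/*, both commented out by default; the sample files it writes are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit Tomcat 6 config files for
# an active invoker servlet. Assumes the stock conf/web.xml layout, where the
# invoker uses servlet-class org.apache.catalina.servlets.InvokerServlet and
# the url-pattern /servlet/*, both shipped inside <!-- ... --> comments.

# Remove XML comments (including multi-line ones) so that commented-out
# declarations are not mistaken for live ones.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Print "enabled" when both the invoker servlet-class and its /servlet/*
# mapping survive comment stripping, otherwise "disabled".
invoker_status() {
    stripped=$(strip_xml_comments "$1")
    if printf '%s\n' "$stripped" | grep -q 'org.apache.catalina.servlets.InvokerServlet' &&
       printf '%s\n' "$stripped" | grep -q '<url-pattern>/servlet/\*</url-pattern>'; then
        echo enabled
    else
        echo disabled
    fi
}

# Print "privileged" when the live Context element carries privileged="true"
# (the setting Step-3 above turns on), otherwise "unprivileged".
context_status() {
    if strip_xml_comments "$1" | grep -q '<Context[^>]*privileged="true"'; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Constructed sample files standing in for conf/web.xml and conf/context.xml.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOCK_WEBXML="$WORK/web-stock.xml"
ENABLED_WEBXML="$WORK/web-enabled.xml"
STOCK_CONTEXT="$WORK/context-stock.xml"
TEST_CONTEXT="$WORK/context-test.xml"

cat > "$STOCK_WEBXML" <<'EOF'
<web-app>
  <!-- invoker shipped disabled (constructed sample)
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>
          org.apache.catalina.servlets.InvokerServlet
        </servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
  -->
  <!--
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
  -->
</web-app>
EOF

# Same content with both comment wrappers removed, as after Step-1 and Step-2.
sed -e '/^  <!--/d' -e '/^  -->/d' "$STOCK_WEBXML" > "$ENABLED_WEBXML"

printf '<Context>\n</Context>\n' > "$STOCK_CONTEXT"
printf '<Context privileged="true" reloadable="true">\n</Context>\n' > "$TEST_CONTEXT"

printf 'stock web.xml:    %s\n' "$(invoker_status "$STOCK_WEBXML")"
printf 'edited web.xml:   %s\n' "$(invoker_status "$ENABLED_WEBXML")"
printf 'stock context:    %s\n' "$(context_status "$STOCK_CONTEXT")"
printf 'edited context:   %s\n' "$(context_status "$TEST_CONTEXT")"
```

Pointing invoker_status and context_status at the real conf/web.xml and conf/context.xml under the Tomcat home directory gives a one-line answer to "did I undo the test setup"; any result other than disabled and unprivileged means one of the three steps is still in effect.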

Reference:
Tomcat invoker servlet evil faqs