Wednesday, November 11, 2009

Enabling invoker servlet in apache tomcat 6.0.x

The invoker servlet is disabled in conf/web.xml in recent Apache Tomcat 6.0 releases. Using it is not advisable, for the following reasons:

1. Security risk.

2. Configuration hiding - There is NO way to determine which servlets are used and which are not. In web.xml, every servlet is declared and mapped, so that one file is an instant road map to how the webapp works.

3. Back doors. Servlets that are mapped can alternatively be called through the invoker by class name. Because that URL is VERY different from the mapped one, security constraints written for the mapped URL pattern may not apply to it at all.

4. Back doors. Bad programmers make it easier to do bad things.

5. Back doors. It is common to keep shared 3rd-party jars in a shared area. If such a jar contains servlets and one of those servlets has a hole in it, bad things happen.

Configuration hiding - it's important enough to say twice. Explicit declaration, while a PITA, is more helpful in the maintenance of your webapp.

To enable it for quick testing:

Step-1: In conf/web.xml under the Tomcat home directory, uncomment the invoker servlet definition (the <servlet> element).

Step-2: In the same conf/web.xml, uncomment the invoker servlet mapping (the <servlet-mapping> element).

Step-3: In conf/context.xml under the Tomcat home directory, change the parent <Context> element to:
<Context privileged="true" reloadable="true">
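As an added example (not from the original post), the following Python script audits a web.xml for reason 3 above: it reports whether the invoker servlet is mapped and lists servlets whose normal URL is covered by a security constraint but whose invoker alias (servlet name or class name under the invoker's path) is not. The sample web.xml, the com.example.AdminServlet class and the /admin/* constraint are constructed for the example; org.apache.catalina.servlets.InvokerServlet is Tomcat's actual invoker class.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"  # Tomcat's invoker class
# Constructed sample web.xml: invoker enabled, /admin/* protected by a constraint.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>admin</servlet-name>
    <url-pattern>/admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _text(el, tag):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else ""

def audit_web_xml(xml_text):
    """Report whether the invoker is mapped and which protected servlets it bypasses."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the XML namespace Tomcat's web.xml declares
        el.tag = el.tag.split("}", 1)[-1]
    servlets = {_text(s, "servlet-name"): _text(s, "servlet-class")
                for s in root.findall("servlet")}
    mappings = {}  # servlet-name -> declared url-patterns
    for m in root.findall("servlet-mapping"):
        mappings.setdefault(_text(m, "servlet-name"), []).append(_text(m, "url-pattern"))
    constrained = [p.text.strip() for sc in root.findall("security-constraint")
                   for p in sc.iter("url-pattern") if p.text]
    covered = lambda url: any(fnmatchcase(url, pat) for pat in constrained)
    invoker_paths = [p for n, cls in servlets.items() if cls == INVOKER_CLASS
                     for p in mappings.get(n, [])]
    backdoors = []
    for name, cls in servlets.items():
        # Only servlets whose declared URL is constrained can be "bypassed" via the invoker.
        if cls == INVOKER_CLASS or not any(covered(p) for p in mappings.get(name, [])):
            continue
        for base in invoker_paths:
            prefix = base[:-1] if base.endswith("*") else base.rstrip("/") + "/"
            backdoors += [prefix + alias for alias in (name, cls)
                          if not covered(prefix + alias)]
    return {"invoker_enabled": bool(invoker_paths),
            "invoker_paths": invoker_paths, "backdoors": backdoors}
```

Running audit_web_xml(SAMPLE_WEB_XML) reports the invoker mapped at /servlet/* and two unconstrained back-door URLs, /servlet/admin and /servlet/com.example.AdminServlet, while the declared /admin/* path stays protected.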

Reference:
Tomcat invoker servlet evil faqs

3 comments:

diƤt pillen said...

Apache Tomcat is the official Reference Implementation (RI) for Java Servlets and JavaServer Pages (JSP). Tomcat is an open-source project, under the "Apache Software Foundation" (which also provides the famous open-source industrial-strength Apache HTTP Server). The mother site for Tomcat is tomcat.apache.org. Alternatively, you can go to the Apache mother site at www.apache.org and look under the project "Tomcat".

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as newer ones; you have a lot more creativity and originality now. Keep it up!

Anonymous said...

Just wanted to say hello someplace. Found you guys through google (http://www.google.com/ncr). Hope to contribute more soon!
-OrdereZemi