Posted to users@tomcat.apache.org by Paul Mendelson <pm...@trueoutcomes.net> on 2007/03/14 23:19:40 UTC

Rationale for making Invoker harder to use

I recently installed Tomcat 6.0 and see that I now need to make my web 
application privileged in order to use InvokerServlet to allow users to 
execute arbitrary servlets.  This seems to continue a trend that may 
eventually result in Invoker being withdrawn.

My question is why allowing execution of arbitrary servlets is so 
discouraged.  In my opinion JSPs are essentially servlets with a 
different deployment convention and there is no prohibition on running 
JSPs without "registering them."

I like to build web applications with hundreds of servlets and I prefer 
not to explicitly define each one in web.xml.  Is there any sanctioned 
method of doing this in a tomcat world?

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Rationale for making Invoker harder to use

Posted by Peter Kennard <pe...@livingwork.com>.
At 20:38 3/14/2007, you wrote:
>http://tomcat.apache.org/faq/misc.html#evil
>
>-Tim

All very good points, especially since it will load classes outside 
the webapps sandbox. Definitely evil.

What I would probably do in the large # of servlets situation for a 
single webapp during development is generate the web.xml file as part 
of the build process and have the build scan the proper source 
directory and create it dynamically before deployment.

Alas, hard to do in ant without scripts, but it would make development easier.
PK


>Paul Mendelson wrote:
>>I recently installed Tomcat 6.0 and see that I now need to make my 
>>web application privileged in order to use InvokerServlet to allow 
>>users to execute arbitrary servlets.  This seems to continue a 
>>trend that may eventually result in Invoker being withdrawn.
>>My question is why allowing execution of arbitrary servlets is so 
>>discouraged.  In my opinion JSPs are essentially servlets with a 
>>different deployment convention and there is no prohibition on 
>>running JSPs without "registering them."
>>I like to build web applications with hundreds of servlets and I 
>>prefer not to explicitly define each one in web.xml.  Is there any 
>>sanctioned method of doing this in a tomcat world?
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
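Peter's build-time idea, written out as an added example (not code from this thread or from Tomcat): a Python build step that scans a source tree for HttpServlet subclasses, emits an explicit <servlet>/<servlet-mapping> pair for each one under a single URL prefix, and adds one <security-constraint> on that prefix, so every generated URL is covered by container security instead of being reachable by class name through the invoker. The prefix /servlet, the role app-user and the sample source files are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path
from xml.sax.saxutils import escape

SERVLET_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+HttpServlet\b")  # "class Foo extends HttpServlet"
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)

def find_servlets(src_root):
    """Fully qualified names of HttpServlet subclasses under src_root, in path order."""
    found = []
    for java in sorted(Path(src_root).rglob("*.java")):
        text = java.read_text(encoding="utf-8")
        match = SERVLET_RE.search(text)
        if match:
            pkg = PACKAGE_RE.search(text)
            found.append(f"{pkg.group(1)}.{match.group(1)}" if pkg else match.group(1))
    return found

def render_web_xml(classes, prefix="/servlet", role="app-user"):
    """Explicit mappings under one prefix, plus one security-constraint covering them all."""
    names = [fqcn.rsplit(".", 1)[-1] for fqcn in classes]
    if len(set(names)) != len(names):  # same simple name in two packages: refuse, don't guess
        raise ValueError("duplicate servlet URL among: " + ", ".join(classes))
    out = ['<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">']
    for fqcn, name in zip(classes, names):
        out += [f"  <servlet><servlet-name>{escape(fqcn)}</servlet-name>",
                f"    <servlet-class>{escape(fqcn)}</servlet-class></servlet>",
                f"  <servlet-mapping><servlet-name>{escape(fqcn)}</servlet-name>",
                f"    <url-pattern>{prefix}/{escape(name)}</url-pattern></servlet-mapping>"]
    out += ["  <security-constraint><web-resource-collection>",
            "    <web-resource-name>generated</web-resource-name>",
            f"    <url-pattern>{prefix}/*</url-pattern></web-resource-collection>",
            f"    <auth-constraint><role-name>{escape(role)}</role-name></auth-constraint>",
            "  </security-constraint>", "</web-app>"]
    return "\n".join(out) + "\n"

def write_sample_tree(root=None):
    """Constructed sample sources (not a real project) so the script runs stand-alone."""
    root = Path(root or tempfile.mkdtemp())
    samples = {"app/Hello.java": "package app;\npublic class Hello extends HttpServlet {}\n",
               "app/Util.java": "package app;\npublic class Util {}\n",
               "app/admin/Report.java": "package app.admin;\nclass Report extends HttpServlet {}\n"}
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(render_web_xml(find_servlets(write_sample_tree())))
```

Because the servlet-name is the fully qualified class name and the URL is the simple name, two servlets with the same simple name in different packages are rejected rather than silently mapped onto one URL.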





Re: Rationale for making Invoker harder to use

Posted by Paul Mendelson <pm...@trueoutcomes.net>.
Tim Funk wrote:
> http://tomcat.apache.org/faq/misc.html#evil
>
> -Tim
>
> Paul Mendelson wrote:
>> I recently installed Tomcat 6.0 and see that I now need to make my 
>> web application privileged in order to use InvokerServlet to allow 
>> users to execute arbitrary servlets.  This seems to continue a trend 
>> that may eventually result in Invoker being withdrawn.
>>
>> My question is why allowing execution of arbitrary servlets is so 
>> discouraged.  In my opinion JSPs are essentially servlets with a 
>> different deployment convention and there is no prohibition on running 
>> JSPs without "registering them."
>>
>> I like to build web applications with hundreds of servlets and I 
>> prefer not to explicitly define each one in web.xml.  Is there any 
>> sanctioned method of doing this in a tomcat world?
>>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
I have seen this rationale before but have not found it very satisfying:

1.  No one is suggesting putting this sort of limitation on JSPs even 
though they are not explicitly declared.
2.  If random servlets in random places is a great concern, why can't we 
add some qualifiers to the invoker's classpath?
3.  I find the security concern of mapping /xxx/* to invoker overrated.  
Can't I put a security constraint on /xxx/* if I want to?
4.  I realize that a servlet that is mapped can also be loaded by 
invoker.  I don't know why a developer would consciously map invoker and also 
map the servlet that they knew was mapped by invoker.  Unless the 
developer in that case was not concerned about 2 copies of 1 servlet 
running.

I don't expect tomcat to change its policy but I'm wondering what sort 
of design patterns are being used by developers who don't want to deploy 
JSPs or JSFs and who don't want to explicitly map each user addressable 
bit of functionality in web.xml.

I'm hoping to find a replacement design pattern before tomcat retires 
Invoker altogether.



RE: Rationale for making Invoker harder to use

Posted by Tim Lucia <ti...@yahoo.com>.
> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org]
> Sent: Wednesday, March 14, 2007 8:39 PM
> To: Tomcat Users List
> Subject: Re: Rationale for making Invoker harder to use
> 
> http://tomcat.apache.org/faq/misc.html#evil

Keep in mind this opens with "This is opinions of the writer (YMMV)" [sic]
There are of course two sides to this.  My current employer has a design
where everything is invoked using the invoker servlet, and there is little
hope of changing that.  In fact, they exploit this as part of the
application design.

] Configuration hiding - There is NO way to determine which 
] servlets are used vs which are not used. In web.xml, every servlet 
] is declared and mapped. In that one file you instantly have a road
] map to how the webapp works.

The configuration for this application is explicit -- it's in a database
full of application and navigation tables.  So while the configuration isn't
explicit in web.xml, for example, the configuration is explicit in the
database.  No servlet class name in the database?  Then it's not used.

] Back doors. Servlets which are mapped can be alternately called via 
] the invoker by class name. Since the URL is different, all security
] constraints might be ignored since the URL pattern is VERY different.

Security is implemented explicitly in the servlet suite, so the mapping of a
url pattern to a security constraint is not necessary either.  Many
applications choose to manage their own security.

Some of our customers are still using Windows 98, and IE 5 too.  GASP!

Is this the ideal solution?  Maybe, maybe not.  It doesn't completely refute
all points made in the posted link.  The application design is meant for
rapid deployment of lots of small changes as we are constantly scrambling to
make changes for compliance with state law changes, and at the moment the
invoker servlet figures heavily in that design.

] [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

One could argue that as Tomcat gets more and more mature and vetted, the
odds of a security problem being present go down, and hence the risk of
using the invoker servlet does as well.

I've been tempted to download 6.0 and try it out, but now knowing that the
app needs to be privileged turns me off.

Tim

> -Tim
> 
> Paul Mendelson wrote:
> > I recently installed Tomcat 6.0 and see that I now need to make my web
> > application privileged in order to use InvokerServlet to allow users to
> > execute arbitrary servlets.  This seems to continue a trend that may
> > eventually result in Invoker being withdrawn.
> >
> > My question is why allowing execution of arbitrary servlets is so
> > discouraged.  In my opinion JSPs are essentially servlets with a
> > different deployment convention and there is no prohibition on running
> > JSPs without "registering them."
> >
> > I like to build web applications with hundreds of servlets and I prefer
> > not to explicitly define each one in web.xml.  Is there any sanctioned
> > method of doing this in a tomcat world?
> >
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org






Re: Rationale for making Invoker harder to use

Posted by Tim Funk <fu...@joedog.org>.
http://tomcat.apache.org/faq/misc.html#evil

-Tim

Paul Mendelson wrote:
> I recently installed Tomcat 6.0 and see that I now need to make my web 
> application privileged in order to use InvokerServlet to allow users to 
> execute arbitrary servlets.  This seems to continue a trend that may 
> eventually result in Invoker being withdrawn.
> 
> My question is why allowing execution of arbitrary servlets is so 
> discouraged.  In my opinion JSPs are essentially servlets with a 
> different deployment convention and there is no prohibition on running 
> JSPs without "registering them."
> 
> I like to build web applications with hundreds of servlets and I prefer 
> not to explicitly define each one in web.xml.  Is there any sanctioned 
> method of doing this in a tomcat world?
> 



Re: Rationale for making Invoker harder to use

Posted by Peter Kennard <pe...@livingwork.com>.
I am a newbie here, but as a workaround I would think you could have 
a "master" servlet that scans and loads all the servlets in the 
directory into a map, and then dispatches requests to them from "/*" 
(having them properly initialized is another question).

I would be interested in the official answer :)

At 18:19 3/14/2007, you wrote:
>I recently installed Tomcat 6.0 and see that I now need to make my 
>web application privileged in order to use InvokerServlet to allow 
>users to execute arbitrary servlets.  This seems to continue a trend 
>that may eventually result in Invoker being withdrawn.
>
>My question is why allowing execution of arbitrary servlets is so 
>discouraged.  In my opinion JSPs are essentially servlets with a 
>different deployment convention and there is no prohibition on 
>running JSPs without "registering them."
>
>I like to build web applications with hundreds of servlets and I 
>prefer not to explicitly define each one in web.xml.  Is there any 
>sanctioned method of doing this in a tomcat world?
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org


