You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Costin Manolache <cm...@yahoo.com> on 2002/11/01 20:39:12 UTC
tomcat4 user guide ( doc on webapps/ dir ) ?
Hi,
Is there any documentation on the webapps/ layout ? In 3.3 it's
in the 'user guide' (
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ug.html),
but I can't find the equivalent doc. I'm interested in docs for
the ROOT special dir.
I know this should be directed to tomcat-user :-)
( I also know how it works - but I need the 'official' documentation )
Costin
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: tomcat4 user guide ( doc on webapps/ dir ) ?
Posted by Costin Manolache <cm...@yahoo.com>.
Thanks Craig !
Costin
Craig R. McClanahan wrote:
>
>
> On Fri, 1 Nov 2002, Costin Manolache wrote:
>
>> Date: Fri, 01 Nov 2002 11:39:12 -0800
>> From: Costin Manolache <cm...@yahoo.com>
>> Reply-To: Tomcat Developers List <to...@jakarta.apache.org>
>> To: tomcat-dev@jakarta.apache.org
>> Subject: tomcat4 user guide ( doc on webapps/ dir ) ?
>>
>> Hi,
>>
>> Is there any documentation on the webapps/ layout ? In 3.3 it's
>> in the 'user guide' (
>> http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ug.html),
>> but I can't find the equivalent doc. I'm interested in docs for
>> the ROOT special dir.
>>
>
> You have to reach for it :-), but it's there. See the "Automatic
> Application Deployment" section on:
>
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
>
> This is also cross referenced from the description of the "appBase"
> attribute of the <Host> element, earlier on this page -- which is the
> canonical place that you define the "webapps" directory in 4.x.
>
>>
>> I know this should be directed to tomcat-user :-)
>> ( I also know how it works - but I need the 'official' documentation )
>>
>> Costin
>>
>>
>
> Craig
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Security threat with enabling invoker servlet in 4.1.12
Posted by Budi Kurniawan <bu...@cse.unsw.EDU.AU>.
Thanks Martin,
budi
On Mon, 4 Nov 2002, Martin Algesten wrote:
> The invoker servlet allows for anyone to call your servlets using their
> class names. This is not a problem as long as you are happy with that.
> In my case I have some internal servlets (used as a poor substitute for
> RMI) where I map the servlets to be under /internal/some.servlet and
> then protect /internal/* in my Apache web server in front of Tomcat. I
> don't use the invoker servlet since I want to declare exactly how my
> servlets are to be accessed.
>
> Martin
>
> Budi Kurniawan wrote:
>
> >Hi,
> >
> >I've browsed the user list for this question but could not find the
> >answer. Apologies if this is not the right question for this list.
> >
> >The release note in 4.1.12 says that the invoker servlet is turned off in
> >the default web.xml for security reasons. However, in the examples
> >app's web.xml the invoker is on.
> >
> >My questions are:
> >1. What security threat is that?
> >2. If it is not safe to turn it on in the default web.xml, is it safe to
> >do so in the app web.xml?
> >
> >thx,
> >budi
> >
> >
> >--
> >To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> >For additional commands, e-mail: <ma...@jakarta.apache.org>
> >
> >
> >
>
>
> --
> To unsubscribe, e-mail: <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Security threat with enabling invoker servlet in 4.1.12
Posted by Martin Algesten <ma...@taglab.com>.
The invoker servlet allows for anyone to call your servlets using their
class names. This is not a problem as long as you are happy with that.
In my case I have some internal servlets (used as a poor substitute for
RMI) where I map the servlets to be under /internal/some.servlet and
then protect /internal/* in my Apache web server in front of Tomcat. I
don't use the invoker servlet since I want to declare exactly how my
servlets are to be accessed.
Martin
Budi Kurniawan wrote:
>Hi,
>
>I've browsed the user list for this question but could not find the
>answer. Apologies if this is not the right question for this list.
>
>The release note in 4.1.12 says that the invoker servlet is turned off in
>the default web.xml for security reasons. However, in the examples
>app's web.xml the invoker is on.
>
>My questions are:
>1. What security threat is that?
>2. If it is not safe to turn it on in the default web.xml, is it safe to
>do so in the app web.xml?
>
>thx,
>budi
>
>
>--
>To unsubscribe, e-mail: <ma...@jakarta.apache.org>
>For additional commands, e-mail: <ma...@jakarta.apache.org>
>
>
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Security threat with enabling invoker servlet in 4.1.12
Posted by Budi Kurniawan <bu...@cse.unsw.EDU.AU>.
Hi,
I've browsed the user list for this question but could not find the
answer. Apologies if this is not the right question for this list.
The release note in 4.1.12 says that the invoker servlet is turned off in
the default web.xml for security reasons. However, in the examples
app's web.xml the invoker is on.
My questions are:
1. What security threat is that?
2. If it is not safe to turn it on in the default web.xml, is it safe to
do so in the app web.xml?
thx,
budi
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: tomcat4 user guide ( doc on webapps/ dir ) ?
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 1 Nov 2002, Costin Manolache wrote:
> Date: Fri, 01 Nov 2002 11:39:12 -0800
> From: Costin Manolache <cm...@yahoo.com>
> Reply-To: Tomcat Developers List <to...@jakarta.apache.org>
> To: tomcat-dev@jakarta.apache.org
> Subject: tomcat4 user guide ( doc on webapps/ dir ) ?
>
> Hi,
>
> Is there any documentation on the webapps/ layout ? In 3.3 it's
> in the 'user guide' (
> http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ug.html),
> but I can't find the equivalent doc. I'm interested in docs for
> the ROOT special dir.
>
You have to reach for it :-), but it's there. See the "Automatic
Application Deployment" section on:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
This is also cross referenced from the description of the "appBase"
attribute of the <Host> element, earlier on this page -- which is the
canonical place that you define the "webapps" directory in 4.x.
>
> I know this should be directed to tomcat-user :-)
> ( I also know how it works - but I need the 'official' documentation )
>
> Costin
>
>
Craig
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>