Posted to users@tomcat.apache.org by Randy Paries <ra...@unitnet.com> on 2002/12/19 17:19:55 UTC

RE: Should not be this hard(why is this a security risk)

That is what I needed ...

Thanks all

To follow this up, why is this a security risk?

Do they want specific mapping for each servlet?

Thanks

-----Original Message-----
From: PELOQUIN,JEFFREY (HP-Boise,ex1) [mailto:jeffrey.peloquin@hp.com] 
Sent: Thursday, December 19, 2002 9:54 AM
To: 'Tomcat Users List'
Subject: RE: Should not be this hard


From the release notes

------------------------
Enabling invoker servlet:
------------------------

Starting with Tomcat 4.1.12, the invoker servlet is no longer available
by default in all webapp. Enabling it for all webapps is possible by
editing $CATALINA_HOME/conf/web.xml to uncomment the "/servlet/*"
servlet-mapping definition.

Using the invoker servlet in a production environment is not recommended
and is unsupported.

-----Original Message-----
From: Randy Paries [mailto:randy.paries@unitnet.com]
Sent: Thursday, December 19, 2002 8:51 AM
To: 'Tomcat Users List'
Subject: Should not be this hard


Hello, me again

This should have been so easy (famous last words)

I am upgrading from tomcat jakarta-tomcat-4.0.4 to jakarta-tomcat-4.1.17
4.0.4 was working fine.....

For some reason I can not find my servlets ARG!

In my web.xml I have a <load-on-startup/> and in the log file, the
servlet starts OK.... But if I go to
http://bart.mydomain.com:8080/servlet/uServlet
I get a 404.......

Here are some details. I have to be missing something very simple.

My static HTML and JSPs work OK when I go to
http://bart.mydomain.com:8080/index.html
http://bart.mydomain.com:8080/jsp/dirgloblogin.jsp

But if I go to http://bart.mydomain.com:8080/servlet/uServlet
I get a 404

from the log file I get :

2002-12-19 09:42:13 StandardContext[]: Mapping contextPath='' with requestURI='/servlet/uServlet' and relativeURI='/servlet/uServlet

2002-12-19 09:42:13 StandardContext[]:   Trying exact match
2002-12-19 09:42:13 StandardContext[]:   Trying prefix match
2002-12-19 09:42:13 StandardContext[]:   Trying extension match
2002-12-19 09:42:13 StandardContext[]:   Trying default match
2002-12-19 09:42:13 StandardContext[]:  Mapped to servlet 'default' with servlet path '/servlet/uServlet' and path info 'null' and update=true
2002-12-19 09:42:13 default: DefaultServlet.serveResource:  Serving resource '/servlet/uServlet' headers and data


In my server.xml I have

<Engine name="Standalone" defaultHost="localhost" debug="9">

<Host name="localhost" debug="0" appBase="/home/unit" unpackWARs="true"
autoDeploy="true">
       
 <Context path=""
                 docBase="/home/unit"
                 crossContext="true"
                 debug="9"
                 reloadable="false" >
 </Context>
 

#ls -ls /home/unit/WEB-INF/classes
total 104
  32 -rwxrwxrwx    1 apache   apache      32734 Dec 18 21:31 bbsServlet.class
   4 drwxrwxrwx    3 apache   apache       4096 Aug 24 22:19 com
  36 -rw-rw-r--    1 apache   apache      33984 Nov  6 15:43 EditjsServlet.class
  32 -rwxrwxrwx    1 apache   apache      31030 Dec 18 21:31 uServlet.class

Thanks for any Help!!!




--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>



Re: Should not be this hard(why is this a security risk)

Posted by Dodd Gatsos <dg...@slb.com>.
Just a guess.......

Because someone could theoretically drop a servlet into your file system
programmed to issue commands passed in as a parameter and execute them as
root?



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
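
Added example, not part of the original thread or of Tomcat's shipped files: instead of enabling the invoker servlet, which answers /servlet/<class name> for any servlet class the webapp can load whether or not web.xml declares it, /home/unit/WEB-INF/web.xml can declare and map each servlet explicitly. The class names come from the directory listing in the thread; that bbsServlet and EditjsServlet are servlets, their URL patterns, and the load-on-startup value are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<!-- /home/unit/WEB-INF/web.xml (added example).
     The "/servlet/*" invoker mapping in $CATALINA_HOME/conf/web.xml
     stays commented out; only the servlets declared here are reachable. -->
<web-app>

  <!-- The 2.3 DTD requires every <servlet> element to come before
       the first <servlet-mapping> element. -->
  <servlet>
    <servlet-name>uServlet</servlet-name>
    <!-- Class sits directly in WEB-INF/classes, so it has no package. -->
    <servlet-class>uServlet</servlet-class>
    <!-- Assumed value; the thread only shows an empty element. -->
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>bbsServlet</servlet-name>
    <servlet-class>bbsServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>EditjsServlet</servlet-name>
    <servlet-class>EditjsServlet</servlet-class>
  </servlet>

  <!-- Exact-match patterns keep the old /servlet/... URLs working
       without a wildcard that would dispatch to arbitrary class names. -->
  <servlet-mapping>
    <servlet-name>uServlet</servlet-name>
    <url-pattern>/servlet/uServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>bbsServlet</servlet-name>
    <url-pattern>/servlet/bbsServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>EditjsServlet</servlet-name>
    <url-pattern>/servlet/EditjsServlet</url-pattern>
  </servlet-mapping>

</web-app>
```

With this in place, a request for /servlet/ followed by any other class name falls through to the default servlet and returns 404, as in the log excerpt quoted in the thread.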