Tim Funk wrote:
http://tomcat.apache.org/faq/misc.html#evil

-Tim

Paul Mendelson wrote:
I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.

My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."

I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a tomcat world?


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
I have seen this rationale before but have not found it very satisfying:

1. No one is suggesting putting this sort of limitation on JSPs even though they are explicitly declared.
2. If random servlets in random places is a great concern, why can't we add some qualifiers to the invoker's classpath?
3. I find the security concern of mapping /xxx/* to invoker overrated. Can't I put a security constraint on /xxx/* if I want to?
4. I realize that a servlet that is mapped can also be loaded by invoker. I don't know why a developer would consciously map invoker and also map the servlet that they knew was mapped by invoker, unless the developer in that case was not concerned about 2 copies of 1 servlet running.

I don't expect tomcat to change its policy, but I'm wondering what sort of design patterns are being used by developers who don't want to deploy JSPs or JSFs and who don't want to explicitly map each user-addressable bit of functionality in web.xml.

I'm hoping to find a replacement design pattern before tomcat retires Invoker altogether.
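The pattern the thread is asking about can be shown with a single front-controller servlet. This is an added example, not code from the thread or from Tomcat: it assumes the Servlet 2.5 API (javax.servlet) that Tomcat 6.0 ships, and the class names FrontControllerServlet, Action, HelloAction and TimeAction are hypothetical. The point it makes from the security side is the difference from the invoker: the request path is only ever used as a key into a registry that the developer filled in at startup, never turned into a class name, so the set of code reachable over HTTP is fixed and reviewable in one place, and one url-pattern (plus, if wanted, one security-constraint on that pattern) covers every action.

```java
import java.io.IOException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front controller: registered ONCE in web.xml, for example
 *
 *   <servlet>
 *     <servlet-name>front</servlet-name>
 *     <servlet-class>FrontControllerServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>front</servlet-name>
 *     <url-pattern>/app/*</url-pattern>
 *   </servlet-mapping>
 *
 * Every action is reached through /app/<name>, so a single
 * <security-constraint> on /app/* protects all of them.
 * (Hypothetical class and path names, assumed for this example.)
 */
public class FrontControllerServlet extends HttpServlet {

    /** One small handler class per user-addressable piece of functionality. */
    public interface Action {
        void handle(HttpServletRequest req, HttpServletResponse resp)
                throws IOException, ServletException;
    }

    /** The registry IS the allow-list: nothing not put here can be invoked. */
    private final Map<String, Action> actions = new HashMap<String, Action>();

    @Override
    public void init() throws ServletException {
        // Registration happens in code at startup, not by naming a class in the URL.
        actions.put("/hello", new HelloAction());
        actions.put("/time", new TimeAction());
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part after the /app mapping, e.g. "/hello" for /app/hello.
        // It is used only as a map key; no reflection, no Class.forName on user input.
        String path = req.getPathInfo();
        Action action = (path == null) ? null : actions.get(path);
        if (action == null) {
            // Unknown name: plain 404, so unregistered classes on the classpath stay unreachable.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        action.handle(req, resp);
    }

    /** Hypothetical action: a greeting. */
    static class HelloAction implements Action {
        public void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello");
        }
    }

    /** Hypothetical action: the server time. */
    static class TimeAction implements Action {
        public void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println(new Date().toString());
        }
    }
}
```

Adding a new piece of functionality is one line in init() plus the handler class, which keeps the "hundreds of servlets without hundreds of web.xml entries" convenience while dropping the property the FAQ objects to: with the invoker, any servlet class that happens to be on the webapp's classpath becomes callable by URL, whereas here only what init() registers is.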
