Rationale for making Invoker harder to use

I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.

My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."

I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
Re: Rationale for making Invoker harder to use

I am a newbie here but as a work-around, I would think you could have a "master" servlet and it could scan and load all the servlets in the directory into a map, and then dispatch requests to them from "/*" (having them properly initialized is another question). I would be interested in the official answer :)

At 18:19 3/14/2007, you wrote:
> I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.
>
> My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."
>
> I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?
Re: Rationale for making Invoker harder to use

http://tomcat.apache.org/faq/misc.html#evil

-Tim

Paul Mendelson wrote:
> I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.
>
> My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."
>
> I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?
Re: Rationale for making Invoker harder to use

Tim Funk wrote:
> http://tomcat.apache.org/faq/misc.html#evil
>
> -Tim
>
> Paul Mendelson wrote:
>> I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.
>>
>> My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."
>>
>> I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?

1. No one is suggesting putting this sort of limitation on JSPs even though they are explicitly declared.

2. If random servlets in random places is a great concern, why can't we add some qualifiers to the invoker's classpath?

3. I find the security concern of mapping /xxx/* to invoker overrated. Can't I put a security constraint on /xxx/* if I want to?

4. I realize that a servlet that is mapped can also be loaded by invoker. I don't know why a developer would consciously map invoker and also map the servlet that they knew was mapped by invoker. Unless the developer in that case was not concerned about 2 copies of 1 servlet running.

I don't expect Tomcat to change its policy but I'm wondering what sort of design patterns are being used by developers who don't want to deploy JSPs or JSFs and who don't want to explicitly map each user-addressable bit of functionality in web.xml. I'm hoping to find a replacement design pattern before Tomcat retires Invoker altogether.
RE: Rationale for making Invoker harder to use

> -----Original Message-----
> From: Tim Funk [mailto:funkman@...]
> Sent: Wednesday, March 14, 2007 8:39 PM
> To: Tomcat Users List
> Subject: Re: Rationale for making Invoker harder to use
>
> http://tomcat.apache.org/faq/misc.html#evil

Keep in mind this opens with "This is opinions of the writer (YMMV)" [sic]

There are of course two sides to this. My current employer has a design where everything is invoked using the invoker servlet, and there is little hope of changing that. In fact, they exploit this as part of the application design.

] Configuration hiding - There is NO way to determine which
] servlets are used vs which are not used. In web.xml, every servlet
] is declared and mapped. In that one file you instantly have a road
] map to how the webapp works.

The configuration for this application is explicit -- it's in a database full of application and navigation tables. So while the configuration isn't explicit in web.xml, for example, the configuration is explicit in the database. No servlet class name in the database? Then it's not used.

] Back doors. Servlets which are mapped can be alternately called via
] the invoker by class name. Since the URL is different, all security
] constraints might be ignored since the URL pattern is VERY different.

Security is implemented explicitly in the servlet suite, so the mapping of a URL pattern to a security constraint is not necessary either. Many applications choose to manage their own security. Some of our customers are still using Windows 98, and IE 5 too. GASP!

Is this the ideal solution? Maybe, maybe not. It doesn't completely refute all points made in the posted link. The application design is meant for rapid deployment of lots of small changes as we are constantly scrambling to make changes for compliance with state law changes, and at the moment the invoker servlet figures heavily in that design.

] [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

One could argue that as Tomcat gets more and more mature and vetted, the odds of a security problem being present go down, and hence the risk of using the invoker servlet does as well.

I've been tempted to download 6.0 and try it out, but now knowing that the app needs to be privileged turns me off.

Tim

> -Tim
>
> Paul Mendelson wrote:
> > I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.
> >
> > My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."
> >
> > I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?
Re: Rationale for making Invoker harder to use

At 20:38 3/14/2007, you wrote:
> http://tomcat.apache.org/faq/misc.html#evil
>
> -Tim

All very good points, especially since it will load classes outside the webapps sandbox. Definitely evil.

What I would probably do in the large # of servlets situation for a single webapp during development is generate the web.xml file as part of the build process and have the build scan the proper source directory and create it dynamically before deployment. Alas, hard to do in Ant without scripts, but would make development easier.

PK

> Paul Mendelson wrote:
>> I recently installed Tomcat 6.0 and see that I now need to make my web application privileged in order to use InvokerServlet to allow users to execute arbitrary servlets. This seems to continue a trend that may eventually result in Invoker being withdrawn.
>>
>> My question is why is allowing execution of arbitrary servlets so discouraged. In my opinion JSPs are essentially servlets with a different deployment convention and there is no prohibition on running JSPs without "registering them."
>>
>> I like to build web applications with hundreds of servlets and I prefer not to explicitly define each one in web.xml. Is there any sanctioned method of doing this in a Tomcat world?
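The build-time approach PK describes (scan the source tree, emit an explicit web.xml, deploy that) is the pattern that keeps the benefits the FAQ link argues for: every reachable servlet is declared in one file, and security constraints can be attached to the URL patterns it lists. The script below is an added example, not code from the thread or from Tomcat; it is a plain Python generator that a build could call before packaging. Its regex-based detection of `extends HttpServlet`, the `/app` URL prefix, and the sample source tree it writes are all constructed for illustration (a real build would more robustly inspect compiled classes).

```python
"""
Added example (not from the thread): generate explicit <servlet> and
<servlet-mapping> entries for web.xml by scanning a source tree for
HttpServlet subclasses, so every URL-addressable servlet is declared
rather than reached by class name through the invoker servlet.
The regexes, URL prefix and sample tree are constructed for this illustration.
"""
import re
import tempfile
from pathlib import Path
from xml.sax.saxutils import escape

# Constructed regexes: enough for "package x.y;" and "class Foo extends HttpServlet";
# a real build should inspect compiled classes rather than match source text.
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)
SERVLET_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+HttpServlet\b")


def find_servlets(src_root):
    """Return sorted fully qualified names of classes extending HttpServlet under src_root."""
    names = []
    for java_file in Path(src_root).rglob("*.java"):
        text = java_file.read_text(encoding="utf-8")
        cls = SERVLET_RE.search(text)
        if cls is None:
            continue  # helper classes are never exposed as URLs
        pkg = PACKAGE_RE.search(text)
        names.append(f"{pkg.group(1)}.{cls.group(1)}" if pkg else cls.group(1))
    return sorted(names)


def servlet_entries(class_names, url_prefix="/app"):
    """Build one explicit <servlet> and <servlet-mapping> per class name."""
    servlets, mappings = [], []
    for fqcn in class_names:
        name = fqcn.rsplit(".", 1)[-1]
        servlets.append(
            "  <servlet>\n"
            f"    <servlet-name>{escape(name)}</servlet-name>\n"
            f"    <servlet-class>{escape(fqcn)}</servlet-class>\n"
            "  </servlet>"
        )
        mappings.append(
            "  <servlet-mapping>\n"
            f"    <servlet-name>{escape(name)}</servlet-name>\n"
            f"    <url-pattern>{escape(url_prefix + '/' + name)}</url-pattern>\n"
            "  </servlet-mapping>"
        )
    return "\n".join(servlets + mappings)


def generate_web_xml(src_root, url_prefix="/app"):
    """Scan src_root and return a complete web.xml (Servlet 2.5 header) with explicit mappings."""
    body = servlet_entries(find_servlets(src_root), url_prefix)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">\n'
        f"{body}\n"
        "</web-app>\n"
    )


def make_sample_tree():
    """Write a constructed sample source tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="servlets-"))
    (root / "com/example/admin").mkdir(parents=True)
    (root / "com/example/Hello.java").write_text(
        "package com.example;\n"
        "public class Hello extends HttpServlet { }\n", encoding="utf-8")
    (root / "com/example/admin/Report.java").write_text(
        "package com.example.admin;\n"
        "public class Report extends HttpServlet { }\n", encoding="utf-8")
    # Plain helper class: must not appear in the generated web.xml.
    (root / "com/example/Util.java").write_text(
        "package com.example;\n"
        "public class Util { }\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    print(generate_web_xml(make_sample_tree()))
```

Because the output lists every mapped URL under one prefix, a `<security-constraint>` on `/app/*` covers all generated servlets, and a reviewer can diff two builds' web.xml to see exactly which endpoints were added or removed.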