Application Server Solutions for Microsoft IIS and ASP.NET
ServletExec Self-Help: FAQ

Faq ID 354
Product ServletExec
Category Security
Question Why (and how) do I disable the invoker servlet?
Answer

The /servlet/* prefix alias is used to invoke any servlet you wish. It can be used to invoke a servlet either in its configured state
(/servlet/MyConfiguredServlet, using the servlet name given in web.xml) or in its unconfigured state
(/servlet/com.mycompany.myservlets.MyServlet, using the fully qualified name of any servlet class that the webapp can load).

Depending on your servlet, what it does, and how it does it, allowing it to be invoked in an unconfigured manner may pose problems for your application ranging from bothersome behavior (the servlet runs without the init-params you configured for it) all the way up to unacceptable security issues (any loadable servlet class becomes reachable by class name, at a URL that none of your configured aliases or security constraints cover).
For this reason it's generally advisable to "disable the invoker servlet" by overriding the /servlet/* prefix alias mapping, as described below.

This is done on a per-webapp basis, so it must be repeated in the web.xml of every webapp you deploy.
Initially, every webapp has its own instance of the invoker servlet and its own /servlet/* prefix alias mapping, which is mapped to that invoker servlet. Both the servlet and its mapping are implicit, meaning they are built in and hidden; there is nothing to delete, so the mapping is overridden instead.
The best and most portable, Servlet-Specification-compliant way to disable the invoker is to define your own harmless servlet in your webapp's web.xml file and map it to /servlet/*, which overrides the implicit mapping. For example:
<servlet>
  <servlet-name>DisabledInvoker</servlet-name>
  <jsp-file>/noInvoker.jsp</jsp-file>
</servlet>

<servlet-mapping>
  <servlet-name>DisabledInvoker</servlet-name>
  <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>



The noInvoker.jsp file could do something harmless such as return a "Sorry, you can't do that" message, redirect the user elsewhere, or whatever you want it to do. That JSP need not contain any JSP code at all; it can be plain HTML if you like. It's up to you.
Then design your web app so that your servlets are configured in web.xml and have aliases mapped to their configured names, so that they are invoked only through the aliases you set up. Exact aliases (/exact) or prefix aliases (/prefix/*) are probably best for invoking your servlets, although suffix aliases can be used if you wish (for example *.do mapped to the Struts ActionServlet).
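The following complete web.xml is an added example illustrating the whole procedure above (it is not taken from the ServletExec documentation). It combines the DisabledInvoker override with an explicitly configured servlet, an exact alias for it, and a security constraint on that alias, which is the point of configuring aliases in the first place. The servlet name MyConfiguredServlet, the init-param, the /admin/myservlet alias, the BASIC login-config and the admin role are assumptions chosen for illustration; com.mycompany.myservlets.MyServlet is the placeholder class name used in this FAQ.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Invoker-disabled example (added example, assumed names)</display-name>

  <!-- 1. Override the implicit /servlet/* prefix alias. A request such as
       /servlet/com.mycompany.myservlets.MyServlet now reaches this harmless
       JSP instead of instantiating an arbitrary class by name. -->
  <servlet>
    <servlet-name>DisabledInvoker</servlet-name>
    <jsp-file>/noInvoker.jsp</jsp-file>
  </servlet>

  <!-- 2. Configure the real servlet explicitly: a name, its init-params and,
       if wanted, load-on-startup. The init-param is an assumed example. -->
  <servlet>
    <servlet-name>MyConfiguredServlet</servlet-name>
    <servlet-class>com.mycompany.myservlets.MyServlet</servlet-class>
    <init-param>
      <param-name>maxUploadBytes</param-name>
      <param-value>1048576</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Mappings: the invoker override plus one exact alias for the servlet.
       The DTD requires all servlet elements before any servlet-mapping. -->
  <servlet-mapping>
    <servlet-name>DisabledInvoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MyConfiguredServlet</servlet-name>
    <url-pattern>/admin/myservlet</url-pattern>
  </servlet-mapping>

  <!-- 3. Security constraints attach to URL patterns, not to classes. With
       the invoker disabled, /admin/myservlet is the only mapping that
       reaches MyServlet, so this constraint cannot be sidestepped by
       requesting the class under /servlet/. (Assumed role and realm.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin servlet</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin</realm-name>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

After deploying, check the result rather than assuming it: a request for /servlet/com.mycompany.myservlets.MyServlet (and for /servlet/MyConfiguredServlet) should return whatever noInvoker.jsp produces, while /admin/myservlet should prompt for credentials before MyServlet runs. As the FAQ notes, noInvoker.jsp can be a static HTML page; it only has to exist at the path named in the jsp-file element. Remember that this override lives in one webapp's web.xml and must be repeated for every other webapp on the server.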

Readers of this FAQ may also find SE FAQ #298 to be of interest.



   