Our current web application URL reveals the class package structure to the end user. This is because in web.xml the servlet mapping tag is as follows:
<servlet-mapping>
    <servlet-name>Servlet_ name</servlet-name>
    <url-pattern>/servlet/com.xxx.yyy.ClassName</url-pattern>
</servlet-mapping>
Is there any way by which I can hide the package structure, i.e. com.xxx.yyy.ClassName to just ClassName?
Thanks
Sameer
This is recognizable as an old and vulnerable feature of Tomcat’s built-in InvokerServlet. To fix this, disable it in Tomcat’s /conf.web.xml by removing or commenting out the <servlet> and <servlet-mapping> entries associated with <servlet-name>invoker</servlet-name>. This was a security hole in the ancient Tomcat versions and was fixed in Tomcat 5 and upwards, where it has been deprecated and disabled by default. It will be removed in Tomcat 7.
You need to explicitly define all of the servlets in the webapp’s web.xml yourself, along with a decent url-pattern. If you have quite a lot of servlets, consider the Front Controller Pattern, i.e. just one servlet which delegates and executes the desired business logic based on, among others, the request method, request URI, request pathinfo and so on.
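A defender-side check for the two conditions discussed in this thread, added here as an example that is not part of the original question or answer: it scans a web.xml document for the InvokerServlet and for url-patterns that leak a package-qualified class name. The rule names, the sample documents and the `/className` pattern are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"
# Package-qualified class name in a URL, e.g. /servlet/com.xxx.yyy.ClassName
FQCN_IN_URL = re.compile(r"/(?:[a-z_]\w*\.)+[A-Z]\w*")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def _child(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def audit_web_xml(xml_text):
    """Return (rule, detail) findings for one web.xml document."""
    # "invoker" is pre-seeded: the servlet itself may be declared in Tomcat's
    # global web.xml while only the mapping appears in the file being checked.
    findings, invokers = [], {"invoker"}
    elems = list(ET.fromstring(xml_text).iter())
    for e in elems:
        if _local(e.tag) == "servlet" and _child(e, "servlet-class") == INVOKER_CLASS:
            invokers.add(_child(e, "servlet-name"))
            findings.append(("invoker-declared", _child(e, "servlet-name")))
    for e in (m for m in elems if _local(m.tag) == "servlet-mapping"):
        name, pattern = _child(e, "servlet-name"), _child(e, "url-pattern")
        if name in invokers:
            findings.append(("invoker-mapped", pattern))
        if FQCN_IN_URL.search(pattern):
            findings.append(("class-name-in-url", pattern))
    return findings

# Constructed samples: the exposed setup from the question, then explicit mappings.
BEFORE = """<web-app>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Servlet_name</servlet-name>
    <url-pattern>/servlet/com.xxx.yyy.ClassName</url-pattern></servlet-mapping>
</web-app>"""
AFTER = """<web-app>
  <servlet><servlet-name>className</servlet-name>
    <servlet-class>com.xxx.yyy.ClassName</servlet-class></servlet>
  <servlet-mapping><servlet-name>className</servlet-name>
    <url-pattern>/className</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_web_xml(doc))
```

Run it against both Tomcat's global web.xml and each webapp's own web.xml, since the invoker can be declared in one and mapped in the other.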