Apache 6 CGI Security Exception

Hi ranchers

I'm trying to get cgi working with Tomcat 6 bet keep getting this problem when I try to startup tomcat.

java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.CGIServlet is privileged and cannot be loaded by this web application
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1134)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4364)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:924)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:887)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1147)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)


I can get rid of this exception by changing the context.xml to

<Context reloadable="true" privileged="true">

After reading the FAQ I found out the invoker is EVIL. Is there any way to get cgi working without adding the above?

Also is the invoker really enabled by adding the above? In my web.xml file the invoker servlet and mapping is still commented out. Is this ok?

Appreciate any help

Thanks
Usman
[ May 14, 2008: Message edited by: usman shaikh ]

Welcome to JavaRanch.

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)

Hi, thanks for the welcome and reply

Is making an application privileged considered a security flaw? This application needs to be used in a real (non-test) environment so I need to make sure there are no security flaws?

I wouldn't consider it a security flaw if the complete JVM is under your control. If this was a shared environment I'd avoid making apps privileged, though (if it's even allowed).

Originally posted by Ulf Dittmer:

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)

That is true but the inverse is not.
Starting in version 6, a web app needs to be privileged in order for the invoker servlet to work.

One more reason not to use it.