I posted a new blog entry today on why the Tomcat InvokerServlet is evil. If you are interested, check it out and pass it on. I noted at the end of the post that I am looking into adding a SecureInvokerServlet in ESAPI that provides the same functionality as the InvokerServlet, with all the security controls that such a servlet should be performing built in.<div>
<br></div><div><a href="http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html">http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html</a></div><div><br clear="all">
<br>-- <br>-- Chris<br><br>OWASP ESAPI Developer<br><a href="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API</a><br><br>Check out OWASP ESAPI for Java<br>
<a href="http://code.google.com/p/owasp-esapi-java/">http://code.google.com/p/owasp-esapi-java/</a><br><br>Coming soon OWASP ESAPI for JavaScript<br><a href="http://code.google.com/p/owasp-esapi-js/">http://code.google.com/p/owasp-esapi-js/</a><br>

</div>