Which permission to grant to allow reading files from inside JAR files

Sebastian Himberger
Greenhorn

Joined: Jan 26, 2005
Posts: 8
Howdy,

I have a question/problem regarding reading files from a JAR file with an active SecurityManager. I don't know if I'm in the right forum. Please correct me if I should post in the "Java in general" forums instead.

The Problem

I have a web application which loads a properties file from inside a JAR file. This causes an Exception like this:



Notice that the URL contains a "...securitytest.jar!/de/...". If I grant specific access to this file using a policy like this:



I still get the AccessControlException. Enabling the <<ALL FILES>> policy works but is in my opinion not a feasible solution.

Does anybody know how to allow the application to read the file, and which permissions I have to grant? I also tried the URLs:

  • home/sebastian/-
  • home/sebastian/securitytest.jar!/-

Any hints or (better) solutions would be greatly appreciated.

Code to reproduce

SecurityTest.java

contents.properties


You have to create a jar (I did it using Eclipse).

The command line (using Sun's Java):


Thanks very much in advance!

Edit: I know that I could circumvent this problem if I catch the AccessControlException and ignore it, but unfortunately this code is in a 3rd party JAR.

best regards,
Sebastian

[ May 04, 2007: Message edited by: Sebastian Himberger ]

Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
A few things that you might want to check.

It's the right forum to ask security-related queries.

1> Generally, web containers override the policy file of the JDK. You have to make changes in the policy file of the container.

2> You have to grant file permission to the code that is trying to load the property file, not to the property file itself.

The file permission would have as its argument the jar that has the property file, and the action would be read; this permission should be granted to the jar which has the code to read the property file.

Hope this helps,

Rahul Bhattacharjee

Sebastian Himberger
Greenhorn

Joined: Jan 26, 2005
Posts: 8
Hi,

first of all: Thanks very much for the answer.

I've checked that the container is using my policies and granted the permissions both to the complete codebase (for testing) and to the specific web application using:

file:/tomcathome/webapps/mywebapp/-

The problem is IMHO that Java is not able (or I'm not able to tell it) to handle this kind of URL. You can see this if you add the following inside the IOException catch block:



You'll see that if you're running the code without a security manager, an IOException "File not found" will be thrown. If the security manager is enabled, the right to access this (for Java IO not accessible) file is checked and fails because this kind of URL seems not to be handled by my policies. Therefore the method returns with the AccessControlException.

My only idea is either enabling file reading for all files or patching the library, which could be a maintenance problem.

Any ideas left?

thanks very much,
Sebastian
[ May 04, 2007: Message edited by: Sebastian Himberger ]

Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
You can try this out. Use an absolute location; if this works, then try using some TOMCAT or CATALINA variable in the path. At least you will come to know what exactly the problem is.

permission java.io.FilePermission "c:\myHome\securitytest.jar!\de\himberger\demo\securitytest\contents.properties", "read";

read is the correct action.

Can you not try to give the code permission to read the complete jar instead of only a file in it?
[ May 04, 2007: Message edited by: Rahul Bhattacharjee ]

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42910
Would giving permissions to read all of the jar file work (i.e., without the part about the path inside of the file)? I doubt that file permissions work on a level more fine-grained than a complete file.

Sebastian Himberger
Greenhorn

Joined: Jan 26, 2005
Posts: 8
Hi all,

thanks very much for the help. It seems that I had simply overlooked a wrong path. In the lib some kind of path normalization happened which produces a URL like:

'/var/lib/tomcat5.5/conf/file:/var/lib/tomcat5.5/webapps/.../WEB-INF/lib/lib.jar!/.../*.properties'

I simply didn't spot the '/var/lib/tomcat5.5/conf/' prefix. This is definitely a bug/problem in the lib, so I have to patch it and write a bug report so that it'll produce a correct URL.

I wrote a small program which tests the permissions.



It outputs:



So even my first attempt should have worked if the URL wasn't that buggy (I hate those problems). Sorry for having bothered you and thanks very, very much for the advice.

best regards
Sebastian
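
The permission checks discussed in this thread, as an added example that is not part of the original posts and is not the test program mentioned above: it asks `FilePermission.implies` which grants cover which requested paths, and flags a path with a URL scheme embedded in the middle, the symptom found in the last post. The class name, the `looksMangled` helper, the codeBase in the comment and the Unix-style sample paths are assumptions constructed for illustration.

```java
import java.io.FilePermission;

public class JarPermissionCheck {

    // Hypothetical helper: a URL string glued onto a directory leaves a
    // "file:" scheme somewhere after the start of the path.
    static boolean looksMangled(String path) {
        return path.indexOf("file:") > 0;
    }

    public static void main(String[] args) {
        // Constructed sample paths modeled on the ones quoted in the thread.
        String jar = "/home/sebastian/securitytest.jar";
        String entry = jar + "!/de/himberger/demo/securitytest/contents.properties";
        String mangled = "/var/lib/tomcat5.5/conf/file:" + entry;

        // Candidate grants. In a policy file each would sit inside a block
        // granted to the code doing the read, not to the file being read, e.g.
        //   grant codeBase "file:/path/to/reader.jar" {   // placeholder codeBase
        //       permission java.io.FilePermission "<path>", "read";
        //   };
        String[] grants = { jar, entry, "/home/sebastian/-" };
        String[] requests = { jar, entry, mangled };

        for (String request : requests) {
            FilePermission needed = new FilePermission(request, "read");
            System.out.println("requested: " + request
                    + (looksMangled(request) ? "   <-- embedded 'file:' scheme" : ""));
            for (String grant : grants) {
                FilePermission granted = new FilePermission(grant, "read");
                // implies() is the same comparison the access controller makes
                // between a granted permission and the one being checked.
                String verdict = granted.implies(needed) ? "covered by     " : "NOT covered by ";
                System.out.println("    " + verdict + grant);
            }
        }
    }
}
```

Running the same comparison against the exact path printed in an AccessControlException message shows whether a policy entry is wrong or whether the requested path itself is malformed.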
     
    I agree. Here's the link: http://aspose.com/file-tools
     
    subject: Which to permission to grant to allow reading files from inside JAR files.