
Having problems with Security

Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
I'm using a servlet to allow users to upload files to a designated area of my web server. (Actually, it's a hosted server running Apache Tomcat.)
The servlet, of course, is found in /WEB-INF/classes/...
However, I'm trying to write the files to /tempUploadedFiles.
Whenever I try to write the files, however, I get the following exception:
java.security.AccessControlException: access denied (java.io.FilePermission /tempUploadedFiles read)
Is it possible for a servlet to write out a file outside the WEB-INF directory? I don't really know that much about servlets so this has been a lot of trial and error for me. When I execute this on my local box, I have no problem writing files elsewhere on my machine but I'm having problems executing this on the server.
I've even tried modifying the permissions on that directory (to 777) in hopes that the error would go away but no such luck.
Anyone have any ideas?

SCJP Tipline, etc.
Frank Carver

Joined: Jan 07, 1999
Posts: 6920
Although it is possible on some systems to read/write arbitrary directories from a servlet this is neither dependable nor desirable. Using such a feature ties your application to the current machine and configuration, and relies on the server running as a user with permission to access such things.
However, the servlet spec does provide a solution for many of the problems that you might consider using this sort of thing for. Every servlet container which meets a reasonably recent version of the spec is required to ensure that there is at least one directory which your application is explicitly allowed to write to. Best of all, it is required to provide a different directory for each application.
To access this directory, do something such as:

You can then use this directory as a "root" for all your file reading and writing needs.

Read about me at frankcarver.me ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
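
A sketch of using the container-provided directory (the `javax.servlet.context.tempdir` attribute named later in this thread) as the root for uploaded files. This is an added example, not code from the original post; the class name `UploadStore` and the `uploads` subdirectory are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.servlet.ServletContext;

/** Added example: stores uploads under the per-application temp directory. */
public final class UploadStore {
    private final Path root;

    public UploadStore(ServletContext context) throws IOException {
        // Attribute defined by the servlet spec; the container returns a java.io.File.
        File tempDir = (File) context.getAttribute("javax.servlet.context.tempdir");
        if (tempDir == null) {
            throw new IOException("container did not provide javax.servlet.context.tempdir");
        }
        // "uploads" is a hypothetical subdirectory name chosen for this example.
        this.root = Files.createDirectories(tempDir.toPath().resolve("uploads")).toRealPath();
    }

    /** Saves the stream under the root, keeping only the last element of the client-supplied name. */
    public Path save(String clientFileName, InputStream data) throws IOException {
        // Browsers may send a full client-side path; keep the final component only.
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected file name: " + clientFileName);
        }
        Path target = root.resolve(base).normalize();
        // Defence in depth: the resolved path must still be inside the root.
        if (!target.startsWith(root)) {
            throw new IOException("path escapes upload root: " + clientFileName);
        }
        // Throws FileAlreadyExistsException rather than overwriting an earlier upload.
        Files.copy(data, target);
        return target;
    }
}
```

Because every write goes through `save`, the application needs file permissions only for the one directory the container already grants it.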
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Well, that was very helpful, Frank, but I ran into another issue. Let's see if you can follow this one...
The server I'm working on is not my own - it's a hosted server. Therefore, I don't get to make all the rules and I don't have access to every directory on the server. Well, it just so happens that the directory that I am able to write to (using the method you described above) is not accessible (at least not by me logging into an FTP client). So, my servlet may be able to write files there all day long but I'd never be able to see them to verify that or clean up. That certainly puts a damper on any sort of development effort using that directory.
I already spoke with my hosting company and they've told me that they can't grant me access to that directory as it would require giving me root access. Okay, that's understandable, but it leaves me in a bit of a bind.
So, after all that, here's my next question. Why can't I put the files in any old directory? I realize that it binds me to a given configuration, but that's okay with me - I can deal with that. However, when I try to get the files to write to a specific directory, I get this error:
java.security.AccessControlException: access denied (java.io.FilePermission /home/virtual/site189/fst/var/www/html/uploads/tempUploadedFiles/draft.xls write)
That directory exists and has permissions set to 777 to allow anyone read and write access, but I still get this error. I assume that there must be another configuration option to change this behavior but it's well beyond me to know what it is. Do you have any ideas about that one?
Thanks again.
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Yet another thought, is it possible to configure where that directory (the one that the app server can write to) is located? If I can't get to it where it is now, can it be changed so that I can get to it? Do you know what I'm getting at? Can the location for getServletContext().getAttribute("javax.servlet.context.tempdir") be modified?
Lasse Koskela

Joined: Jan 23, 2002
Posts: 11962
Corey, you could ask your hosting provider to add a java.io.FilePermission for the directory to the server's policy file (unless you have access to it on your own).
Possibly something like
[ September 10, 2003: Message edited by: Lasse Koskela ]

Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
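
A possible shape for such a policy entry, using the upload directory from the exception quoted earlier in the thread. This is an added example, not the snippet from the original post; `WEBAPP_NAME` is a placeholder and the `${catalina.home}/webapps/...` code base assumes a default Tomcat layout.

```conf
// Constructed example for catalina.policy; WEBAPP_NAME is a placeholder.
// A bare "grant { ... }" applies to all code in the JVM; a codeBase limits
// the permission to classes loaded from this one web application.
grant codeBase "file:${catalina.home}/webapps/WEBAPP_NAME/-" {
    // The directory itself, so the servlet can check that it exists.
    permission java.io.FilePermission "/home/virtual/site189/fst/var/www/html/uploads/tempUploadedFiles", "read";
    // Files directly inside it ("*" is one level only, "-" would be recursive).
    permission java.io.FilePermission "/home/virtual/site189/fst/var/www/html/uploads/tempUploadedFiles/*", "read,write,delete";
};
```

The security manager evaluates this policy independently of the filesystem mode bits, so both the policy grant and the operating-system permission have to allow the write.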
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Thanks, Lasse, that may be just what I need. However, I've run into a bit of a snag testing this out (I'm definitely in over my head when it comes to the Tomcat app server configuration).
I added this line to my catalina.policy file (this is on my local box - it would look a little different on the web server):
grant {
    // Backslashes inside a policy-file string must be doubled.
    permission java.io.FilePermission "C:\\jakarta-tomcat-4.0.6\\webapps\\relion\\uploads\\*", "write";
};
However, when I use the command "startup -security" to have it use the security manager, I get the following error when accessing my servlet:

That certainly looks like a classpath problem, but I have no idea where that class is. I've looked through all of the JAR files that come with Tomcat and haven't found it in any of them. Anyone know where this class file is?