Oh my! Did I do a bad thing (security issue).

Darrin Smith
Ranch Hand

Joined: Aug 04, 2003
Posts: 276
I have a servlet that reads images from a database. When the image isn't there, I want to read a default image.

Now, I know that I can have a default image on disk, but since there is already a default image inside of the resource of my web app, I thought that it would be best to read it from there. When I try that though I get this:

[#|2005-06-20T15:13:50.917-0500|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=16;|
access denied (org.apache.naming.JndiPermission jndi:/server/myapp/resources/noimage.JPG)|#]

[#|2005-06-20T15:13:50.917-0500|WARNING|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.err|_ThreadID=16;|
java.security.AccessControlException: access denied (org.apache.naming.JndiPermission jndi:/server/myapp/resources/noimage.JPG)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
at sun.awt.SunToolkit.getImageFromHash(SunToolkit.java:437)
at sun.awt.SunToolkit.getImage(SunToolkit.java:490)
at javax.swing.ImageIcon.<init>(ImageIcon.java:119)


The code I'm using looks like this:



I think that you should be able to set the permission in the server.policy file up to allow this, but the bigger issue is should this even be done to begin with? In other words, is this really a "bad thing" to do (read the image that the servlet needs from the resources)?

If not, any pointers on what the permission should look like?

My guess is:


but that is just a guess!

Thanks.
 