
Oh my! Did I do a bad thing (security issue).

 
Darrin Smith
I have a servlet that reads images from a database. When the image isn't there, I want to read a default image.

Now, I know that I can have a default image on disk, but since there is already a default image inside of the resource of my web app, I thought that it would be best to read it from there. When I try that, though, I get this:

[#|2005-06-20T15:13:50.917-0500|INFO|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.out|_ThreadID=16;|
access denied (org.apache.naming.JndiPermission jndi:/server/myapp/resources/noimage.JPG)|#]

[#|2005-06-20T15:13:50.917-0500|WARNING|sun-appserver-pe8.0.0_01|javax.enterprise.system.stream.err|_ThreadID=16;|
java.security.AccessControlException: access denied (org.apache.naming.JndiPermission jndi:/server/myapp/resources/noimage.JPG)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
at sun.awt.SunToolkit.getImageFromHash(SunToolkit.java:437)
at sun.awt.SunToolkit.getImage(SunToolkit.java:490)
at javax.swing.ImageIcon.<init>(ImageIcon.java:119)


The code I'm using looks like this:



I think that you should be able to set up the permission in the server.policy file to allow this, but the bigger issue is: should this even be done to begin with? In other words, is this really a "bad thing" to do (read the image that the servlet needs from the resources)?

If not, any pointers on what the permission should look like?

My guess is:


but that is just a guess!

Thanks.
 