users@glassfish.java.net

Re: glassfish and resources from the system

From: Wolfram Rittmeyer <w.rittmeyer_at_jsptutorial.org>
Date: Fri, 01 Feb 2008 21:31:09 +0100

glassfish_at_javadesktop.org wrote:
> Hi,
>
> I have a glassfish running on my server. What I would like to do is to give my web applications the possibility to reach some files in a file system.
>

Hi,


this is of course possible - though you have to be very careful to not
accidentally allow attackers to traverse your filesystem and get
valuable information about your system.


> For example I have some pictures in /home/paul/pictures and I would like to create a web gallery showing those pictures. How do I do that? Is it even possible?

Since you are obviously using a Unix-based system the easiest way to do
so would be to use a symlink - if you are using directory-deployed
webapps. Following symbolic links is disabled by default so you have to
enable it and restart the server afterwards:

asadmin set server.http-service.virtual-server.server.property.allowLinking=true

Of course you can also use the web based admin console or edit the file
domain.xml directly.

For anyone reading this but using Windows instead: This feature exposes
JSP source files. So use this with extreme caution!


You could also use a Servlet that reads the file, sets the content-type
of the response and returns the actual bytes using the
ServletOutputStream. To be able to access the file system you most
probably would have to edit the server.policy file. This file determines
what the apps of your domain are allowed to do. You have to set the
permission java.io.FilePermission so that the directory containing your
files is readable.


Regards,

Wolfram Rittmeyer


> [Message sent by forum member 'paulszulc' (paulszulc)]
>

> http://forums.java.net/jive/thread.jspa?messageID=257043
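The servlet approach described in the reply, sketched as an added example that is not part of the original message or of GlassFish itself: it serves files only from /home/paul/pictures and rejects any request that resolves outside that directory. The class name PictureServlet, the /pictures/* mapping, the javax.servlet namespace and Java 7 or later are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped to /pictures/* in web.xml.
public class PictureServlet extends HttpServlet {

    // Directory from the question; the only place files may be served from.
    private static final Path BASE = Paths.get("/home/paul/pictures");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getPathInfo();            // e.g. "/holiday/beach.jpg"
        if (name == null || name.length() < 2) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Path file;
        try {
            // toRealPath() resolves ".." and symlinks, so the prefix check
            // below sees the location that will actually be read.
            Path root = BASE.toRealPath();
            file = root.resolve(name.substring(1)).toRealPath();
            if (!file.startsWith(root) || !Files.isRegularFile(file)) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        } catch (IOException | RuntimeException e) { // missing file, bad path
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Only serve types the container maps to an image MIME type.
        String type = getServletContext().getMimeType(file.getFileName().toString());
        if (type == null || !type.startsWith("image/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType(type);
        resp.setHeader("X-Content-Type-Options", "nosniff");
        Files.copy(file, resp.getOutputStream());   // writes to the ServletOutputStream
    }
}
```

When the security manager is active, the java.io.FilePermission grant in server.policy can be limited to "read" on "/home/paul/pictures/-", so the policy enforces the same boundary even if the check in the servlet is later changed.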