Links and file security in java servlets

Discussion in 'Java' started by jonesy, Nov 7, 2006.

  1. jonesy

    jonesy Guest

    I am using java servlets in a website, and I want to have a page that
    displays links to files stored in a location on the server (separate to
    public_html for security reasons).

    The code I have currently works when just calling one file from one
    servlet, but I need a page with a varying number of reports to be
    displayed as links. The file names for each of these links is
    retrieved from a database. The problem I have is that the global
    variable, "project.file", only stores the last row in database's value,
    not an individual value (file name) for each link. So every link
    displayed on the page links to the same document, even though they are
    labelled differently.

    Any ideas would be greatly appreciated.


    The servlet for displaying the links is as follows:

    // connections to database


    while (resultSet.next() == true) // database connection that contains
    the file details
    {
    if (resultSetColours.first()) // used only to compare values
    {
    // Initialising values from database
    String id = resultSet.getString("H5_PROJECT_ID");
    String title = resultSet.getString("H5_PROJECT_TITLE");
    String colour = resultSet.getString("H5_PROJECT_COLOUR");
    String date = resultSet.getString("H5_PROJECT_DATE");
    String link = resultSet.getString("H5_PROJECT_LINK");
    String summary = resultSet.getString("H5_PROJECT_SUMMARY");

    session.setAttribute("project.file", link); // setting the global
    variable to be referenced in servlet below
    session.setAttribute("project.date", date);

    String r = resultSetColours.getString("H5_R");
    String y = resultSetColours.getString("H5_Y");
    String a = resultSetColours.getString("H5_A");
    String o = resultSetColours.getString("H5_O");
    String g = resultSetColours.getString("H5_G");

    // Output summary link and table headings if this is the first time
    through the loop
    if (count == 0)
    {
    // Table headings and formatting
    }

    // HTML table output
    out.println(" <td class='smallfont'> " + id + " </td>\n");
    out.println(" <td> " + title + " </td>\n");

    // Compare value in h5_project database to the static value in the
    h5_colour
    if (colour.equals(r))
    {
    // red
    }
    else if ((colour.equals(y)) || (colour.equals(a)) ||
    (colour.equals(o)))
    {
    // yellow
    }
    else if (colour.equals(g))
    {
    // green
    }
    else
    {
    // do nothing
    }
    out.println("<a href=/servlets/Project_FileOutput>" + link + "
    </a>"); // this calls the servlet below using the global variable.
    the problem i have is that the global variable only stores the last row
    in database's value, not an individual value (file name) for each link.

    }
    }






    The servlet for accessing the files from the separate directory is as
    follows:

    ServletOutputStream out = res.getOutputStream();

    HttpSession session = req.getSession(true);
    session.setMaxInactiveInterval(1200);
    ServletContext context = getServletContext();

    String link = (String) session.getAttribute("project.file"); //
    retrieves global variable from above servlet

    res.setContentType("application/msword");
    res.setHeader("Content-Disposition", "attachment; filename=" + link);

    FileInputStream infis = null;

    try
    {
    infis = new FileInputStream("./myserver/website_files/projects/" +
    link);

    int c;
    while ((c = infis.read()) != -1)
    {
    out.write(c);
    }
    }
    catch (IOException e)
    {
    res.sendRedirect("/nofile.html");
    }
    finally
    {
    if (infis != null)
    {
    infis.close();
    }
    }
    jonesy, Nov 7, 2006
    #1
    1. Advertising

  2. jonesy

    Simon Brooke Guest

    in message <>, jonesy
    ('3" <') wrote:

    > I am using java servlets in a website, and I want to have a page that
    > displays links to files stored in a location on the server (separate to
    > public_html for security reasons).


    You appreciate, I hope, that this is much /less/ secure, not more secure,
    than requiring files which can be served to come only from specified
    places?

    You can certainly use servlets to send any file which the account the
    servlet engine runs as has permission to read, but it's a very dodgy thing
    to do and potentially opens your system security right up. Are you
    convinced that some hostile person cannot use your servlet to get
    at /etc/shadow, for example?

    > The code I have currently works when just calling one file from one
    > servlet, but I need a page with a varying number of reports to be
    > displayed as links. The file names for each of these links is
    > retrieved from a database. The problem I have is that the global
    > variable, "project.file", only stores the last row in database's value,
    > not an individual value (file name) for each link. So every link
    > displayed on the page links to the same document, even though they are
    > labelled differently.


    The following would work. I really, strongly recommend you don't do this.

    package uk.co.weft.badidea;

    import java.io.*;

    import javax.servlet.*;
    import javax.servlet.http.*;


    /**
    * A really dodgy way of sending files to the client
    *
    * @author $author$
    * @version $Revision$
    */
    public class DontDoThis extends HttpServlet
    {
    //~ Methods -------------------------------------------------------

    /**
    * Specialisation: schlurp any specified local file out onto the output
    * stream
    *
    * @param req the request
    * @param res the response
    *
    * @throws ServletException probably doesn't
    * @throws IOException if the file can't be found or can't be read
    */
    protected void doGet( HttpServletRequest req, HttpServletResponse res )
    throws ServletException, IOException
    {
    ServletOutputStream out = res.getOutputStream( );
    String fileName = req.getParameter( "filename" );
    res.setContentType( "text/plain" );

    if ( fileName != null )
    {
    try
    {
    BufferedReader buffy =
    new BufferedReader( new InputStreamReader(
    new FileInputStream( new File( fileName ) ) ) );

    for ( String line = buffy.readLine( ); line != null;
    line = buffy.readLine( ) )
    {
    out.println( line );
    }
    }
    catch ( FileNotFoundException e)
    {
    res.setStatus( HttpServletResponse.SC_NOT_FOUND);
    out.println( "ERROR: file " + fileName + " not found");
    }
    catch ( IOException e)
    {
    res.setStatus( HttpServletResponse.SC_FORBIDDEN);
    out.println( "ERROR: " + e.getLocalizedMessage());
    }
    }
    else
    {
    res.setStatus( HttpServletResponse.SC_NOT_ACCEPTABLE);
    out.println( "ERROR: No value for filename specified");
    }
    }
    }

    > Any ideas would be greatly appreciated.


    Why do you not simply put the files to be accessed into a directory which
    is within your webserver's document root, and use mod_autoindex
    http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
    to generate an automatic index of that directory? Reinventing perfectly
    good wheels is rarely sensible and even more rarely secure.

    --
    (Simon Brooke) http://www.jasmine.org.uk/~simon/

    ;; how did we conclude that a fucking cartoon mouse is deserving
    ;; of 90+ years of protection, but a cure for cancer, only 14?
    -- user 'Tackhead', in /. discussion of copyright law, 22/05/02
    Simon Brooke, Nov 7, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jim
    Replies:
    4
    Views:
    6,979
  2. lsprtt
    Replies:
    1
    Views:
    482
    Christophe Vanfleteren
    Oct 16, 2003
  3. Jochen Fliedner

    literature java servlets / java tv / mhp

    Jochen Fliedner, Nov 27, 2003, in forum: Java
    Replies:
    0
    Views:
    458
    Jochen Fliedner
    Nov 27, 2003
  4. Bura Tino
    Replies:
    7
    Views:
    482
    Michael Borgwardt
    Apr 16, 2004
  5. Garrett Smith
    Replies:
    14
    Views:
    298
    David Mark
    May 26, 2009
Loading...

Share This Page