Links and file security in java servlets

J

jonesy

I am using java servlets in a website, and I want to have a page that
displays links to files stored in a location on the server (separate to
public_html for security reasons).

The code I have currently works when just calling one file from one
servlet, but I need a page with a varying number of reports to be
displayed as links. The file names for each of these links is
retrieved from a database. The problem I have is that the global
variable, "project.file", only stores the last row in database's value,
not an individual value (file name) for each link. So every link
displayed on the page links to the same document, even though they are
labelled differently.

Any ideas would be greatly appreciated.


The servlet for displaying the links is as follows:

// connections to database


while (resultSet.next() == true) // database connection that contains
the file details
{
if (resultSetColours.first()) // used only to compare values
{
// Initialising values from database
String id = resultSet.getString("H5_PROJECT_ID");
String title = resultSet.getString("H5_PROJECT_TITLE");
String colour = resultSet.getString("H5_PROJECT_COLOUR");
String date = resultSet.getString("H5_PROJECT_DATE");
String link = resultSet.getString("H5_PROJECT_LINK");
String summary = resultSet.getString("H5_PROJECT_SUMMARY");

session.setAttribute("project.file", link); // setting the global
variable to be referenced in servlet below
session.setAttribute("project.date", date);

String r = resultSetColours.getString("H5_R");
String y = resultSetColours.getString("H5_Y");
String a = resultSetColours.getString("H5_A");
String o = resultSetColours.getString("H5_O");
String g = resultSetColours.getString("H5_G");

// Output summary link and table headings if this is the first time
through the loop
if (count == 0)
{
// Table headings and formatting
}

// HTML table output
out.println(" <td class='smallfont'> " + id + " </td>\n");
out.println(" <td> " + title + " </td>\n");

// Compare value in h5_project database to the static value in the
h5_colour
if (colour.equals(r))
{
// red
}
else if ((colour.equals(y)) || (colour.equals(a)) ||
(colour.equals(o)))
{
// yellow
}
else if (colour.equals(g))
{
// green
}
else
{
// do nothing
}
out.println("<a href=/servlets/Project_FileOutput>" + link + "
</a>"); // this calls the servlet below using the global variable.
the problem i have is that the global variable only stores the last row
in database's value, not an individual value (file name) for each link.

}
}






The servlet for accessing the files from the separate directory is as
follows:

ServletOutputStream out = res.getOutputStream();

HttpSession session = req.getSession(true);
session.setMaxInactiveInterval(1200);
ServletContext context = getServletContext();

String link = (String) session.getAttribute("project.file"); //
retrieves global variable from above servlet

res.setContentType("application/msword");
res.setHeader("Content-Disposition", "attachment; filename=" + link);

FileInputStream infis = null;

try
{
infis = new FileInputStream("./myserver/website_files/projects/" +
link);

int c;
while ((c = infis.read()) != -1)
{
out.write(c);
}
}
catch (IOException e)
{
res.sendRedirect("/nofile.html");
}
finally
{
if (infis != null)
{
infis.close();
}
}
 
S

Simon Brooke

jonesy said:
I am using java servlets in a website, and I want to have a page that
displays links to files stored in a location on the server (separate to
public_html for security reasons).
Click to expand...

You appreciate, I hope, that this is much /less/ secure, not more secure,
than requiring files which can be served to come only from specified
places?

You can certainly use servlets to send any file which the account the
servlet engine runs as has permission to read, but it's a very dodgy thing
to do and potentially opens your system security right up. Are you
convinced that some hostile person cannot use your servlet to get
at /etc/shadow, for example?
The code I have currently works when just calling one file from one
servlet, but I need a page with a varying number of reports to be
displayed as links. The file names for each of these links is
retrieved from a database. The problem I have is that the global
variable, "project.file", only stores the last row in database's value,
not an individual value (file name) for each link. So every link
displayed on the page links to the same document, even though they are
labelled differently.
Click to expand...

The following would work. I really, strongly recommend you don't do this.

package uk.co.weft.badidea;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;


/**
* A really dodgy way of sending files to the client
*
* @author $author$
* @version $Revision$
*/
public class DontDoThis extends HttpServlet
{
//~ Methods -------------------------------------------------------

/**
* Specialisation: schlurp any specified local file out onto the output
* stream
*
* @param req the request
* @param res the response
*
* @throws ServletException probably doesn't
* @throws IOException if the file can't be found or can't be read
*/
protected void doGet( HttpServletRequest req, HttpServletResponse res )
throws ServletException, IOException
{
ServletOutputStream out = res.getOutputStream( );
String fileName = req.getParameter( "filename" );
res.setContentType( "text/plain" );

if ( fileName != null )
{
try
{
BufferedReader buffy =
new BufferedReader( new InputStreamReader(
new FileInputStream( new File( fileName ) ) ) );

for ( String line = buffy.readLine( ); line != null;
line = buffy.readLine( ) )
{
out.println( line );
}
}
catch ( FileNotFoundException e)
{
res.setStatus( HttpServletResponse.SC_NOT_FOUND);
out.println( "ERROR: file " + fileName + " not found");
}
catch ( IOException e)
{
res.setStatus( HttpServletResponse.SC_FORBIDDEN);
out.println( "ERROR: " + e.getLocalizedMessage());
}
}
else
{
res.setStatus( HttpServletResponse.SC_NOT_ACCEPTABLE);
out.println( "ERROR: No value for filename specified");
}
}
}
Any ideas would be greatly appreciated.
Click to expand...

Why do you not simply put the files to be accessed into a directory which
is within your webserver's document root, and use mod_autoindex
http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
to generate an automatic index of that directory? Reinventing perfectly
good wheels is rarely sensible and even more rarely secure.

--
(e-mail address removed) (Simon Brooke) http://www.jasmine.org.uk/~simon/

;; how did we conclude that a fucking cartoon mouse is deserving
;; of 90+ years of protection, but a cure for cancer, only 14?
-- user 'Tackhead', in /. discussion of copyright law, 22/05/02
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

servlets and jsp doubt 10
Browser back/forward button and Java Servlets 4
Hidden Fields in Java Servlets - help!!! 7
Only one table shows up with the information 2
servlets question about dopost and doget 4
Using Java Servlets and XHTML 1
problem in file upload 2
Image Upload in jsp or servlet 0

Members online

Total: 40 (members: 1, guests: 39)
Robots: 319

Forum statistics

Threads
473,767
Messages
2,569,571
Members
45,045
Latest member
DRCM

Latest Threads

Top