I need to restrict access to WAR plug-in files containing servlets in embedded Jetty. To check file permissions, I created a WAR containing this servlet that tries to write the file outside of the webapps folder:
public class Test extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { FileWriter outFile = new FileWriter("C:\\temp\\test.txt"); PrintWriter out = new PrintWriter(outFile); out.println("This is line 1"); out.println("This is line 2"); out.close(); response.getWriter().print("File created"); } catch(Exception e) { response.getWriter().print(e.getMessage()); e.printStackTrace(); } } }
A WAR containing this servlet is then added to the Jetty built-in handlers with the file permission set as follows:
jetty = new Server(serverPort); handlers = new HandlerList(); ... (adding standard Web Apps here) ... WebAppContext plugin = new WebAppContext(); //Create file permissions policy PermissionCollection pcol = new Permissions(); FilePermission fp = new FilePermission(path_to_war, "read"); pcol.add(fp); plugin.setPermissions(pcol); plugin.setContextPath("/plugins/plugin_name"); plugin.setWar(path_to_war); plugin.setCopyWebDir(false); plugin.setCopyWebInf(false); plugin.setExtractWAR(false); handlers.addHandler(plugin); jetty.setHandler(handlers); jetty.start();
However, the servlet is still able to create and write to a test output file - I'm not sure why ... I was looking for an example of code that implements certain permissions for individual web applications, but I found very little information about this topic. My best guess is that WebAppContext "inherits" the File Permission policy from the deployment application.
Can someone point me in the right direction? Thanks!
web-applications servlets jetty file-permissions embedded-jetty
user981
source share