Hi!

Johan Eltes wrote:
> My interpretation of the restriction on file io, is that this code is fine. It uses
> a classloader. The container implementor is in charge of class loaders, but not of
> the java.io.File class.
>
> But which of the priests has the best interpretation of the holy spec?

Thus speaketh da holy dude:
Consider the option that the code would work simply because it uses a
classloader to open the file.
Thus, any Java program that uses a classloader to open a file would
work.
A classloader can access any files in classpath through the
getResource(AsStream) method(s).
Consider the possibility that you are a Java developer.
Consider the possibility that you are working on a top-secret project
that requires certain classified files to be in your developer
classpath.
Consider the possibility that you are using the CLASSPATH environment
variable to add these files to the classpath.
Consider the possibility that you are surfing on your lunchbreak to your
favourite site www.helliscool.com.
Consider the possibility that this particular site has a particularly
Evil Java applet, which shows the number of visitors (by showing a
static GIF with the number "666")
The particularly Evil applet not only shows a GIF image, it also
executes the code "InputStream classifiedFile =
getClass().getResourceAsStream("/password.txt");".
The Evil applet reads the contents of the (supposedly classified)
password file and sends it to helliscool.com by way of an HTTP Post
operation.

The last sentence can obviously not happen since that would make Java
unsafe, and (as we all know) Java is safe.

So, where is the error?

Reading java/lang/ClassLoader.java and understanding the security
framework (=permissions) will give you the answer.

Thus endeth the lesson :-)

/Rickard

>
> /Johan
>
> Den 8 Jan 2001 skrev Olivier Duhart:
>
> > I want to load the content of a file from my ejb jar file. I try this
> > piece of code :
> >
> > private void test() {
> >     System.out.println("test()");
> >     java.io.InputStream oStream = null;
> >     try {
> >         // Resolved against this class's own loader; null when the
> >         // resource is not on that loader's classpath
> >         oStream = this.getClass().getResourceAsStream("dummy.txt");
> >         if (oStream == null) {
> >             System.out.println("dummy.txt not found on the classpath");
> >             return;
> >         }
> >         int oRead;
> >         byte[] oBuffer = new byte[1024];
> >         StringBuffer oContent = new StringBuffer();
> >         while ((oRead = oStream.read(oBuffer)) != -1) {
> >             oContent.append(new String(oBuffer, 0, oRead));
> >         }
> >         System.out.println("content = " + oContent);
> >     }
> >     catch(Exception e) {
> >         e.printStackTrace();
> >     }
> >     finally {
> >         // Always release the stream, even when reading failed
> >         try { if (oStream != null) oStream.close(); } catch (java.io.IOException e) {}
> >     }
> > }
> >
> > It works well (with JBoss) but my question is : Am I allowed to do this
> > ?
> >
> > Thanks
> >
> > Olivier
> >
> > --
> > Olivier Duhart
> > Wokup! - Product Team
> > [EMAIL PROTECTED]
> > +33 299 844 412
> >
> > ===========================================================================
> > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > of the message "signoff EJB-INTEREST".  For general help, send email to
> > [EMAIL PROTECTED] and include in the body of the message "help".
> >

--
Rickard Öberg

Email: [EMAIL PROTECTED]
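As an added illustration of the point made above, not code from any message in this thread: the same getResourceAsStream call is answered only by the class's defining loader and its parents, so a file that sits on some other loader's search path is simply invisible to it. The temp directory, the file contents and the class name ResourceScopeDemo are constructed for the demonstration (Java 11 or later).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ResourceScopeDemo {

    // Read a resource through one specific loader.
    // A null result means "not on this loader's search path, nor on its parents'".
    static String readResource(ClassLoader loader, String name) throws IOException {
        try (InputStream in = loader.getResourceAsStream(name)) {
            return in == null ? null : new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the "classified" file lives in a temp directory that is
        // NOT on the application classpath; only a loader rooted there can see it.
        Path secretDir = Files.createTempDirectory("secret");
        Path secret = Files.writeString(secretDir.resolve("password.txt"), "hunter2\n");
        ClassLoader appLoader = ResourceScopeDemo.class.getClassLoader();

        try (URLClassLoader withSecret =
                 new URLClassLoader(new URL[] { secretDir.toUri().toURL() }, appLoader)) {
            // Parent-first delegation: appLoader is asked, misses, then secretDir is searched.
            System.out.println("loader rooted at secretDir    : "
                + readResource(withSecret, "password.txt"));

            // Same resource name through the class's own loader: the file is not visible.
            System.out.println("application class loader      : "
                + readResource(appLoader, "password.txt"));

            // The applet-style call from the thread. Class.getResourceAsStream with a
            // leading '/' is getClassLoader().getResourceAsStream("password.txt"), so it
            // is answered by the defining loader of ResourceScopeDemo, not by whichever
            // loader happens to hold the file.
            try (InputStream in = ResourceScopeDemo.class.getResourceAsStream("/password.txt")) {
                System.out.println("getClass().getResourceAsStream: "
                    + (in == null ? "null" : new String(in.readAllBytes(), StandardCharsets.UTF_8)));
            }
        } finally {
            Files.deleteIfExists(secret);
            Files.deleteIfExists(secretDir);
        }
    }
}
```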
