Getting slightly off the EJB topic here: but wouldn't the applet have access
to only www.helliscool.com's CLASSPATH since that is where it originates
from? Why would it have access to your system's CLASSPATH? Surely a minor
typo in your system settings could accidentally set your CLASSPATH to c:\
thereby giving the applet total access to your computer?
> -----Original Message-----
> From: Rickard Öberg [SMTP:[EMAIL PROTECTED]]
> Sent: 09 January 2001 07:56
> To: [EMAIL PROTECTED]
> Subject: Re: loading a file from the ejb-jar file
>
> Hi!
>
> Johan Eltes wrote:
> > My interpretation of the restriction on file io, is that this code is
> > fine. It uses a classloader. The container implementor is in charge of
> > class loaders, but not of the java.io.File class.
> >
> > But which of the priests has the best interpretation of the holy spec?
>
> Thus speaketh da holy dude:
> Consider the option that the code would work simply because it uses a
> classloader to open the file.
> Thus, any Java program that uses a classloader to open a file would
> work.
> A classloader can access any files in classpath through the
> getResource(AsStream) method(s).
> Consider the possibility that you are a Java developer.
> Consider the possibility that you are working on a top-secret project
> that requires certain classified files to be in your developer
> classpath.
> Consider the possibility that you are using the CLASSPATH environment
> variable to add these files to the classpath.
> Consider the possibility that you are surfing on your lunchbreak to your
> favourite site www.helliscool.com.
> Consider the possibility that this particular site has a particularly
> Evil Java applet, which shows the number of visitors (by showing a
> static GIF with the number "666")
> The particularly Evil applet not only shows a GIF image, it also
> executes the code "InputStream classifiedFile =
> getClass().getResourceAsStream("/password.txt");".
> The Evil applet reads the contents of the (supposedly classified)
> password file and sends it to helliscool.com by way of a HTTP Post
> operation.
>
> The last sentence can obviously not happen since that would make Java
> unsafe, and (as we all know) Java is safe.
>
> So, where is the error?
>
> Reading java/lang/ClassLoader.java and understanding the security
> framework (=permissions) will give you the answer.
>
> Thus endeth the lesson :-)
>
> /Rickard
>
> >
> > /Johan
> >
> > On 8 Jan 2001, Olivier Duhart wrote:
> >
> > > I want to load the content of a file from my ejb jar file. I try this
> > > piece of code :
> > >
> > > private void test() {
> > >     System.out.println("test()");
> > >     try {
> > >         java.io.InputStream oStream =
> > >             this.getClass().getResourceAsStream("dummy.txt");
> > >         int oRead = 0;
> > >         byte[] oBuffer = new byte[1024];
> > >         String oContent = "";
> > >         while (oRead != -1) {
> > >             oRead = oStream.read(oBuffer);
> > >             if (oRead > 0) {
> > >                 oContent += new String(oBuffer, 0, oRead);
> > >             }
> > >         }
> > >         oStream.close();
> > >         System.out.println("content = " + oContent);
> > >     }
> > >     catch (Exception e) {
> > >         e.printStackTrace();
> > >     }
> > > }
> > >
> > > It works well (with JBoss) but my question is: Am I allowed to do
> > > this?
> > >
> > > Thanks
> > >
> > > Olivier
> > >
> > > --
> > > Olivier Duhart
> > > Wokup! - Product Team
> > > [EMAIL PROTECTED]
> > > +33 299 844 412
>
> --
> Rickard Öberg
>
> Email: [EMAIL PROTECTED]
>
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
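
Added example, not code from the thread or from any of its posters: resource lookup follows the class loader's delegation chain, so what getResourceAsStream can return depends on which loader is asked and what its parents can see. The class name, directories and file contents are constructed for illustration, the permission checks of the security framework are not modelled, and Java 11 or later is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ResourceVisibilityDemo {

    // Returns the resource text, or null when the loader cannot see it.
    static String read(ClassLoader loader, String name) throws IOException {
        try (InputStream in = loader.getResourceAsStream(name)) {
            if (in == null) {
                return null; // getResourceAsStream signals "not visible" with null
            }
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: two directories standing in for two class paths.
        Path developerDir = Files.createTempDirectory("developer-classpath");
        Path downloadedDir = Files.createTempDirectory("downloaded-code");
        Files.writeString(developerDir.resolve("password.txt"), "constructed-secret\n");
        Files.writeString(downloadedDir.resolve("dummy.txt"), "hello from the jar\n");

        URL[] developerUrls = { developerDir.toUri().toURL() };
        URL[] downloadedUrls = { downloadedDir.toUri().toURL() };

        try (URLClassLoader developer = new URLClassLoader(developerUrls, null);
             // Parent is the bootstrap loader (null): nothing from developerDir is inherited.
             URLClassLoader isolated = new URLClassLoader(downloadedUrls, null);
             // Parent is the developer loader: its resources are reachable by delegation.
             URLClassLoader child = new URLClassLoader(downloadedUrls, developer)) {

            System.out.println("isolated dummy.txt    -> " + read(isolated, "dummy.txt"));
            System.out.println("isolated password.txt -> " + read(isolated, "password.txt"));
            System.out.println("child    password.txt -> " + read(child, "password.txt"));
        }
    }
}
```

The isolated loader reports null for password.txt because that file is on neither its own URL list nor its parent's, while the child loader reaches it through its parent.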