Hi!
"Jeffery, Myles" wrote:
> Getting slightly off the EJB topic here: but wouldn't the applet have access
> to only www.helliscool.com's CLASSPATH since that is where it originates
> from?
The bytecodes are from helliscool.com, but the Java applet is loaded and
executed by the client's browser, or rather by the JVM plugin in the
browser. Thus the classloader of the client is the relevant one here (hey,
the server might not even have Java installed).
> Why would it have access to your system's CLASSPATH?
Because that's where it is executing. And the applet classloader has the
system classloader as parent, and the system classloader accesses stuff
from CLASSPATH (such as all the core JRE classes, e.g.
java.lang.String).
> Surely a minor
> typo in your system settings could accidentally set your CLASSPATH to c:\
> thereby giving the applet total access to your computer?
Exactly, but the whole point of my previous message was that even if the
classloader does have lots of files that should not be accessible from
the applet, can the applet access them?
Obviously not, or otherwise there would be cries of despair concerning
the suckiness of the Java security model.
/Rickard
>
> > -----Original Message-----
> > From: Rickard Öberg [SMTP:[EMAIL PROTECTED]]
> > Sent: 09 January 2001 07:56
> > To: [EMAIL PROTECTED]
> > Subject: Re: loading a file from the ejb-jar file
> >
> > Hi!
> >
> > Johan Eltes wrote:
> > > My interpretation of the restriction on file I/O is that this code is
> > > fine. It uses a classloader. The container implementor is in charge of
> > > class loaders, but not of the java.io.File class.
> > >
> > > But which of the priests has the best interpretation of the holy spec?
> >
> > Thus speaketh da holy dude:
> > Consider the option that the code would work simply because it uses a
> > classloader to open the file.
> > Thus, any Java program that uses a classloader to open a file would
> > work.
> > A classloader can access any files in classpath through the
> > getResource(AsStream) method(s).
> > Consider the possibility that you are a Java developer.
> > Consider the possibility that you are working on a top-secret project
> > that requires certain classified files to be in your developer
> > classpath.
> > Consider the possibility that you are using the CLASSPATH environment
> > variable to add these files to the classpath.
> > Consider the possibility that you are surfing on your lunchbreak to your
> > favourite site www.helliscool.com.
> > Consider the possibility that this particular site has a particularly
> > Evil Java applet, which shows the number of visitors (by showing a
> > static GIF with the number "666")
> > The particularly Evil applet not only shows a GIF image, it also
> > executes the code "InputStream classifiedFile =
> > getClass().getResourceAsStream("/password.txt");".
> > The Evil applet reads the contents of the (supposedly classified)
> > password file and sends it to helliscool.com by way of an HTTP POST
> > operation.
> >
> > The last sentence can obviously not happen since that would make Java
> > unsafe, and (as we all know) Java is safe.
> >
> > So, where is the error?
> >
> > Reading java/lang/ClassLoader.java and understanding the security
> > framework (=permissions) will give you the answer.
> >
> > Thus endeth the lesson :-)
> >
> > /Rickard
> >
> > >
> > > /Johan
> > >
> > > Den 8 Jan 2001 skrev Olivier Duhart:
> > >
> > > > I want to load the content of a file from my ejb jar file. I try this
> > > > piece of code :
> > > >
> > > > private void test() {
> > > >     System.out.println("test()");
> > > >     // "dummy.txt" (no leading "/") is resolved relative to this class's
> > > >     // package, through the loader that defined this class.
> > > >     java.io.InputStream oStream =
> > > >         this.getClass().getResourceAsStream("dummy.txt");
> > > >     if (oStream == null) {
> > > >         // getResourceAsStream() returns null when the resource is not
> > > >         // found (or the loader refuses it); avoid the NullPointerException.
> > > >         System.out.println("dummy.txt not found on the classpath");
> > > >         return;
> > > >     }
> > > >     try {
> > > >         java.io.ByteArrayOutputStream oBytes =
> > > >             new java.io.ByteArrayOutputStream();
> > > >         byte[] oBuffer = new byte[1024];
> > > >         int oRead;
> > > >         while ((oRead = oStream.read(oBuffer)) != -1) {
> > > >             oBytes.write(oBuffer, 0, oRead);
> > > >         }
> > > >         // Decode once, after reading everything, so a multi-byte
> > > >         // character split across two read() calls is not corrupted.
> > > >         String oContent = new String(oBytes.toByteArray(), "UTF-8");
> > > >         System.out.println("content = " + oContent);
> > > >     }
> > > >     catch (java.io.IOException e) {
> > > >         e.printStackTrace();
> > > >     }
> > > >     finally {
> > > >         try { oStream.close(); } catch (java.io.IOException ignored) {}
> > > >     }
> > > > }
> > > >
> > > > It works well (with JBoss) but my question is: Am I allowed to do
> > > > this?
> > > >
> > > > Thanks
> > > >
> > > > Olivier
> > > >
> > > > --
> > > > Olivier Duhart
> > > > Wokup! - Product Team
> > > > [EMAIL PROTECTED]
> > > > +33 299 844 412
> > > >
> > > > ===========================================================================
> > > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > of the message "signoff EJB-INTEREST". For general help, send email to
> > > > [EMAIL PROTECTED] and include in the body of the message "help".
> > > >
> > >
> > >
> >
> > --
> > Rickard Öberg
> >
> > Email: [EMAIL PROTECTED]
> >
>
--
Rickard Öberg
Email: [EMAIL PROTECTED]
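The thread leaves the "where is the error?" question as an exercise. The following stand-alone program is an added example, not code from the thread or from any of its participants: it builds a loader whose path contains a "classified" file, the way a stray c:\ on CLASSPATH would, and runs the applet-style getResourceAsStream() lookup three times: with no SecurityManager, under a SecurityManager whose Policy grants FilePermission on that directory, and under the same SecurityManager with the permission withdrawn. The class and file names (ResourcePermissionDemo, DemoPolicy, secret-dir, password.txt) and the file's contents are made up for the demo. It needs JDK 8 through 17 to run as written, JDK 18 to 23 with -Djava.security.manager=allow, and cannot run on JDK 24, where the Security Manager was removed.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.FilePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/*
 * Added demo, not from the EJB-INTEREST thread. Shows how a classpath
 * resource lookup behaves once a SecurityManager is installed and the
 * calling code's ProtectionDomain does or does not hold the FilePermission
 * for the file behind the classpath entry. All names here are assumed.
 */
public class ResourcePermissionDemo {

    /* A Policy that grants every domain exactly one thing, and only while
     * 'grant' is set: read and delete access below the demo directory.
     * Real browser plugins gave applets a policy with no such grant. */
    static final class DemoPolicy extends Policy {
        private final FilePermission tree;
        volatile boolean grant;

        DemoPolicy(File dir) {
            // "<dir>/-" covers the directory and everything beneath it.
            tree = new FilePermission(new File(dir, "-").getPath(), "read,delete");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            return grant && tree.implies(perm);
        }
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return out.toByteArray();
    }

    /* The "evil applet" path: ask the loader for password.txt. A lookup the
     * loader's permission check refuses comes back as null, not as an
     * exception, which is why the caller must test for null. */
    static String readViaLoader(ClassLoader loader) {
        try (InputStream in = loader.getResourceAsStream("password.txt")) {
            if (in == null) return "<null: not found, or refused by the loader>";
            return new String(readAll(in), StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            return "<IOException: " + e.getMessage() + ">";
        } catch (SecurityException e) {
            return "<SecurityException: " + e.getMessage() + ">";
        }
    }

    /* Same file opened with java.io directly: here SecurityManager.checkRead()
     * surfaces as a SecurityException instead of a null. */
    static String readDirectly(File f) {
        try (InputStream in = new FileInputStream(f)) {
            return new String(readAll(in), StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            return "<IOException: " + e.getMessage() + ">";
        } catch (SecurityException e) {
            return "<SecurityException: " + e.getMessage() + ">";
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for "c:\ on CLASSPATH": a temp dir holding password.txt
        // with constructed sample content.
        File dir = Files.createTempDirectory("secret-dir").toFile();
        File secret = new File(dir, "password.txt");
        try (FileOutputStream out = new FileOutputStream(secret)) {
            out.write("hunter2 (constructed sample)\n".getBytes(StandardCharsets.UTF_8));
        }

        // Loader with the "classified" directory on its path, created while no
        // SecurityManager exists yet, like the system loader at JVM start-up.
        URLClassLoader loader = new URLClassLoader(new URL[] { dir.toURI().toURL() }, null);

        System.out.println("1. no SecurityManager:          " + readViaLoader(loader));

        DemoPolicy policy = new DemoPolicy(dir);
        Policy.setPolicy(policy);                   // must precede the manager
        System.setSecurityManager(new SecurityManager());

        policy.grant = true;
        System.out.println("2. SM, FilePermission granted:  " + readViaLoader(loader));

        policy.grant = false;
        System.out.println("3. SM, FilePermission withheld: " + readViaLoader(loader));
        System.out.println("   direct FileInputStream:      " + readDirectly(secret));

        policy.grant = true;                        // re-grant so cleanup may delete
        secret.delete();
        dir.delete();
    }
}
```

Compile and run with `javac ResourcePermissionDemo.java && java ResourcePermissionDemo` (add `-Djava.security.manager=allow` on JDK 18 to 23). Cases 1 and 2 print the file contents; in case 3 the loader lookup yields null while the direct FileInputStream is refused with a SecurityException. The point for the thread: a file being on the loader's path is not what decides access. URLClassLoader checks the permission for the resource's URL against the calling code's protection domain before handing the URL out, so an applet domain without FilePermission for c:\password.txt never sees the file, whatever the CLASSPATH says.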