Hi Steffen,


You can put the following code onto any JSP page and it will show you the
contents of the /etc/passwd file (or replace below with location of any
file).  I may have some glaring config issue with Resin, and I hope that I


Help, Help, Help.


<%@ page import="java.io.*" %>
<%
    String _filecontent = "";
    String _resultmsg = "";
    File file = new File("/etc/passwd");

    FileInputStream fis = null;
    BufferedInputStream bis = null;
    DataInputStream dis = null;

    try {
        fis = new FileInputStream(file);

        // Here BufferedInputStream is added for fast reading.
        bis = new BufferedInputStream(fis);
        dis = new DataInputStream(bis);

        // dis.available() returns 0 if the file does not have more lines.
        while (dis.available() != 0) {
            // read the next line from the file and append it to the output
            // (DataInputStream.readLine() is deprecated, but it works for this demo)
            _filecontent += dis.readLine() + "\n";
        }
    } catch (FileNotFoundException e) {
        _resultmsg += e.toString();
    } catch (IOException e) {
        _resultmsg += e.toString();
    } finally {
        // dispose all the resources after using them
        // (closing the outermost stream also closes the wrapped ones)
        if (dis != null) {
            try { dis.close(); } catch (IOException ignore) { }
        }
    }
%>
<%-- render the file contents (or the error message) into the page --%>
<pre><%= _filecontent %></pre>
<%= _resultmsg %>


[mailto:[EMAIL PROTECTED] On Behalf Of Steffen Busch
Sent: Wednesday, December 26, 2007 2:33 PM
To: General Discussion for the Resin application server
Subject: Re: [Resin-interest] Jail/ Chroot / Security


What do you mean by "With java the host can still view any file on the
server" ?

Usually, you've got web-app(s) in virtual hosts serving content and/or
providing an application. If you say "view any file", does this mean you
have a directory listing where the files of the underlying filesystem are
shown and are readable by the client? Besides the fact that you can disable
the directory listing, you can restrict what a web-app can "do". You might
want to look at


and http://www.caucho.com/resin-3.1/doc/securitymanager.xtp

if you're talking about an ISP Environment.
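Added example, not part of the thread and not Resin's own code: the JVM SecurityManager that the securitymanager documentation linked above relies on can be driven from a plain main() to show what "restricting what a web-app can do" looks like in practice. The example installs a java.security.Policy that allows file reads only below one host directory (a constructed directory under java.io.tmpdir, standing in for a virtual host's root) and then attempts the same /etc/passwd read as the JSP in this thread, plus a "../" traversal out of the root; both are refused with a SecurityException before the file is opened, while a read of the host's own file succeeds. Run it on a JDK that still ships a SecurityManager (8 to 17 work as-is; 18 to 23 need -Djava.security.manager=allow; JDK 24 removed the mechanism).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added demo (not from the Resin project): confine application code to reading
 * files below one "host" directory using the standard Java SecurityManager.
 */
public class HostJailDemo {

    /**
     * Policy that grants file reads only under webappRoot, grants no file
     * write/delete/execute anywhere, and grants every non-file permission so
     * the demo stays focused on file access (a real policy would be stricter).
     */
    static class HostJailPolicy extends Policy {
        private final FilePermission allowedReads;

        HostJailPolicy(File webappRoot) {
            // "<root>/-" is FilePermission's syntax for "this tree, recursively";
            // FilePermission.implies() normalises paths, so "../" cannot escape.
            this.allowedReads =
                new FilePermission(new File(webappRoot, "-").getPath(), "read");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (perm instanceof FilePermission) {
                return allowedReads.implies(perm);
            }
            return true;
        }
    }

    /** Opens f for reading and returns its first line, or null if the manager refused. */
    static String readFirstLine(File f) {
        try (FileInputStream in = new FileInputStream(f)) {
            StringBuilder sb = new StringBuilder();
            int c;
            while ((c = in.read()) >= 0 && c != '\n') {
                sb.append((char) c);
            }
            return sb.toString();
        } catch (SecurityException e) {
            // FileInputStream checks FilePermission(path, "read") before opening
            System.out.println("DENIED  " + f + " : " + e.getMessage());
            return null;
        } catch (IOException e) {
            System.out.println("IOERROR " + f + " : " + e);
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // constructed host directory holding one file the web-app legitimately owns
        File webappRoot = new File(System.getProperty("java.io.tmpdir"), "webapp-host1");
        webappRoot.mkdirs();
        File ownFile = new File(webappRoot, "index.txt");
        Files.write(ownFile.toPath(), "hello from host1\n".getBytes(StandardCharsets.UTF_8));

        // install the jail: the policy first, then the manager that consults it
        Policy.setPolicy(new HostJailPolicy(webappRoot));
        System.setSecurityManager(new SecurityManager());

        String line = readFirstLine(ownFile);
        if (line != null) {
            System.out.println("ALLOWED " + ownFile + " : " + line);
        }
        readFirstLine(new File("/etc/passwd"));                          // the read from the JSP, refused
        readFirstLine(new File(webappRoot, "../other-host/index.txt"));  // traversal, refused
    }
}
```

Compile and run with `javac HostJailDemo.java && java HostJailDemo` (add `-Djava.security.manager=allow` on JDK 18 to 23). The policy is consulted only for code outside the JDK; JDK-internal frames run with all permissions, which is why class loading keeps working while the web-app's own reads are checked. Resin's securitymanager support installs the same JVM mechanism for the container; the policy details there come from Resin's configuration, which is what the linked page documents.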





2007/12/26, Mktg. Incorporate Fast <[EMAIL PROTECTED]>: 

I am looking for a way to prevent virtual hosts accessing any files outside
of their host directory.


I have tried to set the root directory but it does not work.  With java the
host can still view any file on the server.


Resin appears to have huge security flaws in this area.  Please, please,
please help.

resin-interest mailing list