Hello -- I am trying to get a new Tomcat system configured for my school's CS department. We want to use version 4 (I am working with 4.0.2).

We need a system that lets students keep their files private, to make sure that nobody cheats by stealing somebody's servlets or JSPs. I am testing it out to make sure that student1 cannot access the files of student2. Also, I should note that students will not be logging in to this box, so standard file permissions will not cut it. Students will upload all files through a script utility, so all files will be owned by that user.

The problem is this: with a more-or-less default installation of Tomcat using the security manager, in a jsp:include you can access outside of your context using ../../../ . Note that in other forms of reading the files, the security manager correctly prohibits access (both in a jsp:include giving the real path, and in standard programmatic file opening with real and ../ paths). It's just in the case of the include with a relative path that it allows access to others' files.

Here's a sample line of a JSP that should generate an error, but doesn't. The contexts are foo1/ and foo2/; they are defined in separate context tags. This line is from a file in foo1/:

    <jsp:include page="../../../foo2/jsp/include/junk.txt"/>

That line allows the script in foo1 to access the file in foo2/. The same path in a BufferedReader causes an error.

Somebody please help me. Is this a configuration error, a bug, or am I just being thick-headed about it??? Thanks for your time.

--==pat schaider==--
[EMAIL PROTECTED]
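The containment check the post expects the container to apply to a relative include target, written as an added example (not Tomcat's code and not part of the original post). The /var/tomcat/webapps layout and the assumption that the including page lives in foo1/jsp/include/ (three levels below the context root, which is what ../../../ implies) are mine.

```java
import java.io.File;
import java.io.IOException;

/** Rejects include targets that, once canonicalised, resolve outside a context root. */
public class ContextPathGuard {
    private final File contextRoot;

    public ContextPathGuard(File contextRoot) throws IOException {
        // Canonicalise once: collapses "." and ".." segments and resolves symlinks.
        this.contextRoot = contextRoot.getCanonicalFile();
    }

    /**
     * True only if includePath, resolved relative to the requesting page's directory
     * (given relative to the context root), still lies under the context root after
     * canonicalisation. Comparing prefixes on the canonical form is what defeats "..".
     */
    public boolean isInsideContext(String requestingDir, String includePath) throws IOException {
        File base = new File(contextRoot, requestingDir);
        File target = new File(base, includePath).getCanonicalFile();
        String rootPrefix = contextRoot.getPath() + File.separator;
        return target.equals(contextRoot) || target.getPath().startsWith(rootPrefix);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the post: foo1 and foo2 are sibling contexts under webapps.
        File foo1 = new File("/var/tomcat/webapps/foo1");
        ContextPathGuard guard = new ContextPathGuard(foo1);

        // The include from the post, issued from a page assumed to sit in foo1/jsp/include/.
        String escaping = "../../../foo2/jsp/include/junk.txt";
        System.out.println("escaping include allowed: "
                + guard.isInsideContext("jsp/include", escaping));

        // A sibling file inside the same context is accepted.
        System.out.println("local include allowed: "
                + guard.isInsideContext("jsp/include", "junk.txt"));
    }
}
```

The same prefix comparison belongs wherever a user-supplied relative path is turned into a file: the security manager's FilePermission checks only help if the resolved path is what gets checked.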