OK, it is possible to bypass the "security"!

Catalina conforms to the behavior in the Servlet 2.3 PFD2 Specification (Section 
9.7.2) but does not comply with its "recommended" behaviour.

Here is the code (not clean, sorry about that) for the doGet method of a regular 
servlet:

        // Requires: import java.io.PrintWriter; import java.lang.reflect.Method;
        response.setContentType("text/plain");
        PrintWriter writer = response.getWriter();

        // The ServletConfig handed to the servlet is the container's own wrapper object.
        Object theWrapper = (Object) this.getServletConfig();
        try {
            // Walk up the container hierarchy by reflection: wrapper -> context -> deployer.
            Method method = theWrapper.getClass().getMethod("getParent", new Class[] {});
            Object theContext = method.invoke(theWrapper, new Object[] {});
            method = theContext.getClass().getMethod("getParent", new Class[] {});
            Object theDeployer = method.invoke(theContext, new Object[] {});
            // List every web application deployed on the parent container.
            method = theDeployer.getClass().getMethod("findDeployedApps", new Class[] {});
            Object deployedApps = method.invoke(theDeployer, new Object[] {});
            String[] apps = (String[]) deployedApps;
            writer.println("detected apps:");
            for (int i = 0; i < apps.length; i++) {
                writer.println(apps[i]);
            }
        } catch (Exception e) {
            e.printStackTrace();
            writer.println("An exception occured when invoking the method, " + e.getMessage());
        }
        writer.flush();
        writer.close();


My project is to build a servlet inspector servlet for Tomcat in order to have a 
Dynamo DCC like feature.

Regards,

Fabien


"Craig R. McClanahan" <[EMAIL PROTECTED]> writes:

> On 9 May 2001, Fabien Le Floc'h wrote:
> 
> > Thanks for your answer,
> > 
> > I decided to put my servlet in the catalina hierarchy (on my personal
> > computer). When it will be more advanced, I could even propose it as a
> > contribution to catalina.
> > 
> 
> Any hints on what it actually does?
> 
> > But I think it would have been possible to bypass the "security" by just
> > using reflection to call the core methods.
> > 
> 
> Doing this would mean making it possible for an end user servlet to do
> nasty things like shut down the server, or snoop the sessions of some
> other web app.  Once you have access to the server's internals, there is
> basically no method you would not be able to call.
> 
> In addition, the current Catalina architecture conforms to a suggested
> behavior in the Servlet 2.3 PFD2 Specification (Section 9.7.2):
> 
>     "The classloader that a container uses to load a servlet in
>     a WAR must not allow the WAR to override J2SE or Java servlet
>     API classes.  It is further recommended that the loader not
>     allow servlets in the WAR access to the web container's
>     implementation classes."
> 
> > Regards,
> > 
> > Fabien
> > 
> 
> Craig
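
The reflection walk in the post works because the object returned by getServletConfig() is itself a container-internal object with a public getParent() method, so hiding implementation classes from the web application's class loader does not stop it. The following is an added example, not code from the original thread or from Catalina, showing a facade that exposes only the API interface; ConfigView, InternalWrapper and ConfigFacade are hypothetical stand-in names.

```java
import java.lang.reflect.Method;

// Added illustration; all type names are hypothetical stand-ins, not Catalina classes.
public class FacadeDemo {
    // Stand-in for the public API type the web app is entitled to see (ServletConfig).
    public interface ConfigView { String getServletName(); }

    // Stand-in for a container-internal object with a navigable parent chain.
    public static class InternalWrapper implements ConfigView {
        public String getServletName() { return "inspector"; }
        public Object getParent() { return "container internals"; }
    }

    // Facade: implements only ConfigView and keeps the internal object in a private field.
    public static final class ConfigFacade implements ConfigView {
        private final ConfigView delegate;
        public ConfigFacade(ConfigView delegate) { this.delegate = delegate; }
        public String getServletName() { return delegate.getServletName(); }
    }

    // Same probe as in the post: look up a public no-arg getParent() on the runtime class.
    static boolean exposesGetParent(Object config) {
        try {
            Method m = config.getClass().getMethod("getParent");
            return m.invoke(config) != null;
        } catch (ReflectiveOperationException e) {
            return false; // NoSuchMethodException for the facade
        }
    }

    public static void main(String[] args) {
        ConfigView raw = new InternalWrapper();
        ConfigView wrapped = new ConfigFacade(raw);
        System.out.println("raw internal object exposes getParent: " + exposesGetParent(raw));
        System.out.println("facade exposes getParent: " + exposesGetParent(wrapped));
    }
}
```

A facade only removes the public navigation methods; it needs to be paired with a security policy that denies `ReflectPermission("suppressAccessChecks")` to web application code, so that the private delegate field stays private.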
