tomcat.policy limitation?

Thu, 19 Jul 2001 23:51:42 -0700 

I am trying to grant a servlet in the
"/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/joe/"
directory write permissions to the "/test.txt" file.

//---------------------------------------------------------------------------

The following code snippet from my tomcat.policy file seems to work
correctly;
I can write to the "/test.txt" file just fine with my servlet.

grant codeBase "file:/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/-" {
  permission java.io.FilePermission "/test.txt", "write";
};

//---------------------------------------------------------------------------

BUT, the following code snippet does NOT work correctly.

grant codeBase
"file:/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/-" {
  permission java.io.FilePermission "/test.txt", "write";
};

I get the following error message :-((

Error: 500
Location: /servlet/joe.joe1
Internal Servlet Error:
java.security.AccessControlException: access denied
(java.io.FilePermission /test.txt write)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
        at
java.security.AccessController.checkPermission(AccessController.java:399)
        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at
java.lang.SecurityManager.checkWrite(SecurityManager.java:978)
        at java.io.FileOutputStream.(FileOutputStream.java:96)
        at java.io.FileWriter.(FileWriter.java:52)
        at joe.joe1.doGet(joe1.java:64)
...
etc.
//---------------------------------------------------------------------------

What the heck?!?!

Anyone have any ideas for me to try?

I want to create a bunch of user/programmer subdirectories like

"/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/joe/"
"/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/tom/"
"/usr/tomcat/jakarta-tomcat-3.2.2/webapps/ROOT/WEB-INF/classes/henry/"
etc.

so that I can grant all servlets in these directories and subdirectories
read/write access to their own separate directory structure so they
won't be able to write over anyone elses files, including the "system"
files, of course.

This is a wierd one.

Thanks for any help!

Joe

Reply via email to