I need to limit file permissions for "plug-in" WAR files containing servlets in an embedded Jetty. To test the file permissions, I created a WAR containing this servlet that tries to write to a file outside of the webapps folder:
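
    import java.io.FileWriter;
    import java.io.IOException;
    import java.io.PrintWriter;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class Test extends HttpServlet
    {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
        {
            try
            {
                // Deliberately writes outside the webapps folder to test the file permissions
                FileWriter outFile = new FileWriter("C:\\temp\\test.txt");
                PrintWriter out = new PrintWriter(outFile);
                out.println("This is line 1");
                out.println("This is line 2");
                out.close();
                response.getWriter().print("File created");
            }
            catch(Exception e)
            {
                // Report the failure (e.g. a denied write) back to the caller
                response.getWriter().print(e.getMessage());
                e.printStackTrace();
            }
        }
    }
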
The WAR containing this servlet is then added to the embedded Jetty handlers with a configured file permission like this:

    jetty = new Server(serverPort);
    handlers = new HandlerList();
    // ...
    // (adding standard Web Apps here)
    // ...
    WebAppContext plugin = new WebAppContext();
    // Create file permissions policy: read-only access to the WAR itself
    PermissionCollection pcol = new Permissions();
    FilePermission fp = new FilePermission(path_to_war, "read");
    pcol.add(fp);
    plugin.setPermissions(pcol);
    plugin.setContextPath("/plugins/plugin_name");
    plugin.setWar(path_to_war);
    plugin.setCopyWebDir(false);
    plugin.setCopyWebInf(false);
    plugin.setExtractWAR(false);
    handlers.addHandler(plugin);
    jetty.setHandler(handlers);
    jetty.start();

The servlet is, however, still capable of creating and writing to the test output file - I'm unsure as to why... I've searched for sample code implementing specific permissions for individual web apps, but found very little information on this topic. My best guess is that the WebAppContext "inherits" the File Permission policy from the embedding application.
Can anyone point me in the right direction? Thank you!
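
An added diagnostic, not part of the original post: the JDK consults a PermissionCollection only when a SecurityManager is installed in the JVM, so this JDK-only program compares what a read-only policy like the one above implies with what a write actually does. The class name PermissionCheckDemo and the temp files are constructed stand-ins for path_to_war and the test output file.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.PermissionCollection;
import java.security.Permissions;

// Added diagnostic, not from the original post. File paths are constructed samples.
public class PermissionCheckDemo {

    // Same shape as the policy in the question: read-only access to one path.
    static PermissionCollection readOnlyPolicy(String path) {
        PermissionCollection pcol = new Permissions();
        pcol.add(new FilePermission(path, "read"));
        return pcol;
    }

    // True only if the collection itself would allow writing to the target.
    static boolean policyAllowsWrite(PermissionCollection pcol, String target) {
        return pcol.implies(new FilePermission(target, "write"));
    }

    // Attempts the kind of write the test servlet performs; true if it succeeded.
    static boolean tryWrite(File target) {
        try (FileWriter w = new FileWriter(target)) {
            w.write("This is line 1\n");
            return true;
        } catch (IOException | SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        File war = File.createTempFile("plugin", ".war");      // stand-in for path_to_war
        File outside = File.createTempFile("outside", ".txt"); // stand-in for the test output file
        PermissionCollection pcol = readOnlyPolicy(war.getPath());

        // With no SecurityManager the JDK never consults any PermissionCollection,
        // so a write can succeed even when the policy does not imply it.
        System.out.println("SecurityManager installed: " + (System.getSecurityManager() != null));
        System.out.println("Policy allows write:       " + policyAllowsWrite(pcol, outside.getPath()));
        System.out.println("Write actually succeeded:  " + tryWrite(outside));

        war.delete();
        outside.delete();
    }
}
```

Running the same three checks inside the embedding application, just before jetty.start(), shows whether the JVM hosting the plug-in has any permission enforcement active at all.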