2

We are using a Java library inside a web application which is hosted on an Apache server. The ReadConfFile method in the library returns a "file not found" error. The method is as follows:

public byte[] ReadConfFile()
{
    try
    {
        File file = new File("/home/product/api/conf.txt");
        if(!file.exists())
            return "file not found".getBytes();
        byte[] buf = new byte[(int) file.length()];

        FileInputStream fis = new FileInputStream(file);
        fis.read(buf);
        return buf;
    } catch (IOException e)
    {
        e.printStackTrace();
        return null;
    }
}

Is local file system access from a web application allowed? If yes, then is there any access permission that has to be set?

2
  • I presume by apache you mean apache tomcat? What user does it run as? Does that user have read permissions on the location you have specified? Do you run with a SecurityManager? Commented Nov 14, 2013 at 7:51
  • Do you want to access the file system of the tomcat server or do you want to access the user's file system? The latter one is not possible (I think). Commented Nov 14, 2013 at 7:54

1 Answer

9

To quickly answer your question: You can access the file system from a web application, but you would have to check your application server / web container on how to configure the SecurityManager (if one is installed).

However, your method of reading the file has severe issues which you should address:

  1. Do not check if(!file.exists()); better check if(!file.isFile()). The first check also returns true if the file is a directory.

  2. If there is not a file, better not return a String, throw an Exception, or load some default Configuration or do something else which is useful.

  3. Your logic for reading the file is very bad. If the read function returns a different amount of available bytes (maybe the read is chunked), you'll get a corrupt result.

  4. You do not close the stream in a finally block (or use a try-with-resources if you are using Java 7).

  5. The exception handling is also not good. Printing the stacktrace is not good, logging it would be better. Handling the exception would be best (throw an exception, or switch to some default configuration, like when the file was not there).

Edit: If you want to access the client's file system, then this cannot be done from your web application running on the server directly. This of course would have to be done from code running on the client and you would have to fill in more details on what is running on the client side, since a "standard" web application would have JavaScript and (X)HTML on the client, not Java.

4 Comments

Very, very sound advice. +1
Thanks for your answer Matthias. I will check for any configurations to be made with security manager. This is a sample method that I wrote for the issue and it's not going to be with production code (where we will close all streams and log exceptions). Your answer resembles your perfection and it's great.
Good Answer. Could you evaluate "3." a little bit more and propose an alternative implementation?
Yes, the code snippet assumed that the buffer is fully read by the read function and this assumption is not valid. The read function returns how many bytes of the buffer are filled. Especially big files might not be read in one go.
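
An alternative implementation addressing points 1 to 5 of the answer, added here as an example; it is not code from the answer's author or from the library in the question. The class name `ConfReader`, the size limit `MAX_CONF_BYTES` and the temporary sample file are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

public class ConfReader {
    // Assumed upper bound so a wrong or oversized file cannot exhaust the heap.
    static final int MAX_CONF_BYTES = 1 << 20;

    /** Reads the whole file or throws; never returns a sentinel string or null. */
    static byte[] readConfFile(Path path) throws IOException {
        if (!Files.isRegularFile(path)) {        // false for directories and missing paths
            throw new NoSuchFileException(path.toString(), null, "not a regular file");
        }
        long size = Files.size(path);
        if (size > MAX_CONF_BYTES) {
            throw new IOException("config larger than " + MAX_CONF_BYTES + " bytes: " + path);
        }
        byte[] buf = new byte[(int) size];
        try (InputStream in = Files.newInputStream(path)) {  // closed on every exit path
            int off = 0;
            while (off < buf.length) {
                int n = in.read(buf, off, buf.length - off); // may fill only part of buf
                if (n < 0) {
                    throw new IOException("file shrank while reading: " + path);
                }
                off += n;
            }
        }
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input so the example runs offline.
        Path dir = Files.createTempDirectory("conf-demo");
        Path conf = dir.resolve("conf.txt");
        Files.write(conf, "timeout=30\n".getBytes(StandardCharsets.UTF_8));

        System.out.print(new String(readConfFile(conf), StandardCharsets.UTF_8));
        try {
            readConfFile(dir);                   // a directory passes exists() but not isRegularFile()
        } catch (NoSuchFileException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The explicit loop is shown to make the short-read handling visible; `Files.readAllBytes(path)` performs the same complete read in one call.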
