• GET Requests:
  • The URI can include almost anything (including things like ..)
• The Problem:
  • The server will GET any file in the file system
• Fixing the Problem:
  • Use Java's access control system

javaexamples/http/v2s/HttpServer.java (Fragment: main)

    /**
     * The entry point of the application
     *
     * @param args    The command line arguments
     */
    public static void main(String[] args)
    {
       BufferedReader        in;       
       HttpServer            server;
       Handler               logHandler;       

       // Set the additional security policy to use
       //
       // Alternatively, the policy can be set at runtime using:
       //
       // java -Djava.security.manager 
       //      -Djava.security.policy=http.policy HttpServer
       //
       // (I think == will override the default policies rather 
       // than add to them)
       System.setProperty("java.security.policy", "http.policy");

       // Construct a SecurityManager and instruct Java to use it
       // (which will cause the policy file to be read)
       System.setSecurityManager(new SecurityManager());
       

       // Setup the logging system
       logger     = Logger.getLogger("edu.jmu.cs");
       try
       {
          logHandler = new FileHandler("log.txt");
          logHandler.setFormatter(new SimpleFormatter());
          logger.addHandler(logHandler);          
          logger.setLevel(Level.parse(args[0]));
          logger.setUseParentHandlers(false);          
       }
       catch (Exception e)
       {
          // The FileHandler couldn't be constructed or the Level was bad
          // so use the default ConsoleHandler (at the default Level.INFO)
          logger.setUseParentHandlers(true);          
       }

       server = null;          
       try
       {
          in = new BufferedReader(new InputStreamReader(System.in));
       
          // Construct and start the server
          server = new HttpServer();
          server.start();

          System.out.println("Press [Enter] to stop the server...");

          // Block until the user presses [Enter]
          in.readLine();
       }
       catch (IOException ioe)
       {
          System.out.println("  Stopping because of an IOException");
       }

       // Stop the server
       if (server != null) server.stop();
    }
        

javaexamples/http/v2s/HttpConnectionHandler.java (Fragment: doGet)

    /**
     * Handle the GET request
     *
     * @param request   Contents of the request
     * @param response  Used to generate the response
     */
    private void doGet(HttpRequest request, HttpResponse response)
    {
       byte[]             content;
       FileInputStream    fis;
       int                length;
       SecurityManager    security;       
       String             uri;

       uri = "../public_html"+request.getRequestURI();

       // Get the SecurityManager
       security = System.getSecurityManager();

       try 
       {
          // Check for read permission before doing anything
          if (security != null) security.checkRead(uri);
          
          // Create a stream for the file
          // and determine its length
          fis = new FileInputStream(uri);
          length = fis.available();
          response.setStatus(HttpResponse.SC_OK);
          
          // Set the content type
          response.setContentType(mimeTyper.getContentTypeFor(uri));
          
          // Read the file
          content = new byte[length];
          fis.read(content);
          
          // Set the payload
          response.setContent(content);          
          
          //Write the response
          response.write(out);
          
          // Close the file
          fis.close();
       } 
       catch (SecurityException se)
       {
          response.sendError(HttpResponse.SC_FORBIDDEN, out);
       }
       catch (IOException ioe) 
       {
          response.sendError(HttpResponse.SC_NOT_FOUND, out);
       }
    }