Java EE (Java Enterprise Edition) General Discussion

getRealPath() security issues?

843841, May 5 2005 — edited May 6 2005
Hi,
What are the security concerns with using ServletContext.getRealPath() to read a file on the server, mostly a file under my web application's root directory (not the server's root)?

One situation where I need to do this is when I am setting up the Log4J configuration file:

String log4jConfigFilePath = applicationContext.getRealPath("/") + System.getProperty("file.separator") + "WEB-INF" +
System.getProperty("file.separator") + log4jConfigFileName;

DOMConfigurator.configure(log4jConfigFilePath);

Along the same lines, I should be able to read any file located on the server, am I right?

In that case, what are the security concerns?
Is it advisable to read files on the server in this way?

Whenever possible I use ServletContext's getResourceAsStream, but in the Log4J configuration above, I don't know if I can do that.

Please provide some advice.

Thanks,
Rahul.
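
An added example, not part of the original post and not Log4J's own code: one way to load the Log4J 1.x configuration through a context-relative resource URL instead of getRealPath(), with the file name restricted so it cannot leave /WEB-INF/. The class name Log4jInitListener and the context-param name log4jConfigFileName are assumptions made for illustration.

```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.apache.log4j.xml.DOMConfigurator;

// Added example; class name and init-parameter name are hypothetical.
public class Log4jInitListener implements ServletContextListener {

    // Assumed <context-param> in web.xml holding a bare file name, e.g. "log4j.xml".
    private static final String PARAM = "log4jConfigFileName";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String name = ctx.getInitParameter(PARAM);

        // Accept a plain file name only: no separators and no ".." segments,
        // so the value cannot be used to walk out of /WEB-INF/.
        if (name == null || !name.matches("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*")) {
            throw new IllegalArgumentException("Invalid " + PARAM + ": " + name);
        }

        try {
            // The container resolves this path relative to the context root.
            // Unlike getRealPath(), which may return null when the application
            // runs from an unexpanded WAR, this needs no file-system path.
            URL config = ctx.getResource("/WEB-INF/" + name);
            if (config == null) {
                throw new IllegalStateException("Not found: /WEB-INF/" + name);
            }
            // DOMConfigurator accepts a URL as well as a file path.
            DOMConfigurator.configure(config);
        } catch (MalformedURLException e) {
            throw new IllegalStateException("Bad resource path for " + name, e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```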
Post Details
Locked on Jun 3 2005
Added on May 5 2005
3 comments
298 views