0 Replies Latest reply on May 11, 2004 12:57 PM by mwallner

    Download Servlet does not work with activated security

    mwallner Newbie


      I implemented a simple DownloadFileServlet which works fine AS LONG AS JBoss security manager is turned off. As soon as it is turned on in web.xml via <security-constraint> etc.., downloading a file does not work anymore. The error message "the file could not be found" shows up. The server log does unfortunately show nothing conspicious.

      How can I tell the JBoss Security Manager to allow downloading the files; possibly limit the permission to a certain server directory?

      Any help is highly appreciated.

      - Markus

      I use JBoss v.3.23.

      the (relevant) download servlet code: (i don't think there is an error in there, because downloading works fine as long as security manager is turned off in web.xml)

      String filename=req.getParameter("downloadfileName");

      if (filename!=null && filename.trim().length()!=0) {
      logger.debug("setting mimetype");
      mimetype = context.getMimeType( filename );
      downloadFile = new File(filename);
      if (!downloadFile.exists()) {
      logger.error("ERROR @ doPost(): File " + filename + " does not exist.");

      URL url = (new File(filename)).toURL();
      logger.debug("URL=" + url.getFile());
      if (url != null) {
      URLConnection con = url.openConnection();

      resp.setContentType( (mimetype != null) ? mimetype : "application/octet-stream" );
      resp.setContentLength( (int)downloadFile.length() );
      resp.setHeader("Content-Disposition", "attachment; filename=" + getFileName(url));

      ServletOutputStream out = resp.getOutputStream();
      BufferedInputStream in = new BufferedInputStream(con.getInputStream());
      byte[] buf = new byte[5120];

      int len;
      while ((len = in.read(buf)) > 0) {
      } else {
      logger.error("URL IS NULL");

      } else {
      logger.error("ERROR: filename != null && filename.trim().length() != 0");

      private String getFileName(URL url) {
      String path = url.getFile();
      String result = path.substring(path.lastIndexOf('/')+1);
      logger.debug("getFileName(" + url + ") => " + result);
      return result;