Hi!

I implemented a simple DownloadFileServlet which works fine AS LONG AS JBoss security manager is turned off. As soon as it is turned on in web.xml via <security-constraint> etc.., downloading a file does not work anymore. The error message "the file could not be found" shows up. The server log does unfortunately show nothing conspicious.

How can I tell the JBoss Security Manager to allow downloading the files; possibly limit the permission to a certain server directory?

Any help is highly appreciated.

Thanks,
- Markus

I use JBoss v.3.23.

the (relevant) download servlet code: (i don't think there is an error in there, because downloading works fine as long as security manager is turned off in web.xml)


String filename=req.getParameter("downloadfileName");

if (filename!=null && filename.trim().length()!=0) {
logger.debug("setting mimetype");
mimetype = context.getMimeType( filename );
downloadFile = new File(filename);
if (!downloadFile.exists()) {
logger.error("ERROR @ doPost(): File " + filename + " does not exist.");
}

URL url = (new File(filename)).toURL();
logger.debug("URL=" + url.getFile());
if (url != null) {
URLConnection con = url.openConnection();

resp.setContentType( (mimetype != null) ? mimetype : "application/octet-stream" );
resp.setContentLength( (int)downloadFile.length() );
resp.setHeader("Content-Disposition", "attachment; filename=" + getFileName(url));

ServletOutputStream out = resp.getOutputStream();
BufferedInputStream in = new BufferedInputStream(con.getInputStream());
byte[] buf = new byte[5120];

int len;
while ((len = in.read(buf)) > 0) {
out.write(buf);
}
in.close();
out.flush();
out.close();
} else {
logger.error("URL IS NULL");
}

} else {
logger.error("ERROR: filename != null && filename.trim().length() != 0");
}

private String getFileName(URL url) {
String path = url.getFile();
String result = path.substring(path.lastIndexOf('/')+1);
logger.debug("getFileName(" + url + ") => " + result);
return result;
}