hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clifford (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HTTPCLIENT-876) Calling httpClient.execute(post) on a shared server causes security error (WRITE not allowed to protected area on disk)
Date Thu, 01 Oct 2009 17:08:23 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12761271#action_12761271
] 

Clifford commented on HTTPCLIENT-876:
-------------------------------------

Thanks Ortwin, I thought of that also, however the 'workdir' setting is in 'server.xml' in
the (tomcat-home)/conf directory, which I don't have access to.  On a shared server that directory
is shared amongst all users, so can't be allowed to be changed by users.

But I will make another request from GoDaddy support, for them to set that parameter to /temp,
which is one of the only directories on their shared server that is wide open to every process/user.
 I'll let you all know what happens.

p.s. On my own Tomcat development server at my house, this all works perfectly (since I don't
secure any directories).  So obviously a dedicated server (or cloud) would solve the problem.
 But again, that increases my monthly cost by 10x, and I have multiple GoDaddy accounts (not
just one).

> Calling httpClient.execute(post) on a shared server causes security error (WRITE not
allowed to protected area on disk)
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-876
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-876
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.0 Final
>         Environment: Java 5.0, Tomcat
>            Reporter: Clifford
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> I run my JSP modules on a shared server at GoDaddy.com, one of the largest hosting companies
in the USA.  They have strict security on the servers which disallows writing to any disk
files unless they are in the /temp directory.
>  
> When I first tried to execute a module I wrote using HttpClient, I got a security write-not-allowed
error.  I looked at the stack trace and found out that org.apache.http.impl.client.DefaultHttpClient.java
(at source line 197) calls org.apache.http.util.VersionInfo method loadVersionInfo, and that
class (at source line 248) tries to do a FILE WRITE after not finding a property file containing
the version#.  That WRITE is disallowed by my hosting, thus causing my HttpClient call to
fail.  I can provide more details if you like.
>  
> I worked around the problem by commenting out the call to loadVersionInfo and recompiling
DefaultHttpClient, but MANY MANY programmers will run into this issue, so I would label it
an urgent bug that needs to be fixed.  Suggestions for the fix could be 1) hard-code the version
in a new final static variable of DefaultHttpClient, or 2) Write the Properties file containing
the HttpClient version# to a directory within /temp.
> The stack trace (transcribed from a printout) is:
> java.security.AccessControlException: access denied (java.io.FilePermission /web/tomcat/work/hosting/dir.dotgreen.org/.../loader/META-INF
write) at ... 5 levels of java.security.* then
> java.io.File.mkdir
> WebappClassLoader.findResourceInternal
> WebappClassLoader.findResource
> WebappClassLoader.getResourceAsStream
> VersionInfo.loadVersionInfo (line 244)
> DefaultHttpClient.createHttpParams (line 197)
> AbstractHttpClient.getParams (line 293)
> DefaultHttpClient.createClient (line 2)
> AbstractHttpClient.getConnectionManager (line 312)
> DefaultHttpClient.createHttpContext (line 254)
> AbstractHttpClient.execute (line 618)
> AbstractHttpClient.execute (line 576)
> AbstractHttpClient.execute (line 554)
> then a dozen JSP/catalina locations that are irrelevant

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message