J2EE Round Two
Java Web Server Class Client Thread Class
You now have the beginnings of a Web server written in Java. I’m surprised at how quick and easy it was to write a server application in the language. This example comes from Java in a Nutshell, Fifth Edition and takes up only a single page.
Interestingly enough, the W3C has its own Web server, which is also written in Java. In this O’Reilly implementation, ClientThread is just a simple class that takes the HTTP request sent by the client and echoes it back in the response. More security would need to be implemented before even considering serving files to clients in response to their requests.
One example by John@turtlemeat.com openly admits this fact in the Java source code.
```java
try {
    // NOTE that there are several security considerations when passing
    // the untrusted string "path" to FileInputStream.
    // You can access all files the current user has read access to!!!
    // Current user is the user running the Java program.
    // You can do this by passing "../" in the URL or specifying an absolute path
    // or changing drive (Win).
    // Try to open the file.
    requestedfile = new FileInputStream(path);
}
```
I plan on writing a class that will handle URIs in a secure fashion in the coming days. I’m slightly disappointed by the fact that John’s example puts a whole block of text about the dangers of path traversal in the source and has no defensive measures in place.
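As an added illustration (not code from this post, from the Nutshell server, or from John’s server), here is the shape such a class can take: it assumes the server hands it the raw request path and a document-root directory, and it refuses every case John’s comment lists (`../` segments, absolute paths, Windows drive letters) plus percent-encoded variants and symlinks that point outside the root.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** Resolves an HTTP request path to a file strictly inside a document root. */
public final class SafePathResolver {
    private final Path docRoot;

    public SafePathResolver(Path docRoot) throws IOException {
        // Canonicalize once: follows symlinks and removes "." / ".." in the root itself.
        this.docRoot = docRoot.toRealPath();
    }

    /** Returns the file to serve, or null if the request must be refused (403/404). */
    public Path resolve(String requestPath) throws IOException {
        // Drop the query string, then percent-decode BEFORE any checks, so that
        // "%2e%2e/" is seen as "../" and not waved through as harmless characters.
        int q = requestPath.indexOf('?');
        String raw = q >= 0 ? requestPath.substring(0, q) : requestPath;
        String decoded;
        try {
            decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null; // bad percent-encoding is a bad request, not a file name
        }
        // Only plain relative paths are acceptable: NUL bytes, backslashes and
        // drive letters ("C:") all have platform-specific ways of escaping the root.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0
                || decoded.indexOf(':') >= 0) {
            return null;
        }
        String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
        if (relative.isEmpty()) {
            relative = "index.html"; // assumed default document name
        }
        // Lexical check first: "../" segments collapse during normalize() and an
        // absolute path (e.g. from "//etc/passwd") replaces the root entirely.
        Path candidate = docRoot.resolve(relative).normalize();
        if (!candidate.startsWith(docRoot) || !Files.isRegularFile(candidate)) {
            return null;
        }
        // Then a physical check: a symlink inside the root may still point outside it.
        Path real = candidate.toRealPath();
        return real.startsWith(docRoot) ? real : null;
    }
}
```

The caller opens the returned Path with `Files.newInputStream` and sends a 404 for `null`; a `FileInputStream(path)` on the raw string, as in the quoted snippet, is never built.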