For a company internal webapp I need a way to access the full path of files on our internal fileserver that the user drag n drops on a dropzone on the website. As the fileserver is mounted in a similar manner on the webserver the path will point to the same file on its side and I can further process the files.
As that is not possible with plain HTML/Java-Script because of security reasons I did some research and it seems, that one viable way to accomplish this would be to embed a java-applet in the HTML code of the website. However .. as this would be my first encounter with java I'd like to confirm if that is actually possible before starting out.
Or alternatively another way to accomplish this task.
Related
Task: Copy Folder and contents from one vdi to another vdi. This application is internally facing within the company.
Method:
In jsp have user browse for folder
The folder selection is in a text box, the folder path is passed into an action class
The folder path is placed into a teradata table
A script is called to query the table for the source path and target path (pre-determined) and make the copy
Due Diligence: So far I have tried the <input type="file", which selects a file, not a folder. Also, the file path is not passed through due to security reasons. I have read other possible solutions but none work.
Question: Are servlets a viable solution, and if so, how do I create one?
I'm going to go with no. There are several reasons for this.
A Java Enterprise Edition application (be it a Servlet or Java Server Page) is not supposed to access the file system directly.
It is inherently unsafe to expose internal infrastructure through an external website.
I think you need to break it up a bit more.
Save a list of shares the server has access to in a data store of some sort, like a new teradata table or for a quick proof of concept plain text file (if you're on Linux you can use the output of something like showmount -e localhost).
Let the user pick the src share from a combobox or something similar.
Continue from your step 2.
This gives you two immediately obvious advantages, which may or may not be relevant.
You can use the system without having access to the physical shares.
You can add metadata (like description or aliases).
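The share-list approach from this answer, sketched as an added example (not code from the original posts): the browser submits only a share alias from the combobox plus a folder relative to that share, and the server maps it to a path and refuses anything that leaves the share. The class name, aliases and mount points are assumptions; in the answer's design the alias table would be loaded from the data store of shares.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

public class ShareResolver {
    // alias -> mount point as the web server sees it
    private final Map<String, Path> shares = new LinkedHashMap<>();

    public ShareResolver(Map<String, String> configured) {
        configured.forEach((alias, root) ->
                shares.put(alias, Paths.get(root).toAbsolutePath().normalize()));
    }

    // Turns (alias, folder relative to the share) into a server-side path inside that share.
    public Path resolve(String alias, String relative) {
        Path root = shares.get(alias);
        if (root == null) {
            throw new IllegalArgumentException("unknown share alias: " + alias);
        }
        // resolve() returns 'relative' unchanged when it is absolute, so the
        // containment check below rejects absolute paths as well as "../" escapes.
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path leaves share '" + alias + "'");
        }
        // normalize() is lexical only; if the share can contain symlinks,
        // compare toRealPath() results as well before opening the folder.
        return candidate;
    }

    public static void main(String[] args) {
        Map<String, String> cfg = new LinkedHashMap<>();   // constructed sample shares
        cfg.put("projects", "/mnt/fileserver/projects");
        cfg.put("scans", "/mnt/fileserver/scans");
        ShareResolver resolver = new ShareResolver(cfg);
        String[][] requests = {{"projects", "2024/reportA"}, {"projects", "../../etc"},
                               {"scans", "/etc/passwd"}, {"finance", "q1"}};
        for (String[] r : requests) {
            try {
                System.out.println(r[0] + " + " + r[1] + " -> " + resolver.resolve(r[0], r[1]));
            } catch (RuntimeException e) {
                System.out.println(r[0] + " + " + r[1] + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first request resolves; the traversal attempt, the absolute path and the unknown alias are all rejected before any script sees a path.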
Is it possible to upload a file in Play! framework only by giving a path in url?
For example I would like to call:
www.mywebsite.com/upload_PATH
It's for me quite important, because I would like to upload and process a lot of data. Selecting manually 1000 files is too time-consuming and I want to write a program which will make it for me :-) I'm using Play with Java.
If upload_PATH is a local file path on your system, it is not a good way to go.
You should write a Play action where you can upload a file, as it is done in this example.
Then, you should write an HTTP client (started by a main Java method) which goes through your files and uploads them by calling the Play! action. You can use the httpclient Apache library for writing the client part.
As nico_ekito wrote, www.mywebsite.com/upload_from_local_path won't work.
In case of a huge amount of files you can create a temporary folder on the distant server and upload your files with FTP. Then in your app you'll need only an action for post-upload processing, i.e. it can check if the file is valid and move it to the calculated destination and register it in the database if required.
Another possibility is using some flash/ajax multi uploader, for example swfupload (don't know it, it's just the first hit from the search engine). This approach will be better if you are going to give the upload possibility to people who you don't want to give any FTP access.
Finally you can mix the solutions -> use uploader instead of FTP and later post-process new items remotely.
This was a question about testing file upload functionality using a local java server on Windows 7 platform. Since the question evolved with Marko's input, I have edited it, so that those who run into the same challenge do not waste time on evolution details and reach conclusions sooner.
The challenge was to direct uploaded file to a folder outside of the WAR structure and successfully read it from there. For example: upload an image into c:/tmp/ and then redirect to a confirmation page that displays the image <img src="c:/tmp/test.jpg" />. The upload worked but image would not be displayed. And based on Marko's input, this makes sense because browser sitting at localhost will refuse to load anything from local disk structure using c:. Maybe these are security considerations similar to those with file input control where we cannot set a default path...
The following tag will work in a locally created .html file but when pasted into a jsp, it won't work. And the difference is that browser uses localhost to get to the jsp.
<img src="c:/tmp/test.jpg" />
Solutions
I think that Marko's answer pretty much defines what needs to be done. While I didn't go with that approach, it clearly is the better way to do it and I will accept that as the answer. Thanks, Marko!
For those who don't want to bother installing a Web server and are willing to live with a bit of a hack, here's what I have done. Again, I didn't want to upload files into my WAR structure because I would then need to remember about clearing that folder before deploying to the server. But that upload folder still needs to be accessible, so I simply created another dummy project and put that upload folder under its WebContent. This works for the purposes of my local testing. The only nuisance is that after uploading a file, I need to refresh the dummy project's WebContent in Eclipse.
config.properties
#for uploading files
fileUploadDirectory=C:/javawork/modelsite/tmp/WebContent
#for building html links
publicFileServicePrefix=http://localhost:8080/tmp
<img src="http://localhost:8080/tmp/test.jpg" /> // this works - tmp is the name of my dummy project.
If you are citing literally the HTML that goes to the browser (the one that you access via "view source") then this has nothing to do with Java. The browser is the one who interprets these links. If they fail to load, the problem is in the browser/file system.
UPDATE
According to the results of your additional diagnostics, I conclude that the browser (sensibly!) refuses to load anything from your local disk if it is referenced from an HTML file coming from an internet URL, even when that URL is localhost.
UPDATE 2
(Deleted, irrelevant)
UPDATE 3
However you handle the files uploaded to the server, it's definitely not going to look like your solution -- the file is on the server's local filesystem, not client's. This sort of thing can be handled at the Apache HTTP server level -- reserve an URL section for static content and configure Apache with a base directory from which to serve the static content. Even if you run the server locally, on the same machine where you test it, you still need to go through the network interface.
Kind of hard to explain in one line but my problem is essentially like this:
I made a java applet that I want to run on a web page that I packaged into a .jar file. I'm able to get the applet working fine using the <applet> tag but the problem is, if the user views the page source, they will see:
<applet archive="directory/program.jar">
Assuming .jar files can be easily opened and all the class files decompiled, all the user would have to do is go to www.url.com/directory/program.jar to download my .jar and they would have all my source code :(
So I'm wondering if there is either a way to protect my code/jar from being decompiled (other than obfuscation) or to use some kind of server-side script to feed the contents of the .jar directly to the browser from a server-side location not publicly visible.
Any help is appreciated.
This is fundamentally impossible.
Java applets run on the client.
Anything that runs on the client can be disassembled and modified by a sufficiently advanced user.
You should move your sensitive logic to the server and invoke it using HTTP requests (and remember that the user can use Fiddler).
While you're at it, you should probably replace your applet with HTML and Javascript.
Other than obfuscation or encryption, no--one way or the other, the browser will have access to the jar.
You might be able to create an applet that loads more functionality at runtime.
There is no effective way to block access to the source code of any page; for the page to be readable by browsers and search engines, the source code has to be accessible, and therefore can be viewed and/or copied. That's just how the web works. HTML is sent as a text document and interpreted client-side.
Disabling the right-click is little more than an annoyance, and it works sporadically in alternative browsers. Even if you succeed, the View Source option in the menu is always present. The viewer could also use a download tool such as Wget, or even get the page from the Google cache without visiting your site at all.
Edit: Oops! I misunderstood your question. You should follow #SLaks advice and "move your sensitive logic to the server and invoke it using HTTP requests (and remember that the user can use Fiddler)."
While quantum mechanics do rule the universe, they have less of a grip on your code than you might suspect. You cannot both deploy code to the client browser and not deploy code to the client browser. You have the option of doing one or the other.
You can prevent direct browsing to your .jar file by locating it beneath the WEB-INF directory in your WAR file. This will also prevent <applet archive="directory/program.jar"> from working.
Once the jar is beneath the WEB-INF directory you will need something to feed the resource to the client browser; the Spring resources servlet is good for this (if you are using Java and Spring). I feel confident that other such tools exist. With the Spring resources servlet, you would deploy your applet with something like this: <applet archive="resource/program.jar">.
If you write your own resource distributor, you can add security to make it harder to get the jar file; perhaps add a header to your requests like IRGud: <user_id here> and fail any request that does not have that header (or acceptable contents in the header).
I have developed a command-line (read: no GUI) Java application which crunches through numbers based on a given dataset and a series of parameters, and spits out a series of HTML files as resultant reports. These reports hold a large amount of data in tables, so in order to give the users an easy and quick overview of the results, I utilized the JUNG2 library and created a nice graph.
Here's where it gets interesting; since I would like the graph to be interactive it should be deployed after the application has run and files are generated, whenever the user wants to view the reports. I decided to go with an applet based deployment, however I am not too happy with the current setup due to the following reasons:
I want to make the software as simple to use as possible (my users won't be tech-savvy, and even tech-intimidated in most cases). I would really like to distribute one JAR only, which forced me to put the applet with everything else it needs in a package in the same JAR as the main application.
The applet and the main application need to communicate the results, so I create an XML-based report which is used to hold information. As long as the files are on a local machine and are not moved around it all works fine. Unfortunately I also need the files to be moved around. A user should be able to take the "results" folder to a USB stick, go anywhere, plug the stick into another computer and be able to use the report as he/she likes.
For the time being the applets are implemented with the following html code:
<applet code="package.myapp.visualization.GraphApplet.class"
codebase="file:/home/user/myApp"
archive="myApp-0.2.6-r28.jar"
width="750" height="750">
<param name=input value="results/test_name/results.fxml">
</applet>
As you can see this applet will not work if the parent folder is moved to another location.
As far as I know I have a couple of alternatives:
a) Change codebase to point to an URL on our webserver where I could put the jar file. This however creates the problem with permissions, as the applet will not be able to read the results file. Alternative is to upload the results file to the server when the user wants to visualize the graph, although I am not sure if that's a good option due to server security and also if it could be made so that upload happens automatically without bothering the user.
b) I can use a relative path on the codebase attribute, but then the whole folder hierarchy needs to be intact upon copy. This could be a last resort, if I can't come up with a better way to do it.
c) change the deployment method (would like to avoid this alternative to not spend more time on the development phase)
Any ideas? Am I missing something? How could I tackle this problem?
Thanks,
I'm not sure I entirely understand your use-case, but from what I do understand, I would suggest this:
Dump the applet for an application launched using Java Web Start. Have the JNLP file declare a file association for the fxml file type. When the user double clicks an fxml file, it will be passed as an argument to the main(String[]) of the JWS application.
A sand-boxed JWS application can gain access to resources on the local file system using the JNLP API. Here is my demo. of the JNLP API file services.