URL Authentication

I have written a very simple servlet that takes the name of an image file in a certain directory, then outputs it to the page.
This directory is password protected using htaccess and the idea is to use an Authenticator to gain access to the files in that directory.

In doing this, I'm receiving a javax.imageio.IIOException.
Here is the code I'm using...

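import java.awt.image.BufferedImage;
import java.io.IOException;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

import javax.imageio.ImageIO;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ImgReader extends HttpServlet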
{
      public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException
      {
            process(request, response);
      }
      
      public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException
      {
            process(request, response);
      }
      
      private void process(HttpServletRequest request, HttpServletResponse response) throws IOException
      {
            // Get the image parameter
            String img = request.getParameter("img");
            
            // Check to see if it's empty
            if (img == null || img.equals(""))
            {
                  return;
            }
            
            try
            {
                  Authenticator.setDefault(new DefaultAuthenticator());
            }
            catch (Exception e)
            {
                  e.printStackTrace(response.getWriter());
            }
            
            BufferedImage image = ImageIO.read(new URL("http://www.mydomain.com/images/personal/" + img)); // Exception is thrown here
            
            response.setContentType("image/jpeg");
            ImageIO.write(image, "jpeg", response.getOutputStream());
      }
      
      private class DefaultAuthenticator extends Authenticator
      {
            private final String user = "myusername";
            private final String pass = "mypassword";
            
            protected PasswordAuthentication getPasswordAuthentication()
            {                  
                  return new PasswordAuthentication(user, pass.toCharArray());
            }
      }
}

Here is the stack trace from the servlet when called using http://www.my-domain.com/servlet/com.wim.ImgReader?img=imgName.JPG

500 Servlet Exception

javax.imageio.IIOException: Can't get input stream from URL!
      at javax.imageio.ImageIO.read(ImageIO.java:1345)
      at com.wim.ImgReader.process(ImgReader.java:49)
      at com.wim.ImgReader.doGet(ImgReader.java:21)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:126)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
      at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
      at com.caucho.server.http.Invocation.service(Invocation.java:315)
      at com.caucho.server.http.CacheInvocation.service(CacheInvocation.java:135)
      at com.caucho.server.http.RunnerRequest.handleRequest(RunnerRequest.java:346)
      at com.caucho.server.http.RunnerRequest.handleConnection(RunnerRequest.java:274)
      at com.caucho.server.TcpConnection.run(TcpConnection.java:139)
      at java.lang.Thread.run(Thread.java:534)
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: http://www.my-domain.com/images/personal/imgName.JPG
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:791)
      at java.net.URL.openStream(URL.java:913)
      at javax.imageio.ImageIO.read(ImageIO.java:1343)
      ... 11 more

I have been using the correct file path and name as well as using the correct username and password for authentication.

Is there something I have done wrong?
Any suggestions would be greatly appreciated. :-)

Cheers

-OBCT
 
CEHJ Commented:
Is the authenticator actually being called?
 
OBCT (Author) Commented:
I am assuming so...
At http://javaalmanac.com/egs/java.net/Auth.html, it says that the getPasswordAuthentication() method is called whenever a password protected URL is accessed.
 
OBCT (Author) Commented:
By the way, I'm using Resin 2.1.13 if that makes any difference.
 
CEHJ Commented:
>>I am assuming so...

Not a good idea ;-)
 
OBCT (Author) Commented:
Ahh ok, I took away all exception handling code (aside from that required for compilation) and received the following exception...

java.security.AccessControlException: access denied (java.net.NetPermission setDefaultAuthenticator)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
      at java.security.AccessController.checkPermission(AccessController.java:401)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
      at java.net.Authenticator.setDefault(Authenticator.java:84)
      at com.wim.ImgReader.process(ImgReader.java:65)
      at com.wim.ImgReader.doGet(ImgReader.java:35)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:126)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
      at com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
      at com.caucho.server.http.Invocation.service(Invocation.java:315)
      at com.caucho.server.http.CacheInvocation.service(CacheInvocation.java:135)
      at com.caucho.server.http.RunnerRequest.handleRequest(RunnerRequest.java:346)
      at com.caucho.server.http.RunnerRequest.handleConnection(RunnerRequest.java:274)
      at com.caucho.server.TcpConnection.run(TcpConnection.java:139)
      at java.lang.Thread.run(Thread.java:534)

So basically the exception is being thrown when I attempt to call Authenticator.setDefault(new DefaultAuthenticator());
Does this mean I can't set my own Authenticator? If so why not? :-(
 
CEHJ Commented:
>>Does this mean I can't set my own Authenticator?

Probably means you'll have to do so in a different way

>>If so why not? :-(

Probably because the container considers that a usurpation of its own security functionality, even an attempt to bypass it.

Start by checking out the security policy of the container
 
CEHJ Commented:
:-)
 
OBCT (Author) Commented:
Forgot to say thank you :-)
Thanks.
 
CEHJ Commented:
No problem ;-) If you can get around to it, it would be very useful for future viewers of this q. to provide a short summary of how you implemented the solution
 
OBCT (Author) Commented:
I usually do, I just got lazy this time :-p

Due to the fact I was testing this servlet on a shared server, I couldn't gain access to the security policy file to adjust the permissions.
So I'm considering getting a dedicated server but until then, I'll look into realms using JNDI as another possible option.
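
The "different way" CEHJ mentions can be a per-request Authorization header, which leaves the JVM-wide Authenticator alone and so does not need the NetPermission "setDefaultAuthenticator" that the container denied. The code below is an added example, not code from the thread. The class and method names, the file-name pattern and Java 8+ (for java.util.Base64) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.NetPermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

// Added example (hypothetical names): credentials are scoped to one connection
// instead of being installed for every URL fetch in the shared JVM.
public class ProtectedImageFetcher {
    // Assumption: images are plain file names; rejects "/", "..", "?" and the like.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(?i:jpe?g|png|gif)");

    // Reports whether the active policy would allow Authenticator.setDefault().
    // SecurityManager is deprecated in current JDKs; it is the check seen in the trace.
    static boolean maySetDefaultAuthenticator() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;
        try {
            sm.checkPermission(new NetPermission("setDefaultAuthenticator"));
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    // Builds the HTTP Basic header value: "Basic " + base64(user:pass).
    static String basicHeader(String user, char[] pass) {
        byte[] raw = (user + ":" + new String(pass)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Opens baseUrl + name, sending the credentials on this request only.
    static InputStream open(String baseUrl, String name, String user, char[] pass)
            throws IOException {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected image name");
        }
        HttpURLConnection c = (HttpURLConnection) new URL(baseUrl + name).openConnection();
        c.setRequestProperty("Authorization", basicHeader(user, pass));
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("upstream returned HTTP " + c.getResponseCode());
        }
        return c.getInputStream();
    }

    public static void main(String[] args) {
        System.out.println("setDefault allowed: " + maySetDefaultAuthenticator());
        System.out.println(basicHeader("user", "pass".toCharArray())); // constructed credentials
    }
}
```

In the servlet, the returned stream goes to ImageIO.read(InputStream) in place of the URL overload. Basic credentials are only base64-encoded, so the base URL should be https.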