grant execute file permission to a JSP?

[Hank Barta]

I'm trying to run an external command from a JSP and instead get
the exception:

java.security.AccessControlException: access denied (java.io.FilePermission /usr/bin/killall execute)

which seems clear enough. (The code runs and works from within a
console application.)

The OS is Linux and the application server is the one that
installs with the J2EE sdk from Sun. It is installed within my
home directory and runs under my user ID exposing deployed JSPs
at http://localhost:8080/

I've added the following code to both my ~/.java.policy file and
the ${java.home}/jdk/jre/lib/security/java.policy file:

grant codeBase "http://localhost:8080/-" {
permission java.io.FilePermission "/usr/bin/killall", "execute";
permission java.security.AllPermission;
};

Neither of the entries in either of the files makes any
difference. The only change I've made that has any affect at all
is to change the command from 'killall ...' to '/usr/bin/killall
...' which changed the file reference in the exception from "<<ALL
FILES>>" to "/usr/bin/killall".

Each time I made a change in the policy files, I restarted the
application server to make sure it was using the new file contents.

I'm clearly overlooking something or have something wrong. Any
suggestions on how to resolve this would be most welcomed!

thanks,
hank

 

[Hank Barta]

OK, a bit of the solution is changing:

grant codeBase "http://localhost:8080/-" {
permission java.io.FilePermission "/usr/bin/killall", "execute";
permission java.security.AllPermission;
};

to:

grant {
permission java.io.FilePermission "/usr/bin/killall", "execute";
permission java.security.AllPermission;
};


But I suspect that this grants the indicated permissions to
everything. How can I restrict this to my JSPs? In other words,
what should the "CodeBase "http://localhost:8080/-" be for JSPs on
my host? Or is this the correct solution?

thanks,
hank