When a deployed web application created for the Sun Java System Application Server contains a "jar" file, contents of the jar file may be exposed.

This issue can occur in the following releases:

SPARC Platform

• Sun Java System Application Server Platform Edition 8.1 2005 Q1
• Sun Java System Applciation Server Platform Edition 8.1 2005 Q1 UR1
• Sun Java System Applciation Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-01 or (SVR4) patch 119166-06

x86 Platform

• Sun Java System Application Server Platform Edition 8.1 2005 Q1
• Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
• Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119170-01 or (SVR4) patch 119167-06

Linux Platform

• Sun Java System Application Server Platform Edition 8.1 2005 Q1
• Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
• Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119171-01 or RHEL2.1/RHEL3.0 (Pkg_patch) 119168-05

Windows Platform

• Sun Java System Application Server Platform Edition 8.1 2005 Q1
• Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1

Notes:

1. Sun Java System Application Server 8 Platform Edition is not affected by this issue.
2. This issue will only affect deployed applications which contain a JAR archive in the deployment package.

To determine the version of Sun Java System Application server, the following command can be run:

    $ <AS_INSTALL>/bin/asadmin version --verbose
    Unable to communicate with admin server, getting version locally.
    Version = Sun Java System Application Server Enterprise Edition 8.1 
    (build b43-fcs)
    Command version executed successfully.

(Where <AS_INSTALL> is the installation directory of the Application Server)

There are no reliable symptoms that would indicate the described issue has occurred.

To work around the described issue, use one of the two following methods:

A. Turn off the directory listing feature for web apps, which is on by default:

1. Edit $<AS_DOMAIN>/domain1/config/default-web.xml

2. Set the listing value to false:

      <param-name>listings</param-name>
      <param-value>false</param-value>

3. Restart the domain

Or,

B. Delete the files that got unjarred from the jar files under $<AS_DOMAIN>/domain1/applications/j2ee-modules/<application-name>/ after deployment of the web application.

Example: If the file "com/sun/appserv/web/taglibs/cache/CacheTag.class" was packaged as appserv-tags.jar (This appserv-tags.jar file was packaged in the war file webapps-caching.war) then after deployment of the war file webapps-caching.war, delete the directory "com" under $<AS_DOMAIN>/domain1/applications/j2ee-modules/webapps-caching.

This issue is addressed in the following releases:

SPARC Platform

• Sun Java System Application Server Platform Edition 8.1 2005Q2 UR2 available from http://java.sun.com/j2ee/1.4/download.html
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119169-01 or later
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119166-06 or later

x86 Platform

• Sun Java System Application Server Platform Edition 8.1 2005Q2 UR2 available from http://java.sun.com/j2ee/1.4/download.html
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119170-01 or later
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119167-06 or later

Linux Platform

• Sun Java System Application Server Platform Edition 8.1 2005Q2 UR2 available from http://java.sun.com/j2ee/1.4/download.html
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119171-01 or later
• Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with RHEL2.1/RHEL3.0 (Pkg_patch) 119168-05 or later

Windows Platform

• Sun Java System Application Server Platform Edition 8.1 2005Q2 UR2 available from http://java.sun.com/j2ee/1.4/download.html

NOTE: The resolution outlined above will only affect applications deployed after the installation of the above patches or upgrades. To correct web applications that were deployed prior to installing the resolution, workaround "B" (in Relief/Workaround) needs to be applied to those applications.

This solution has no attachment