
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Running console command in non auto-generated JSP

SA-3152

Summary

PRPC's non auto-generated JSPs have no restriction on which classes are executable and accessible. This means that a JSP can contain Java code such as Runtime.getRuntime().exec("cat /etc/passwd"); which, for example, reads the operating system's user account file on a Linux machine. This poses a major security risk which needs to be addressed.

Resolution

This issue is resolved through a local change: implementing a Java security manager policy file. The format of this file is specific to the web application server. PRPC bundles sample policy files in its war file under the directory prweb.war/WEB-INF/policy-examples/*.policy.

An example implementation for Tomcat 7 is as follows:

1) Add the following lines to setenv.sh (the first two lines enable the Java security manager; the next two set system properties that the policy file references):
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager"
JAVA_OPTS="$JAVA_OPTS -Djava.security.policy=/opt/srv/apache-tomcat-7.0.52/conf/tomcat7-prpc.policy"
JAVA_OPTS="$JAVA_OPTS -Dpega.context_root=prweb"
JAVA_OPTS="$JAVA_OPTS -Dpega.tmpdir=/pr_temp"

2) Place tomcat7-prpc.policy in the directory referenced by the -Djava.security.policy setting above (an example file is attached).
This file is an adjustment of the tomcat6.policy sample file bundled with PRPC. The list of classes to allow needs to be tweaked for each web application server and each custom application being developed. A web server administrator is the best role to tweak this file.
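As an added illustration (constructed for this article, not the sample policy bundled with PRPC nor the file attached above), a minimal Tomcat 7 policy fragment in Java policy-file syntax that references the two system properties set in step 1. The codeBase paths and the permission list are assumptions; the real grants must be derived from what Tomcat and the application actually need.

```text
// Constructed example of a Java security policy fragment for Tomcat 7.
// Not the file attached to this article; codeBase paths and grants are assumptions.

// Tomcat's own code needs broad rights. In a real deployment merge this
// block with the grants from Tomcat's conf/catalina.policy instead.
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

// The PRPC web application, located via the pega.context_root property
// set in setenv.sh. No java.io.FilePermission with the "execute" action is
// granted here, so Runtime.getRuntime().exec(...) called from a JSP fails
// with java.security.AccessControlException (access denied "execute").
grant codeBase "file:${catalina.base}/webapps/${pega.context_root}/-" {
    // Read access to the application's own deployment directory
    permission java.io.FilePermission "${catalina.base}${/}webapps${/}${pega.context_root}${/}-", "read";
    // Scratch space from the pega.tmpdir property: read/write/delete, never execute
    permission java.io.FilePermission "${pega.tmpdir}${/}-", "read,write,delete";
    // Typical needs of a web application: property reads, class loader access,
    // and outbound sockets (for example to the database)
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.net.SocketPermission "*", "connect,resolve";
};

// Classes compiled from JSP pages are loaded from Tomcat's work directory,
// which is a separate codeBase. It gets the same grants and, again, no
// "execute" permission; assumes the default Catalina/localhost layout.
grant codeBase "file:${catalina.base}/work/Catalina/localhost/${pega.context_root}/-" {
    permission java.io.FilePermission "${pega.tmpdir}${/}-", "read,write,delete";
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.net.SocketPermission "*", "connect,resolve";
};
```

Because step 1 uses -Djava.security.policy= with a single equals sign, this file is loaded in addition to the JRE's default java.policy; a double equals sign (==) would make it the only policy in effect.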

Published January 31, 2016 - Updated October 8, 2020
