[ http://issues.apache.org/jira/browse/VELTOOLS-66?page=comments#action_12451502 ]

Will Glass-Husain commented on VELTOOLS-66:

I still don't think this is an appropriate log message. Why give a stack trace? We don't when a reference fails. (for example).

The user puts a reference into the page. It works. The fact that a security exception was hit is an internal implementation detail, well below the DEBUG level of concern.

By the way, very nice job on this patch, Henning. A nice clean up of the introspector as well as a good resolution of this issue.

Velocity Tools gives access exception with $request reference under Tomcat security manager

URL: http://issues.apache.org/jira/browse/VELTOOLS-66
Project: VelocityTools
Issue Type: New Feature
Components: VelocityView
Affects Versions: 1.2
Reporter: Will Glass-Husain

I'm labeling this as a bug, though it's arguable whether the fault is of Tomcat or Velocity. Regardless, we should apply a workaround. I've replicated this issue with Velocity 1.4 / Tools 1.2 / JDK 1.5 / Tomcat 5.5
The problem. When the Tomcat is run under the default security manager settings, it prohibits reflection on org.catalina classes. This means that the reference $request.session.id fails with an access violation
INFO: Velocity [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.connector)
sometimes the package given is org.apache.catalina.core, somtimes org.apache.catalina.session, depending on various factors.
Users can alter their security policy to allow this access. But this is an obscure procedure and may not be feasible if you do not control your hosting environment. For the record, the settings for catalina.policy are (change the path to suit your webapp)
grant codeBase "file:${catalina.home}/webapps/simple/WEB-INF/lib/velocity-1.4.jar"
permission java.lang.RuntimePermission
permission java.lang.RuntimePermission
permission java.lang.RuntimePermission
grant codeBase "file:${catalina.home}/webapps/simple/WEB-INF/lib/velocity-tools-view-1.2.jar"
permission java.lang.RuntimePermission
permission java.lang.RuntimePermission
permission java.lang.RuntimePermission
As an alternative, I propose that the Velocity Tools project solve this by create a wrapper object for HttpServletRequest. (presumably the problem also exists for $response, though I haven't tried it). This object would simply pass through all calls to the server-provided HttpServletRequest. Obviously, there would need to be a parallel wrapper for HttpSession, HttpServletContext, and similar objects available from HttpServletRequest methods. The result would be that the Velocity page would never apply reflection to a Catalina class. (and hence never generate this security error).
This issue is in reference to a problem encountered and described on the user list by Robin Mannering.
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 18 of 19 | next ›
Discussion Overview
groupdev @
postedOct 15, '06 at 8:48a
activeJan 25, '07 at 5:27a



site design / logo © 2021 Grokbase