Robin, Haven't yet checked this out.
But your IT manager says "have to do more testing to see which security grant it needs". Actually, your error log shows this clearly. You need java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core WILL On 10/12/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
Hi Will, Thanks for your help, let me know if there is anything I can do. I have a fear my hosting provider cannot commit the resources to solving this problem anytime soon. Thanks Robin >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >Subject: Re: Velocity Config/Security Issue >Date: Thu, 12 Oct 2006 04:59:38 -0700 > >I'll play around with this. Might be a day or so. > >On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >> >>Hi, >> >>Sorry I forgot the velocity version: Velocity 1.4 >> >> >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >Subject: Re: Velocity Config/Security Issue >> >Date: Wed, 11 Oct 2006 15:54:51 -0700 >> > >> >One more question. What's your platform >> >-- version of Tomcat >> >-- version of JDK >> >-- Win, Linux, etc? >> > >> >(and to repeat the last email for redundancy) >> >-- VelocityServlet or VelocityViewServlet (with version) >> > >> >I run an instance of Tomcat with a security policy. I've found >> >numerous inconsistencies even within Tomcat that require security >> >permissions to be opened up. (There was a bug with the 4.1.x series >> >for example for which I had to open up something similar). >> > >> >I tend to think you've hit a Tomcat bug triggered by the way Velocity >> >accesses the request object. Send the info back and we can dig into >> >this. >> > >> >WILL >> > >> >On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >> >>Sorry, some more logging that might make it clearer. >> >> >> >>My local machine uses request objects: >> >>[EMAIL PROTECTED] >> >>and >> >>[EMAIL PROTECTED] >> >> >> >>Whereas the hosted server with the problem uses: >> >>[EMAIL PROTECTED] >> >>and >> >>[EMAIL PROTECTED] >> >> >> >> >> >> >> >>Log 1 - From action class running on hosted server >> >>-------------------------------------------------- >> >>11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic >> >> | request = '[EMAIL PROTECTED]' >> >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> >> | request.getContextPath() = '' >> >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> >> | request.getMethod() = 'GET' >> >>11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic >> >> | request.getSession().getId() = >>'28536F4542A222DC6F0E6DE23442DC6D' >> >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> >> | request.getRequestURI() = '/test.htm' >> >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> >> | request.getRequestURL() = >>'http://www.chaletexplorer.com/test.htm' >> >>11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic >> >> | request.getServletPath() = '/test.htm' >> >> >> >> >> >>Log 2 - From VM Template/page running on hosted server >> >>------------------------------------------------------ >> >>request = '[EMAIL PROTECTED]' >> >>request.contextPath = '/' >> >>request.method = 'GET' >> >>request.session.id = '$request.session.id' >> >>request.requestURI = '//test.vm' >> >>request.requestURL = 'http://www.chaletexplorer.com//test.vm' >> >>request.servletPath = '/test.vm' >> >> >> >> >> >>Log 3 - From action class (running on my local machine) >> >>------------------------------------------------------- >> >> >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> >> | request = >>'[EMAIL PROTECTED]' >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> >> | request.getContextPath() = '/indy' >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> >> | request.getMethod() = 'GET' >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> >> | request.getSession().getId() = >>'79E50B9B3F25A2897BF420521952D51F' >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> >> | request.getRequestURI() = '/indy/test.htm' >> >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic >> >> | request.getRequestURL() = 'http://localhost:8080/indy/test.htm' >> >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic >> >> | request.getServletPath() = '/test.htm' >> >> >> >> >> >>Log 4 - From VM Template/page (running on my local machine) >> >>----------------------------------------------------------- >> >>request = '[EMAIL PROTECTED]' >> >>request.contextPath = '/indy' >> >>request.method = 'GET' >> >>request.session.id = '79E50B9B3F25A2897BF420521952D51F' >> >>request.requestURI = '/indy/test.vm' >> >>request.requestURL = 'http://localhost:8080/indy/test.htm' >> >>request.servletPath = '/test.vm' >> >> >> >> >> >> >> >>-------------------------------------------------- >> >> >> >> >> >> >From: "Robin Mannering" <[EMAIL PROTECTED]> >> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >> >To: velocity-user@jakarta.apache.org >> >> >Subject: Re: Velocity Config/Security Issue >> >> >Date: Wed, 11 Oct 2006 22:08:29 +0000 >> >> > >> >> >Hi all, >> >> > >> >> >Can anyone shed some light? I have some more facts now.... >> >> > >> >> >The original problem was Velocity required permission on a core >>package >> >> >within catalina. Is this because it couldn't find the 'correct' >>request >> >> >object. >> >> > >> >> >Here are some logs, the first is from a Struts action class, the >>second >> >>is >> >> >output from the velocity template forwarded to immediately after the >> >>action >> >> >class. They refer to different request objects that ultimately give >> >> >different values. Should the velocity template not also refer to >> >> >[EMAIL PROTECTED] ?? >> >> > >> >> >Any help/clues would be greatly appreciated. >> >> > >> >> >Log 1 - From action class >> >> >---------------------------------- >> >> >11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic >> >> > | request = >>'[EMAIL PROTECTED]' >> >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> >> > | request.getContextPath() = '' >> >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> >> > | request.getMethod() = 'GET' >> >> >11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic >> >> > | request.getSession().getId() = >>'28536F4542A222DC6F0E6DE23442DC6D' >> >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> >> > | request.getRequestURI() = '/test.htm' >> >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> >> > | request.getRequestURL() = >> >>'http://www.chaletexplorer.com/test.htm' >> >> >11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic >> >> > | request.getServletPath() = '/test.htm' >> >> > >> >> >Log 2 - From VM Template/page >> >> >----------------------------- >> >> >request = '[EMAIL PROTECTED]' >> >> > >> >> >request.contextPath = '/' >> >> > >> >> >request.method = 'GET' >> >> > >> >> >request.session.id = '$request.session.id' >> >> > >> >> >request.requestURI = '//test.vm' >> >> > >> >> >request.requestURL = 'http://www.chaletexplorer.com//test.vm' >> >> > >> >> >request.servletPath = '/test.vm' >> >> > >> >> > >> >> > >> >> > >> >> > >> >> > >> >> > >> >> >>From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >> >>Subject: Re: Velocity Config/Security Issue >> >> >>Date: Wed, 11 Oct 2006 06:25:35 -0700 >> >> >> >> >> >>I don't think it's Velocity which requires that permission, I'm >> >> >>guessing it's the request object which is ultimately provided by >> >> >>Tomcat... >> >> >> >> >> >>WILL >> >> >> >> >> >>On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >> >> >>>Hi Will, >> >> >>> >> >> >>>Thanks for the links, I'll give them a thorough read. >> >> >>> >> >> >>>I've been working with the hosting company who set up the server >> >>config >> >> >>>and >> >> >>>they have give the application permission to >>org.apache.catalina.core >> >> >>>although they are troubled to do so. >> >> >>> >> >> >>>They seem very surprised that velocity requires this permission. >> >> >>> >> >> >>>Since they granted the permission, the problem has cleared up and >> >> >>>$request.contextPath now has a value within a velocity template >> >>(although >> >> >>>this has changed from an empty value to '/' so I need to make >>source >> >> >>>amendments. Not a problem, just worrying it takes on a new value >>in a >> >> >>>different hosting environment. >> >> >>> >> >> >>>Thanks again for your help >> >> >>>Robin >> >> >>> >> >> >>> >> >> >>> >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >> >>> >Reply-To: "Velocity Users List" >><velocity-user@jakarta.apache.org> >> >> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >> >>> >Subject: Re: Velocity Config/Security Issue >> >> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700 >> >> >>> > >> >> >>> >What app server are you using? This is a server configuration >> >>issue. >> >> >>> >If someone else set it up, you might also want to work with them. >> >> >>> > >> >> >>> >If you're using Tomcat, check out: >> >> >>> >> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html >> >> >>> > >> >> >>> >And you should read the Sun docs at: >> >> >>> >> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html >> >> >>> > >> >> >>> >WILL >> >> >>> > >> >> >>> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]> >>wrote: >> >> >>> >>Hi Will, >> >> >>> >> >> >> >>> >>thanks for your help. Sorry. I'm new to permissions, could you >> >>explain >> >> >>>a >> >> >>> >>little more for me please. >> >> >>> >> >> >> >>> >>Thanks >> >> >>> >>Robin >> >> >>> >> >> >> >>> >> >> >> >>> >> >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >> >>> >> >Reply-To: "Velocity Users List" >> >><velocity-user@jakarta.apache.org> >> >> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >> >>> >> >Subject: Re: Velocity Config/Security Issue >> >> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700 >> >> >>> >> > >> >> >>> >> >Looks like the security policy on your app server needs to be >> >>tuned. >> >> >>> >> >Have you tried giving the permission >>java.lang.RuntimePermission >> >>for >> >> >>> >> >accessClassInPackage.org.apache.catalina.core? >> >> >>> >> > >> >> >>> >> >WILL >> >> >>> >> > >> >> >>> >> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]> >> >>wrote: >> >> >>> >> >>Hi all, >> >> >>> >> >> >> >> >>> >> >>I'm new back on this list in a while, please excuse if the >> >> >>>following >> >> >>> >> >>problem >> >> >>> >> >>is obvious/has been posted before. >> >> >>> >> >> >> >> >>> >> >>I am transferring an existing site based on Struts/Velocity >>to a >> >> >>>new >> >> >>> >>web >> >> >>> >> >>hosting provider. The application runs smoothly on its >>current >> >> >>>host. >> >> >>> >> >> >> >> >>> >> >>However, there seems to be one last stumbling block with the >>new >> >> >>>server >> >> >>> >>in >> >> >>> >> >>that the Struts object; 'request' appears not to be in scope >> >>within >> >> >>> >> >>velocity >> >> >>> >> >>pages (there may be others not in scope). >> >> >>> >> >> >> >> >>> >> >>I'm using the VelocityLayoutServlet if that helps. >> >> >>> >> >> >> >> >>> >> >>I've attached a snippet of the log file that points to the >> >>problem >> >> >>>I >> >> >>> >> >>mentioned, notable the 'java.security.AccessControlException' >> >>and >> >> >>> >> >>'$request.contextPath is not a valid reference' >> >> >>> >> >> >> >> >>> >> >>All other velocity directives appear to be functioning as >> >>normal. >> >> >>> >> >> >> >> >>> >> >>Has anyone seen this behaviour before? Any help would be >>greatly >> >> >>> >> >>appreciated. >> >> >>> >> >> >> >> >>> >> >>Kind regards >> >> >>> >> >>Robin >> >> >>> >> >> >> >> >>> >> >>10-Oct 02:45:21.752 |INFO | [/].log >> >> >>> >> >> | Velocity [info] ResourceManager : found >> >> >>> >>/pages/frontend/home.vm >> >> >>> >> >>with loader >>org.apache.velocity.tools.view.servlet.WebappLoader >> >> >>> >> >>10-Oct 02:45:21.761 |INFO | [/].log >> >> >>> >> >> | Velocity [error] PROGRAMMER ERROR : >>PropertyExector() : >> >> >>> >> >>java.security.AccessControlException: access denied >> >> >>> >> >>(java.lang.RuntimePermission >> >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >> >>> >> >>10-Oct 02:45:21.763 |INFO | [/].log >> >> >>> >> >> | Velocity [error] ASTIdentifier.execute() : >>identifier = >> >> >>> >> >>contextPath >> >> >>> >> >>: java.security.AccessControlException: access denied >> >> >>> >> >>(java.lang.RuntimePermission >> >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >> >>> >> >>10-Oct 02:45:21.764 |INFO | [/].log >> >> >>> >> >> | Velocity [error] RHS of #set statement is null. >>Context >> >> >>>will >> >> >>> >>not >> >> >>> >> >>be >> >> >>> >> >>modified. /pages/frontend/home.vm [line 9, column 1] >> >> >>> >> >>10-Oct 02:45:21.772 |INFO | [/].log >> >> >>> >> >> | Velocity [error] PROGRAMMER ERROR : >>PropertyExector() : >> >> >>> >> >>java.security.AccessControlException: access denied >> >> >>> >> >>(java.lang.RuntimePermission >> >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >> >>> >> >>10-Oct 02:45:21.773 |INFO | [/].log >> >> >>> >> >> | Velocity [error] ASTIdentifier.execute() : >>identifier = >> >> >>> >> >>contextPath >> >> >>> >> >>: java.security.AccessControlException: access denied >> >> >>> >> >>(java.lang.RuntimePermission >> >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >> >>> >> >>10-Oct 02:45:21.774 |INFO | [/].log >> >> >>> >> >> | Velocity [warn] >> >> >>> >> >>org.apache.velocity.runtime.exception.ReferenceException: >> >>reference >> >> >>>: >> >> >>> >> >>template = /pages/frontend/home.vm [line 32,column 34] : >> >> >>> >> >>$request.contextPath is not a valid reference. >> >> >>> >> >> >> >> >>> >> >> >> >>_________________________________________________________________ >> >> >>> >> >>Windows Live� Messenger has arrived. Click here to download >>it >> >>for >> >> >>> >>free! >> >> >>> >> >>http://imagine-msn.com/messenger/launch80/?locale=en-gb >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> >> >> >>> >> >> >> >>--------------------------------------------------------------------- >> >> >>> >> >>To unsubscribe, e-mail: >> >> >>>[EMAIL PROTECTED] >> >> >>> >> >>For additional commands, e-mail: >> >> >>>[EMAIL PROTECTED] >> >> >>> >> >> >> >> >>> >> >> >> >> >>> >> > >> >> >>> >> > >> >> >>> >> >-- >> >> >>> >> >Forio Business Simulations >> >> >>> >> > >> >> >>> >> >Will Glass-Husain >> >> >>> >> >[EMAIL PROTECTED] >> >> >>> >> >www.forio.com >> >> >>> >> > >> >> >>> >> >> >> >>> >> >> >--------------------------------------------------------------------- >> >> >>> >> >To unsubscribe, e-mail: >> >>[EMAIL PROTECTED] >> >> >>> >> >For additional commands, e-mail: >> >> >>>[EMAIL PROTECTED] >> >> >>> >> > >> >> >>> >> >> >> >>> >> >>_________________________________________________________________ >> >> >>> >>Be the first to hear what's new at MSN - sign up to our free >> >> >>>newsletters! >> >> >>> >>http://www.msn.co.uk/newsletters >> >> >>> >> >> >> >>> >> >> >> >>> >> >> >> >>--------------------------------------------------------------------- >> >> >>> >>To unsubscribe, e-mail: >> >>[EMAIL PROTECTED] >> >> >>> >>For additional commands, e-mail: >> >>[EMAIL PROTECTED] >> >> >>> >> >> >> >>> >> >> >> >>> > >> >> >>> > >> >> >>> >-- >> >> >>> >Forio Business Simulations >> >> >>> > >> >> >>> >Will Glass-Husain >> >> >>> >[EMAIL PROTECTED] >> >> >>> >www.forio.com >> >> >>> > >> >> >>> >> >> >--------------------------------------------------------------------- >> >> >>> >To unsubscribe, e-mail: >>[EMAIL PROTECTED] >> >> >>> >For additional commands, e-mail: >> >>[EMAIL PROTECTED] >> >> >>> > >> >> >>> >> >> >>>_________________________________________________________________ >> >> >>>Download the new Windows Live Toolbar, including Desktop search! >> >> >>>http://toolbar.live.com/?mkt=en-gb >> >> >>> >> >> >>> >> >> >> >>>--------------------------------------------------------------------- >> >> >>>To unsubscribe, e-mail: >>[EMAIL PROTECTED] >> >> >>>For additional commands, e-mail: >>[EMAIL PROTECTED] >> >> >>> >> >> >>> >> >> >> >> >> >> >> >> >>-- >> >> >>Forio Business Simulations >> >> >> >> >> >>Will Glass-Husain >> >> >>[EMAIL PROTECTED] >> >> >>www.forio.com >> >> >> >> >> >> >>--------------------------------------------------------------------- >> >> >>To unsubscribe, e-mail: [EMAIL PROTECTED] >> >> >>For additional commands, e-mail: >>[EMAIL PROTECTED] >> >> >> >> >> > >> >> >_________________________________________________________________ >> >> >Windows Live� Messenger has arrived. Click here to download it for >> >>free! >> >> >http://imagine-msn.com/messenger/launch80/?locale=en-gb >> >> > >> >> > >> >> >--------------------------------------------------------------------- >> >> >To unsubscribe, e-mail: [EMAIL PROTECTED] >> >> >For additional commands, e-mail: >>[EMAIL PROTECTED] >> >> > >> >> >> >>_________________________________________________________________ >> >>Be the first to hear what's new at MSN - sign up to our free >>newsletters! >> >>http://www.msn.co.uk/newsletters >> >> >> >> >> >>--------------------------------------------------------------------- >> >>To unsubscribe, e-mail: [EMAIL PROTECTED] >> >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> >> >> > >> > >> >-- >> >Forio Business Simulations >> > >> >Will Glass-Husain >> >[EMAIL PROTECTED] >> >www.forio.com >> >>_________________________________________________________________ >>Windows Live� Messenger has arrived. Click here to download it for free! >>http://imagine-msn.com/messenger/launch80/?locale=en-gb >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > >-- >Forio Business Simulations > >Will Glass-Husain >[EMAIL PROTECTED] >www.forio.com _________________________________________________________________ The new Windows Live Toolbar helps you guard against viruses http://toolbar.live.com/?mkt=en-gb --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Forio Business Simulations Will Glass-Husain [EMAIL PROTECTED] www.forio.com
