Re: Velocity Config/Security Issue

Robin Mannering
Wed, 11 Oct 2006 23:37:42 -0700

Hi Will,

Thanks for your time on this one!

I'm using VelocityLayoutServlet btw.

Here are the details of my local machine and that of my hosted environment.The technician I have been working with me has just sent me this email whichmay be of help too:


------------------------

I've established that this is a security manager problem. When I turn offthe security manager, your test page shows a meaningful value forrequest.session.id. I'll need to do more testing to determine which securitygrant it needs though. Even with full debugging turned on I don't see anyaccess denied errors. I'll have to see whether Velocity has anydocumentation on what it needs.

------------------------

Local Machine:

org.apache.velocity.tools.view.servlet.VelocityLayoutServlet
Tomcat 5.0
j2sdk1.4.2_05
Apache is NOT installed.
Win XP


Hosted server

org.apache.velocity.tools.view.servlet.VelocityLayoutServlet
Tomcat 5.5.17 (Standard install)
JDK 5
Apache
Linux

From: "Will Glass-Husain" <[EMAIL PROTECTED]>
Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
To: "Velocity Users List" <velocity-user@jakarta.apache.org>
Subject: Re: Velocity Config/Security Issue
Date: Wed, 11 Oct 2006 15:54:51 -0700

One more question.  What's your platform
-- version of Tomcat
-- version of JDK
-- Win, Linux, etc?

(and to repeat the last email for redundancy)
-- VelocityServlet or VelocityViewServlet (with version)

I run an instance of Tomcat with a security policy.  I've found
numerous inconsistencies even within Tomcat that require security
permissions to be opened up.  (There was a bug with the 4.1.x series
for example for which I had to open up something similar).

I tend to think you've hit a Tomcat bug triggered by the way Velocity
accesses the request object.  Send the info back and we can dig into
this.

WILL

On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote:

Sorry, some more logging that might make it clearer.

My local machine uses request objects:
[EMAIL PROTECTED]
and
[EMAIL PROTECTED]

Whereas the hosted server with the problem uses:
[EMAIL PROTECTED]
and
[EMAIL PROTECTED]



Log 1 - From action class running on hosted server
--------------------------------------------------
11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
    | request = '[EMAIL PROTECTED]'
11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
    | request.getContextPath() = ''
11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
    | request.getMethod() = 'GET'
11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
    | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
    | request.getRequestURI() = '/test.htm'
11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
    | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
    | request.getServletPath() = '/test.htm'


Log 2 - From VM Template/page running on hosted server
------------------------------------------------------
request = '[EMAIL PROTECTED]'
request.contextPath = '/'
request.method = 'GET'
request.session.id = '$request.session.id'
request.requestURI = '//test.vm'
request.requestURL = 'http://www.chaletexplorer.com//test.vm'
request.servletPath = '/test.vm'


Log 3 - From action class (running on my local machine)
-------------------------------------------------------

12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
    | request = '[EMAIL PROTECTED]'
12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
    | request.getContextPath() = '/indy'
12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
    | request.getMethod() = 'GET'
12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
    | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F'
12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
    | request.getRequestURI() = '/indy/test.htm'
12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
    | request.getRequestURL() = 'http://localhost:8080/indy/test.htm'
12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
    | request.getServletPath() = '/test.htm'


Log 4 - From VM Template/page (running on my local machine)
-----------------------------------------------------------
request = '[EMAIL PROTECTED]'
request.contextPath = '/indy'
request.method = 'GET'
request.session.id = '79E50B9B3F25A2897BF420521952D51F'
request.requestURI = '/indy/test.vm'
request.requestURL = 'http://localhost:8080/indy/test.htm'
request.servletPath = '/test.vm'



--------------------------------------------------


>From: "Robin Mannering" <[EMAIL PROTECTED]>
>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>To: velocity-user@jakarta.apache.org
>Subject: Re: Velocity Config/Security Issue
>Date: Wed, 11 Oct 2006 22:08:29 +0000
>
>Hi all,
>
>Can anyone shed some light? I have some more facts now....
>
>The original problem was Velocity required permission on a core package
>within catalina. Is this because it couldn't find the 'correct' request
>object.
>

>Here are some logs, the first is from a Struts action class, the secondis>output from the velocity template forwarded to immediately after theaction

>class.  They refer to different request objects that ultimately give
>different values. Should the velocity template not also refer to
>[EMAIL PROTECTED] ??
>
>Any help/clues would be greatly appreciated.
>
>Log 1 - From action class
>----------------------------------
>11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
>     | request = '[EMAIL PROTECTED]'
>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>     | request.getContextPath() = ''
>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>     | request.getMethod() = 'GET'
>11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>     | request.getRequestURI() = '/test.htm'
>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic

> | request.getRequestURL() ='http://www.chaletexplorer.com/test.htm'

>11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>     | request.getServletPath() = '/test.htm'
>
>Log 2 - From VM Template/page
>-----------------------------
>request = '[EMAIL PROTECTED]'
>
>request.contextPath = '/'
>
>request.method = 'GET'
>
>request.session.id = '$request.session.id'
>
>request.requestURI = '//test.vm'
>
>request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>
>request.servletPath = '/test.vm'
>
>
>
>
>
>
>
>>From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>>Subject: Re: Velocity Config/Security Issue
>>Date: Wed, 11 Oct 2006 06:25:35 -0700
>>
>>I don't think it's Velocity which requires that permission, I'm
>>guessing it's the request object which is ultimately provided by
>>Tomcat...
>>
>>WILL
>>
>>On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
>>>Hi Will,
>>>
>>>Thanks for the links, I'll give them a thorough read.
>>>

>>>I've been working with the hosting company who set up the serverconfig

>>>and
>>>they have give the application permission to org.apache.catalina.core
>>>although they are troubled to do so.
>>>
>>>They seem very surprised that velocity requires this permission.
>>>
>>>Since they granted the permission, the problem has cleared up and

>>>$request.contextPath now has a value within a velocity template(although

>>>this has changed from an empty value to '/' so I need to make source
>>>amendments.  Not a problem, just worrying it takes on a new value in a
>>>different hosting environment.
>>>
>>>Thanks again for your help
>>>Robin
>>>
>>>
>>> >From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>>> >Subject: Re: Velocity Config/Security Issue
>>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
>>> >

>>> >What app server are you using? This is a server configurationissue.

>>> >If someone else set it up, you might also want to work with them.
>>> >
>>> >If you're using Tomcat, check out:
>>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
>>> >
>>> >And you should read the Sun docs at:
>>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
>>> >
>>> >WILL
>>> >
>>> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
>>> >>Hi Will,
>>> >>

>>> >>thanks for your help. Sorry. I'm new to permissions, could youexplain

>>>a
>>> >>little more for me please.
>>> >>
>>> >>Thanks
>>> >>Robin
>>> >>
>>> >>
>>> >> >From: "Will Glass-Husain" <[EMAIL PROTECTED]>

>>> >> >Reply-To: "Velocity Users List"<velocity-user@jakarta.apache.org>

>>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>>> >> >Subject: Re: Velocity Config/Security Issue
>>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
>>> >> >

>>> >> >Looks like the security policy on your app server needs to betuned.>>> >> >Have you tried giving the permission java.lang.RuntimePermissionfor

>>> >> >accessClassInPackage.org.apache.catalina.core?
>>> >> >
>>> >> >WILL
>>> >> >

>>> >> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]>wrote:

>>> >> >>Hi all,
>>> >> >>
>>> >> >>I'm new back on this list in a while, please excuse if the
>>>following
>>> >> >>problem
>>> >> >>is obvious/has been posted before.
>>> >> >>
>>> >> >>I am transferring an existing site based on Struts/Velocity to a
>>>new
>>> >>web
>>> >> >>hosting provider.  The application runs smoothly on its current
>>>host.
>>> >> >>
>>> >> >>However, there seems to be one last stumbling block with the new
>>>server
>>> >>in

>>> >> >>that the Struts object; 'request' appears not to be in scopewithin

>>> >> >>velocity
>>> >> >>pages (there may be others not in scope).
>>> >> >>
>>> >> >>I'm using the VelocityLayoutServlet if that helps.
>>> >> >>

>>> >> >>I've attached a snippet of the log file that points to theproblem

>>>I

>>> >> >>mentioned, notable the 'java.security.AccessControlException'and

>>> >> >>'$request.contextPath is not a valid reference'
>>> >> >>

>>> >> >>All other velocity directives appear to be functioning asnormal.

>>> >> >>
>>> >> >>Has anyone seen this behaviour before? Any help would be greatly
>>> >> >>appreciated.
>>> >> >>
>>> >> >>Kind regards
>>> >> >>Robin
>>> >> >>
>>> >> >>10-Oct 02:45:21.752 |INFO |                       [/].log
>>> >> >>     |  Velocity   [info] ResourceManager : found
>>> >>/pages/frontend/home.vm
>>> >> >>with loader org.apache.velocity.tools.view.servlet.WebappLoader
>>> >> >>10-Oct 02:45:21.761 |INFO |                       [/].log
>>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() :
>>> >> >>java.security.AccessControlException: access denied
>>> >> >>(java.lang.RuntimePermission
>>> >> >>accessClassInPackage.org.apache.catalina.core)
>>> >> >>10-Oct 02:45:21.763 |INFO |                       [/].log
>>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier =
>>> >> >>contextPath
>>> >> >>: java.security.AccessControlException: access denied
>>> >> >>(java.lang.RuntimePermission
>>> >> >>accessClassInPackage.org.apache.catalina.core)
>>> >> >>10-Oct 02:45:21.764 |INFO |                       [/].log
>>> >> >>     |  Velocity  [error] RHS of #set statement is null. Context
>>>will
>>> >>not
>>> >> >>be
>>> >> >>modified. /pages/frontend/home.vm [line 9, column 1]
>>> >> >>10-Oct 02:45:21.772 |INFO |                       [/].log
>>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() :
>>> >> >>java.security.AccessControlException: access denied
>>> >> >>(java.lang.RuntimePermission
>>> >> >>accessClassInPackage.org.apache.catalina.core)
>>> >> >>10-Oct 02:45:21.773 |INFO |                       [/].log
>>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier =
>>> >> >>contextPath
>>> >> >>: java.security.AccessControlException: access denied
>>> >> >>(java.lang.RuntimePermission
>>> >> >>accessClassInPackage.org.apache.catalina.core)
>>> >> >>10-Oct 02:45:21.774 |INFO |                       [/].log
>>> >> >>     |  Velocity   [warn]

>>> >> >>org.apache.velocity.runtime.exception.ReferenceException:reference

>>>:
>>> >> >>template = /pages/frontend/home.vm [line 32,column 34] :
>>> >> >>$request.contextPath is not a valid reference.
>>> >> >>

>>> >>>>_________________________________________________________________>>> >> >>Windows Liveï¿½ Messenger has arrived. Click here to download itfor

>>> >>free!
>>> >> >>http://imagine-msn.com/messenger/launch80/?locale=en-gb
>>> >> >>
>>> >> >>
>>> >>

>>>>>---------------------------------------------------------------------

>>> >> >>To unsubscribe, e-mail:
>>>[EMAIL PROTECTED]
>>> >> >>For additional commands, e-mail:
>>>[EMAIL PROTECTED]
>>> >> >>
>>> >> >>
>>> >> >
>>> >> >
>>> >> >--
>>> >> >Forio Business Simulations
>>> >> >
>>> >> >Will Glass-Husain
>>> >> >[EMAIL PROTECTED]
>>> >> >www.forio.com
>>> >> >
>>> >>

>>>>--------------------------------------------------------------------->>> >> >To unsubscribe, e-mail:[EMAIL PROTECTED]

>>> >> >For additional commands, e-mail:
>>>[EMAIL PROTECTED]
>>> >> >
>>> >>
>>> >>_________________________________________________________________
>>> >>Be the first to hear what's new at MSN - sign up to our free
>>>newsletters!
>>> >>http://www.msn.co.uk/newsletters
>>> >>
>>> >>

>>>>>--------------------------------------------------------------------->>> >>To unsubscribe, e-mail:[EMAIL PROTECTED]>>> >>For additional commands, e-mail:[EMAIL PROTECTED]

>>> >>
>>> >>
>>> >
>>> >
>>> >--
>>> >Forio Business Simulations
>>> >
>>> >Will Glass-Husain
>>> >[EMAIL PROTECTED]
>>> >www.forio.com
>>> >

>>>>---------------------------------------------------------------------

>>> >To unsubscribe, e-mail: [EMAIL PROTECTED]

>>> >For additional commands, e-mail:[EMAIL PROTECTED]

>>> >
>>>
>>>_________________________________________________________________
>>>Download the new Windows Live Toolbar, including Desktop search!
>>>http://toolbar.live.com/?mkt=en-gb
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>>
>>
>>--
>>Forio Business Simulations
>>
>>Will Glass-Husain
>>[EMAIL PROTECTED]
>>www.forio.com
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>
>
>_________________________________________________________________

>Windows Liveï¿½ Messenger has arrived. Click here to download it forfree!

>http://imagine-msn.com/messenger/launch80/?locale=en-gb
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>

_________________________________________________________________
Be the first to hear what's new at MSN - sign up to our free newsletters!
http://www.msn.co.uk/newsletters


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com


_________________________________________________________________

Windows Live Messenger has arrived. Click here to download it for free!http://imagine-msn.com/messenger/launch80/?locale=en-gb



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to