I'll play around with this. Might be a day or so. On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
Hi, Sorry I forgot the velocity version: Velocity 1.4 >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >Subject: Re: Velocity Config/Security Issue >Date: Wed, 11 Oct 2006 15:54:51 -0700 > >One more question. What's your platform >-- version of Tomcat >-- version of JDK >-- Win, Linux, etc? > >(and to repeat the last email for redundancy) >-- VelocityServlet or VelocityViewServlet (with version) > >I run an instance of Tomcat with a security policy. I've found >numerous inconsistencies even within Tomcat that require security >permissions to be opened up. (There was a bug with the 4.1.x series >for example for which I had to open up something similar). > >I tend to think you've hit a Tomcat bug triggered by the way Velocity >accesses the request object. Send the info back and we can dig into >this. > >WILL > >On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >>Sorry, some more logging that might make it clearer. >> >>My local machine uses request objects: >>[EMAIL PROTECTED] >>and >>[EMAIL PROTECTED] >> >>Whereas the hosted server with the problem uses: >>[EMAIL PROTECTED] >>and >>[EMAIL PROTECTED] >> >> >> >>Log 1 - From action class running on hosted server >>-------------------------------------------------- >>11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic >> | request = '[EMAIL PROTECTED]' >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> | request.getContextPath() = '' >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> | request.getMethod() = 'GET' >>11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic >> | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D' >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> | request.getRequestURI() = '/test.htm' >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm' >>11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic >> | request.getServletPath() = '/test.htm' >> >> >>Log 2 - From VM Template/page running on hosted server >>------------------------------------------------------ >>request = '[EMAIL PROTECTED]' >>request.contextPath = '/' >>request.method = 'GET' >>request.session.id = '$request.session.id' >>request.requestURI = '//test.vm' >>request.requestURL = 'http://www.chaletexplorer.com//test.vm' >>request.servletPath = '/test.vm' >> >> >>Log 3 - From action class (running on my local machine) >>------------------------------------------------------- >> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> | request = '[EMAIL PROTECTED]' >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> | request.getContextPath() = '/indy' >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> | request.getMethod() = 'GET' >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F' >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic >> | request.getRequestURI() = '/indy/test.htm' >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic >> | request.getRequestURL() = 'http://localhost:8080/indy/test.htm' >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic >> | request.getServletPath() = '/test.htm' >> >> >>Log 4 - From VM Template/page (running on my local machine) >>----------------------------------------------------------- >>request = '[EMAIL PROTECTED]' >>request.contextPath = '/indy' >>request.method = 'GET' >>request.session.id = '79E50B9B3F25A2897BF420521952D51F' >>request.requestURI = '/indy/test.vm' >>request.requestURL = 'http://localhost:8080/indy/test.htm' >>request.servletPath = '/test.vm' >> >> >> >>-------------------------------------------------- >> >> >> >From: "Robin Mannering" <[EMAIL PROTECTED]> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >To: velocity-user@jakarta.apache.org >> >Subject: Re: Velocity Config/Security Issue >> >Date: Wed, 11 Oct 2006 22:08:29 +0000 >> > >> >Hi all, >> > >> >Can anyone shed some light? I have some more facts now.... >> > >> >The original problem was Velocity required permission on a core package >> >within catalina. Is this because it couldn't find the 'correct' request >> >object. >> > >> >Here are some logs, the first is from a Struts action class, the second >>is >> >output from the velocity template forwarded to immediately after the >>action >> >class. They refer to different request objects that ultimately give >> >different values. Should the velocity template not also refer to >> >[EMAIL PROTECTED] ?? >> > >> >Any help/clues would be greatly appreciated. >> > >> >Log 1 - From action class >> >---------------------------------- >> >11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic >> > | request = '[EMAIL PROTECTED]' >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> > | request.getContextPath() = '' >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic >> > | request.getMethod() = 'GET' >> >11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic >> > | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D' >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> > | request.getRequestURI() = '/test.htm' >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic >> > | request.getRequestURL() = >>'http://www.chaletexplorer.com/test.htm' >> >11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic >> > | request.getServletPath() = '/test.htm' >> > >> >Log 2 - From VM Template/page >> >----------------------------- >> >request = '[EMAIL PROTECTED]' >> > >> >request.contextPath = '/' >> > >> >request.method = 'GET' >> > >> >request.session.id = '$request.session.id' >> > >> >request.requestURI = '//test.vm' >> > >> >request.requestURL = 'http://www.chaletexplorer.com//test.vm' >> > >> >request.servletPath = '/test.vm' >> > >> > >> > >> > >> > >> > >> > >> >>From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >>Subject: Re: Velocity Config/Security Issue >> >>Date: Wed, 11 Oct 2006 06:25:35 -0700 >> >> >> >>I don't think it's Velocity which requires that permission, I'm >> >>guessing it's the request object which is ultimately provided by >> >>Tomcat... >> >> >> >>WILL >> >> >> >>On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >> >>>Hi Will, >> >>> >> >>>Thanks for the links, I'll give them a thorough read. >> >>> >> >>>I've been working with the hosting company who set up the server >>config >> >>>and >> >>>they have give the application permission to org.apache.catalina.core >> >>>although they are troubled to do so. >> >>> >> >>>They seem very surprised that velocity requires this permission. >> >>> >> >>>Since they granted the permission, the problem has cleared up and >> >>>$request.contextPath now has a value within a velocity template >>(although >> >>>this has changed from an empty value to '/' so I need to make source >> >>>amendments. Not a problem, just worrying it takes on a new value in a >> >>>different hosting environment. >> >>> >> >>>Thanks again for your help >> >>>Robin >> >>> >> >>> >> >>> >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >>> >Subject: Re: Velocity Config/Security Issue >> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700 >> >>> > >> >>> >What app server are you using? This is a server configuration >>issue. >> >>> >If someone else set it up, you might also want to work with them. >> >>> > >> >>> >If you're using Tomcat, check out: >> >>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html >> >>> > >> >>> >And you should read the Sun docs at: >> >>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html >> >>> > >> >>> >WILL >> >>> > >> >>> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]> wrote: >> >>> >>Hi Will, >> >>> >> >> >>> >>thanks for your help. Sorry. I'm new to permissions, could you >>explain >> >>>a >> >>> >>little more for me please. >> >>> >> >> >>> >>Thanks >> >>> >>Robin >> >>> >> >> >>> >> >> >>> >> >From: "Will Glass-Husain" <[EMAIL PROTECTED]> >> >>> >> >Reply-To: "Velocity Users List" >><velocity-user@jakarta.apache.org> >> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org> >> >>> >> >Subject: Re: Velocity Config/Security Issue >> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700 >> >>> >> > >> >>> >> >Looks like the security policy on your app server needs to be >>tuned. >> >>> >> >Have you tried giving the permission java.lang.RuntimePermission >>for >> >>> >> >accessClassInPackage.org.apache.catalina.core? >> >>> >> > >> >>> >> >WILL >> >>> >> > >> >>> >> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]> >>wrote: >> >>> >> >>Hi all, >> >>> >> >> >> >>> >> >>I'm new back on this list in a while, please excuse if the >> >>>following >> >>> >> >>problem >> >>> >> >>is obvious/has been posted before. >> >>> >> >> >> >>> >> >>I am transferring an existing site based on Struts/Velocity to a >> >>>new >> >>> >>web >> >>> >> >>hosting provider. The application runs smoothly on its current >> >>>host. >> >>> >> >> >> >>> >> >>However, there seems to be one last stumbling block with the new >> >>>server >> >>> >>in >> >>> >> >>that the Struts object; 'request' appears not to be in scope >>within >> >>> >> >>velocity >> >>> >> >>pages (there may be others not in scope). >> >>> >> >> >> >>> >> >>I'm using the VelocityLayoutServlet if that helps. >> >>> >> >> >> >>> >> >>I've attached a snippet of the log file that points to the >>problem >> >>>I >> >>> >> >>mentioned, notable the 'java.security.AccessControlException' >>and >> >>> >> >>'$request.contextPath is not a valid reference' >> >>> >> >> >> >>> >> >>All other velocity directives appear to be functioning as >>normal. >> >>> >> >> >> >>> >> >>Has anyone seen this behaviour before? Any help would be greatly >> >>> >> >>appreciated. >> >>> >> >> >> >>> >> >>Kind regards >> >>> >> >>Robin >> >>> >> >> >> >>> >> >>10-Oct 02:45:21.752 |INFO | [/].log >> >>> >> >> | Velocity [info] ResourceManager : found >> >>> >>/pages/frontend/home.vm >> >>> >> >>with loader org.apache.velocity.tools.view.servlet.WebappLoader >> >>> >> >>10-Oct 02:45:21.761 |INFO | [/].log >> >>> >> >> | Velocity [error] PROGRAMMER ERROR : PropertyExector() : >> >>> >> >>java.security.AccessControlException: access denied >> >>> >> >>(java.lang.RuntimePermission >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >>> >> >>10-Oct 02:45:21.763 |INFO | [/].log >> >>> >> >> | Velocity [error] ASTIdentifier.execute() : identifier = >> >>> >> >>contextPath >> >>> >> >>: java.security.AccessControlException: access denied >> >>> >> >>(java.lang.RuntimePermission >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >>> >> >>10-Oct 02:45:21.764 |INFO | [/].log >> >>> >> >> | Velocity [error] RHS of #set statement is null. Context >> >>>will >> >>> >>not >> >>> >> >>be >> >>> >> >>modified. /pages/frontend/home.vm [line 9, column 1] >> >>> >> >>10-Oct 02:45:21.772 |INFO | [/].log >> >>> >> >> | Velocity [error] PROGRAMMER ERROR : PropertyExector() : >> >>> >> >>java.security.AccessControlException: access denied >> >>> >> >>(java.lang.RuntimePermission >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >>> >> >>10-Oct 02:45:21.773 |INFO | [/].log >> >>> >> >> | Velocity [error] ASTIdentifier.execute() : identifier = >> >>> >> >>contextPath >> >>> >> >>: java.security.AccessControlException: access denied >> >>> >> >>(java.lang.RuntimePermission >> >>> >> >>accessClassInPackage.org.apache.catalina.core) >> >>> >> >>10-Oct 02:45:21.774 |INFO | [/].log >> >>> >> >> | Velocity [warn] >> >>> >> >>org.apache.velocity.runtime.exception.ReferenceException: >>reference >> >>>: >> >>> >> >>template = /pages/frontend/home.vm [line 32,column 34] : >> >>> >> >>$request.contextPath is not a valid reference. >> >>> >> >> >> >>> >> >> >>_________________________________________________________________ >> >>> >> >>Windows Live� Messenger has arrived. Click here to download it >>for >> >>> >>free! >> >>> >> >>http://imagine-msn.com/messenger/launch80/?locale=en-gb >> >>> >> >> >> >>> >> >> >> >>> >> >> >>> >> >>--------------------------------------------------------------------- >> >>> >> >>To unsubscribe, e-mail: >> >>>[EMAIL PROTECTED] >> >>> >> >>For additional commands, e-mail: >> >>>[EMAIL PROTECTED] >> >>> >> >> >> >>> >> >> >> >>> >> > >> >>> >> > >> >>> >> >-- >> >>> >> >Forio Business Simulations >> >>> >> > >> >>> >> >Will Glass-Husain >> >>> >> >[EMAIL PROTECTED] >> >>> >> >www.forio.com >> >>> >> > >> >>> >> >> >>> >> >--------------------------------------------------------------------- >> >>> >> >To unsubscribe, e-mail: >>[EMAIL PROTECTED] >> >>> >> >For additional commands, e-mail: >> >>>[EMAIL PROTECTED] >> >>> >> > >> >>> >> >> >>> >>_________________________________________________________________ >> >>> >>Be the first to hear what's new at MSN - sign up to our free >> >>>newsletters! >> >>> >>http://www.msn.co.uk/newsletters >> >>> >> >> >>> >> >> >>> >> >>--------------------------------------------------------------------- >> >>> >>To unsubscribe, e-mail: >>[EMAIL PROTECTED] >> >>> >>For additional commands, e-mail: >>[EMAIL PROTECTED] >> >>> >> >> >>> >> >> >>> > >> >>> > >> >>> >-- >> >>> >Forio Business Simulations >> >>> > >> >>> >Will Glass-Husain >> >>> >[EMAIL PROTECTED] >> >>> >www.forio.com >> >>> > >> >>> >> >--------------------------------------------------------------------- >> >>> >To unsubscribe, e-mail: [EMAIL PROTECTED] >> >>> >For additional commands, e-mail: >>[EMAIL PROTECTED] >> >>> > >> >>> >> >>>_________________________________________________________________ >> >>>Download the new Windows Live Toolbar, including Desktop search! >> >>>http://toolbar.live.com/?mkt=en-gb >> >>> >> >>> >> >>>--------------------------------------------------------------------- >> >>>To unsubscribe, e-mail: [EMAIL PROTECTED] >> >>>For additional commands, e-mail: [EMAIL PROTECTED] >> >>> >> >>> >> >> >> >> >> >>-- >> >>Forio Business Simulations >> >> >> >>Will Glass-Husain >> >>[EMAIL PROTECTED] >> >>www.forio.com >> >> >> >>--------------------------------------------------------------------- >> >>To unsubscribe, e-mail: [EMAIL PROTECTED] >> >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> > >> >_________________________________________________________________ >> >Windows Live� Messenger has arrived. Click here to download it for >>free! >> >http://imagine-msn.com/messenger/launch80/?locale=en-gb >> > >> > >> >--------------------------------------------------------------------- >> >To unsubscribe, e-mail: [EMAIL PROTECTED] >> >For additional commands, e-mail: [EMAIL PROTECTED] >> > >> >>_________________________________________________________________ >>Be the first to hear what's new at MSN - sign up to our free newsletters! >>http://www.msn.co.uk/newsletters >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > >-- >Forio Business Simulations > >Will Glass-Husain >[EMAIL PROTECTED] >www.forio.com _________________________________________________________________ Windows Live� Messenger has arrived. Click here to download it for free! http://imagine-msn.com/messenger/launch80/?locale=en-gb --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Forio Business Simulations Will Glass-Husain [EMAIL PROTECTED] www.forio.com