[ 
http://issues.apache.org/jira/browse/VELTOOLS-66?page=comments#action_12450167 
] 
            
Rainer Jung commented on VELTOOLS-66:
-------------------------------------

Hi,

I debugged the situation a bit using a JSP. The class belonging to e.g. request 
is of type org.apache.catalina.connector.RequestFacade during runtime. Access 
to this class is not allowed with tomcat's default policy file, so 
request.getClass().getMethods() fails.

What you really want to access is the interface 
javax.servlet.http.HttpServletRequest.

The following construction gives the right result. It's a bit clumsy, but at 
least it does the right things:

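// "request" is the JSP implicit object; java.lang.reflect.Method must be imported
Object o=request;
String interfaceName="javax.servlet.http.HttpServletRequest";

Class clazz=o.getClass();
// look for the servlet spec interface among the interfaces of the runtime class
Class[] interfaceList=clazz.getInterfaces();
int i=0;
while (i<interfaceList.length &&
       ! interfaceList[i].getName().equals(interfaceName)) {
   i++;
}
if ( i<interfaceList.length ) {
   // reflect on the interface instead of the container's facade class
   clazz=interfaceList[i];
   Method [] m=clazz.getMethods();
}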

I tried the same with

Object o=session;
String interfaceName="javax.servlet.http.HttpSession";

and it works too. So it looks like you need some logic to map the standard 
servlet spec objects to their interface names and then have to search for the 
correct interface class.

Regards,

Rainer

> Velocity Tools gives access exception with $request reference under Tomcat 
> security manager
> -------------------------------------------------------------------------------------------
>
>                 Key: VELTOOLS-66
>                 URL: http://issues.apache.org/jira/browse/VELTOOLS-66
>             Project: VelocityTools
>          Issue Type: New Feature
>          Components: VelocityView
>    Affects Versions: 1.2
>            Reporter: Will Glass-Husain
>
> I'm labeling this as a bug, though it's arguable whether the fault is of 
> Tomcat or Velocity.  Regardless, we should apply a workaround.  I've 
> replicated this issue with Velocity 1.4 / Tools 1.2 / JDK 1.5 / Tomcat 5.5
> The problem.  When the Tomcat is run under the default security manager 
> settings, it prohibits reflection on org.catalina classes.  This means that 
> the reference $request.session.id fails with an access violation
> INFO:  Velocity  [error] PROGRAMMER ERROR : PropertyExector() : 
> java.security.AccessControlException: access denied 
> (java.lang.RuntimePermission 
> accessClassInPackage.org.apache.catalina.connector)
> Sometimes the package given is org.apache.catalina.core, sometimes 
> org.apache.catalina.session, depending on various factors.
> Users can alter their security policy to allow this access.  But this is an 
> obscure procedure and may not be feasible if you do not control your hosting 
> environment.  For the record, the settings for catalina.policy are (change 
> the path to suit your webapp)
> grant codeBase 
> "file:${catalina.home}/webapps/simple/WEB-INF/lib/velocity-1.4.jar"
> {
>        permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.connector";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.session";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.core";
> };
> grant codeBase 
> "file:${catalina.home}/webapps/simple/WEB-INF/lib/velocity-tools-view-1.2.jar"
> {
>        permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.connector";
>        permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.session";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.catalina.core";
> };
> As an alternative, I propose that the Velocity Tools project solve this by 
> creating a wrapper object for HttpServletRequest.  (presumably the problem also 
> exists for $response, though I haven't tried it).  This object would simply 
> pass through all calls to the server-provided HttpServletRequest. Obviously, 
> there would need to be a parallel wrapper for HttpSession, 
> HttpServletContext, and similar objects available from HttpServletRequest 
> methods.  The result would be that the Velocity page would never apply 
> reflection to a Catalina class.  (and hence never generate this security 
> error).
> This issue is in reference to a problem encountered and described on the user 
> list by Robin Mannering.
> http://www.mail-archive.com/[email protected]/msg17060.html

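The interface lookup described in the comment above, as an added example (not code from the thread or from VelocityTools). It goes beyond the posted loop by also searching superclasses and superinterfaces, since getInterfaces() only returns the interfaces a class declares directly. The class name SpecInterfaceLookup, its method names and the SERVLET_SPEC list are assumptions, and main() uses a JDK stand-in object because the servlet API is not assumed to be on the classpath.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;

public class SpecInterfaceLookup {
    // Interfaces a template may reflect on. The request and session names are
    // from the comment above; the other two are assumed additions.
    static final List<String> SERVLET_SPEC = Arrays.asList(
        "javax.servlet.http.HttpServletRequest",
        "javax.servlet.http.HttpServletResponse",
        "javax.servlet.http.HttpSession",
        "javax.servlet.ServletContext");

    // Breadth-first search over the interfaces of o's class, its superclasses
    // and their superinterfaces. Only getInterfaces()/getSuperclass() are called
    // on the container's class, never getMethods().
    static Class<?> findInterface(Object o, List<String> allowed) {
        Deque<Class<?>> todo = new ArrayDeque<>();
        for (Class<?> c = o.getClass(); c != null; c = c.getSuperclass()) {
            todo.addAll(Arrays.asList(c.getInterfaces()));
        }
        while (!todo.isEmpty()) {
            Class<?> iface = todo.poll();
            if (allowed.contains(iface.getName())) return iface;
            todo.addAll(Arrays.asList(iface.getInterfaces()));
        }
        return null; // caller decides how to fail; no fallback to o.getClass()
    }

    // Resolves the method on the public interface and invokes it on the object.
    static Object call(Object o, String method, List<String> allowed) throws Exception {
        Class<?> iface = findInterface(o, allowed);
        if (iface == null) {
            throw new IllegalArgumentException("no permitted interface on " + o);
        }
        return iface.getMethod(method).invoke(o);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in so this runs without the servlet API: ArrayList
        // does not declare java.util.Collection itself, so the search has to
        // go through its superclasses and superinterfaces to find it.
        Object o = new ArrayList<>(Arrays.asList("a", "b"));
        System.out.println(call(o, "size", Arrays.asList("java.util.Collection")));
        System.out.println(findInterface(o, SERVLET_SPEC)); // not a servlet object
    }
}
```

Inside a webapp the same call would be made with the container's request or session object and SERVLET_SPEC as the allowed list, so reflection only ever touches javax.servlet interfaces and no accessClassInPackage grant for org.apache.catalina packages is needed.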