Re: Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, On 2/4/20 3:33 PM, Christopher Schultz wrote: > I just upgraded an application from commons-beanutils-1.9.3 to > commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0 > and I'm getting this error on startup: > > Caused by: org.apache.velocity.tools.config.NullKeyException: Key > is null for tool whose class is 'null' at > org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfig ur > > ation.java:348) I think I've figured this out. The ToolConfiguration class has two sets of properties: public void setClass(Class); // Write-only public void getClassname(String); // Write public String getClassname(); // Read In my tools.xml, I had the following XML: [...] In commons-beanutils up through 1.9.3, it would happily convert the "class" XML attribute into an instance of java.lang.Class representing the Class named in the string, and call setClass(Class) which ... just sets the class name: public void setClass(Class clazz) { setClassname(clazz.getName()); } In commons-beanutils-1.9.4, it doesn't want to allow you to set a Class property anymore. I didn't follow all the code in commons-beanutils all the way down, but I was able to finally see that it wasn't finding "class" as a settable property on the ToolConfiguration class for whatever reason (probably a blacklist of property names). The obvious solution is just to use the "classname" attribute instead of the "class" attribute and everything is fine: [...] And now I get what I'm expecting: FactoryConfiguration from 4 sources with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 15 tools: Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool with 1 properties [classname -auto-> org.apache.velocity.tools.generic.AlternatorTool; ] [...] I hope that helps someone else with this same problem, because I was seriously worried about what I was going to do, here :) I'm going to post a message to the users@ list summarizing this just in case it happens to anyone else. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl46/18ACgkQHPApP6U8 pFggDBAAswWW93jo2wV895n/K6uGIlYIQLojgsvUs7/OMUOy2uElaQvlTQqBdLwJ JVue4eEDqbVSKXMPW73Jwisq44YvltiPcNFnQCxJzUKnVZDborvmgLgv3puIeD+y yx16iBL1QUQ5z0aSE7K9TxhLpWpgp5N0/CmQonbGzrIkAnbCimZnuxrUrMKjQ2Ip /oUCrdKKbypjrSbqVwR1K24HoGcA9S+pPPTAaWUEbrgFq5GpbzWFhTwOVinBWa87 8nWSqbE2ilIjPKvWH2IvLCTB59raPAywYp3RBVI2TUaBWWfO94LFuhdI3AgmRgde p42I0ms7Q4fbAAUraHkKqKjaL2F39UcnMXhskqqHrjf08B6YFecto01eOhWuySDG /L22MTp6Hy7W15rcPS5mewU2YaM5p/PXu3NzyiQGqArQ81BaZq31Wwz9kagNneLu 0PNVQWjOeQ/k0mtSuStk/Sc2uYIAhsFWU3B6BnrapomrL474g+AN8rFpFqH6lsOo RQHDBnbcXAx2hOq7VjEUj2HL2PqIYZIsD9c+JZ6k2FdQDeRr0702atHHfgDE9VVo QAaC148exVl3SHgsuLQXVViQSMWfuPqWLiu6eThRnox3HEs/VDqGJEi+DQ5icmP6 dvNlmfdowwT1jrAdhPAbuLgYS18zPofOaLBOUbMV9dCQePf+oVk= =8z81 -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org
Re: Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, On 2/4/20 3:33 PM, Christopher Schultz wrote: > All, > > I just upgraded an application from commons-beanutils-1.9.3 to > commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0 > and I'm getting this error on startup: > > javax.servlet.ServletException: Servlet.init() for servlet > [velocity] threw exception [...] Caused by: > org.apache.velocity.tools.config.NullKeyException: Key is null for > tool whose class is 'null' at > org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfig ur > > ation.java:348) > at > org.apache.velocity.tools.config.CompoundConfiguration.validate(Compou nd > > Configuration.java:115) > at > org.apache.velocity.tools.config.ToolboxConfiguration.validate(Toolbox Co > > nfiguration.java:108) > at > org.apache.velocity.tools.config.CompoundConfiguration.validate(Compou nd > > Configuration.java:115) > at > org.apache.velocity.tools.config.FactoryConfiguration.validate(Factory Co > > nfiguration.java:232) > at > org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java :8 > > 0) > at > org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90) > > at > org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManag er > > .java:222) > at > org.apache.velocity.tools.view.VelocityView.configure(VelocityView.jav a: > > 508) > at > org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313 ) > > at > org.apache.velocity.tools.view.VelocityView.(VelocityView.java:2 13 > > ) > at > org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.ja va > > :156) > at > org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUti ls > > .java:142) > at > org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUti ls > > .java:104) > at > org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(Vel oc > > ityViewServlet.java:155) > at > org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewSe rv > > let.java:122) > at > org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayo ut > > Servlet.java:133) > at > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.j av > > a:1142) > ... 89 more > > > I don't believe I've changed my tools.xml file for a long time > (svn says no). The changelog for commons-beanutils says their > change is to fix CVE-2014-0114 / CVE-2019-10086 which has to do > with whether or not a "class" may be specified under certain > conditions. > > I haven't (yet) looked at the code, but is it possible that this > upgrade has broken Velocity Tools 2.0? I realize this is a > somewhat older release; upgrading will take some time, patching is > the preferred source of action at the moment. On startup, I get this message before Bad Things happen: 2020-02-05 10:58:10,737 [main] DEBUG org.apache.velocity.generic- Configuring factory with: FactoryConfiguration from 4 sources with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 12 tools: Tool 'null' => null Tool 'JSONUtil' => null with 1 properties [key -auto-> JSONUtil; ] Tool 'dateFormat' => null with 1 properties [key -auto-> dateFormat; ] Tool 'escape' => null with 1 properties [key -auto-> escape; ] Tool 'floatMath' => null with 1 properties [key -auto-> floatMath; ] Tool 'list' => null with 1 properties [key -auto-> list; ] Tool 'modernEscape' => null with 1 properties [key -auto-> modernEscape; ] Tool 'resource' => null with 1 properties [key -auto-> resource; ] So two things are happening, here: 1. Any tool without an explicit "key" is being set to key=null 2. No class names are being loaded AT ALL With commons-beanutils-1.9.3, the output is a little different: 2020-02-05 15:41:49,901 [localhost-startStop-1] DEBUG org.apache.velocity.generic- Configuring factory with: FactoryConfiguration from 4 sources with 2 toolboxes: Toolbox 'application' with 1 properties [scope -auto-> application; ] and 14 tools: Tool 'JSONUtil' => org.noggit.JSONUtil with 1 properties [key - -auto-> JSONUtil; ] Tool 'alternator' => org.apache.velocity.tools.generic.AlternatorTool Tool 'class' => org.apache.velocity.tools.generic.ClassTool Tool 'dateFormat' => org.apache.velocity.tools.generic.DateTool with 1 properties [key -auto-> dateFormat; ] Tool 'escape' => org.apache.velocity.tools.generic.EscapeTool with 1 properties [key -auto-> escape; ] Tool 'floatMath' => org.apache.velocity.tools.generic.MathTool with 1 properties [key -auto-> floatMath; ] Tool 'list' => org.apache.velocity.tools.generic.ListTool with 1 properties [key -auto-> list; ] Tool 'modernEscape' => org.apache.commons.text.StringEscapeUtils with 1 properties [key -auto-> modernEscape; ] Tool 'resource' => org.apache.velocity.tools.generic.ResourceTool with 1 properties [key -auto-> resource; ] Tool 'sorter' => org.apache.velocity.tools.generic.SortTool I'm still
Error starting Velocity 1.7 + Tools 2.0 after upgrading commons-beanutils
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I just upgraded an application from commons-beanutils-1.9.3 to commons-beanutils-1.9.4 that is using Velocity 1.7 and Tools 2.0 and I'm getting this error on startup: javax.servlet.ServletException: Servlet.init() for servlet [velocity] threw exception [...] Caused by: org.apache.velocity.tools.config.NullKeyException: Key is null for tool whose class is 'null' at org.apache.velocity.tools.config.ToolConfiguration.validate(ToolConfigur ation.java:348) at org.apache.velocity.tools.config.CompoundConfiguration.validate(Compound Configuration.java:115) at org.apache.velocity.tools.config.ToolboxConfiguration.validate(ToolboxCo nfiguration.java:108) at org.apache.velocity.tools.config.CompoundConfiguration.validate(Compound Configuration.java:115) at org.apache.velocity.tools.config.FactoryConfiguration.validate(FactoryCo nfiguration.java:232) at org.apache.velocity.tools.ToolboxFactory.configure(ToolboxFactory.java:8 0) at org.apache.velocity.tools.ToolManager.configure(ToolManager.java:90) at org.apache.velocity.tools.view.ViewToolManager.configure(ViewToolManager .java:222) at org.apache.velocity.tools.view.VelocityView.configure(VelocityView.java: 508) at org.apache.velocity.tools.view.VelocityView.init(VelocityView.java:313) at org.apache.velocity.tools.view.VelocityView.(VelocityView.java:213 ) at org.apache.velocity.tools.view.ServletUtils.createView(ServletUtils.java :156) at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils .java:142) at org.apache.velocity.tools.view.ServletUtils.getVelocityView(ServletUtils .java:104) at org.apache.velocity.tools.view.VelocityViewServlet.getVelocityView(Veloc ityViewServlet.java:155) at org.apache.velocity.tools.view.VelocityViewServlet.init(VelocityViewServ let.java:122) at org.apache.velocity.tools.view.VelocityLayoutServlet.init(VelocityLayout Servlet.java:133) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.jav a:1142) ... 89 more I don't believe I've changed my tools.xml file for a long time (svn says no). The changelog for commons-beanutils says their change is to fix CVE-2014-0114 / CVE-2019-10086 which has to do with whether or not a "class" may be specified under certain conditions. I haven't (yet) looked at the code, but is it possible that this upgrade has broken Velocity Tools 2.0? I realize this is a somewhat older release; upgrading will take some time, patching is the preferred source of action at the moment. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl451RYACgkQHPApP6U8 pFh8bg/+IvYBoK+cQCp+Zxw8obleefonlHsJOjtCK/DIkvC1hbtLX27xURkmCQ3r pOI9lsEv3L1GYAN2GF090FWjDj3QFiE2m5HD9pHtscpCKoDqBXVgE/JanHYiQn5b +B9v/eSYQzhlRULlPFTSBHv5W0C8yGk/RYr4eI2uIECWcPRMpVN11mkBFOsUqcrK nP6bOlKDszS40V9JSeqmv8qELsu23q19M7nT7ECGsGxMqcy1Jc4TDECgfL9odaFZ 8u3FaVrWSXrmCRXLqBTlMtO2xoD5mq1OuRePKFShtbsUnFvG38cjbAwy5Yq++Uxl /7d2TkBLq2yKu+vrFPjmrc5mSrH0lT1Er7GjogFI5ywiRGrLjvC0N/PZAqmqqVQl hyY7KA5DmKyFB6eIgiKFg1PZVF69UmRyyl1aMwVYKt/R1d/B0/yvM/fuYJdPiGo3 sWn3S5alxckqug7gN9btMnayd5e4Sfrj4WhTFwS5VDc6Gj7LfMNwgsKVxh9kVCKe PwHH/QPBNLK1ad5yI1yztS8N4nw2TXUKno8PamPxnZmMEjfzCXD7Av4O+5dqiNaH Q+9YDDPBdwPZlJxcHklsLIl3v2AmNrijy2zIVUE6u8wUH7iNx9QHvx5PvpkMuVO5 gN2xEtYWHJgmSmt5U25oVbFjMYbVBDECkiRbdRLvyL4f9DQ32oI= =YRv4 -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org For additional commands, e-mail: dev-h...@velocity.apache.org