Hello!

Thanks for all help guys!

 

The permissions worked perfectly, really interesting.

 

I then guess that you agree with me that if it is possible (if you got 
permissions to add permissions) to set the permissions like this instead of the 
OgnlRuntime.setSecurityManager(null);


Do you agree with me?

Best regards

Fredrik

  

 

> From: lukaszlen...@apache.org
> Date: Tue, 26 Nov 2013 22:35:53 +0100
> Subject: Re: Will I get sideeffects with: 
> OgnlRuntime.setSecurityManager(null);
> To: user@struts.apache.org
> 
> This should help [1] and you must add these (I cannot find the correct
> link with exact example for Struts2)
> 
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> permission java.lang.RuntimePermission "*";
> permission ognl.OgnlInvokePermission "*";
> 
> [1] 
> https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence
> 
> 
> Regards
> 
> -- 
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> 
> 2013/11/26 Fredrik Andersson <fredan...@hotmail.com>:
> > Hello!
> >
> > (Hope this is the correct forum for this question)
> >
> >
> >
> > I get this error in my hello-world-struts2-webapp when I run it in my 
> > tomcat with the catalina.policy.
> >
> > (Btw my catalina.policy is edited a bit to match my production env: 
> > http://pastie.org/8510824)
> >
> >
> >
> > /-- Encapsulated exception ------------\
> > java.lang.IllegalAccessException: Method [public void 
> > se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)] 
> > cannot be accessed.
> > at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
> > at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)
> >
> >
> >
> >
> > I found this solution:
> >
> > https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ
> >
> >
> >
> > It suggest that a listener does:
> >
> > OgnlRuntime.setSecurityManager(null);
> >
> >
> >
> > In the doc for OgnlRuntime it says:
> >
> > Sets the SecurityManager that OGNL uses to determine permissions for 
> > invoking methods.
> >
> >
> >
> > But is this really a correct solution to set it to null?
> >
> > To me it doesn't sound good to have the securitymanager set to null, what 
> > security holes does that create?
> >
> >
> >
> > Could this be solved with some extra grants in the catalina.policy-file 
> > instead?
> >
> >
> >
> >
> >
> > Best regards
> >
> > Fredrik
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
> 
                                          

Reply via email to