Hi, I think I have found the cause!
My application code contains the following:- FacesContext fc = FacesContext.getCurrentInstance(); ExpressionFactory ef = fc.getApplication().getExpressionFactory(); ELContext elc = fc.getELContext(); ValueExpression ve = ef.createValueExpression(elc, expr, clazz); Object result = ve.getValue(elc); The implementation of javax.el.ValueExpression is org.apache.jasper.el. JspValueExpression which is in the org.apache.jasper.el package. Access to this package is prevented by default by the catalina.properties file! Hurrah, problem resolved! However I still need somebody "official" to confirm this - as my hosting company wants some official statement. I will cross-post to the developer mailing list (so sorry to those affected) in case this is more of a development issue. Can anybody confirm and provide an "official" statement about the programmatic use of EL and security settings? Thanks, Mike On 24/06/2008, Michael Anstis <[EMAIL PROTECTED]> wrote: > > Hi, > > Firstly, sorry for the long stack traces in here but I included the lot > incase what I discount somebody else picks up on. > > Anyway, when trying to use JSF 1.2-b20-FCS on Tomcat 6.0 with Java 2 > Security Manager enabled I receive the below. > > This can be replicated by creating a new WAR and simply adding jsf-api.jar > and jsf-impl.jar to the WEB-INF\lib folder on a vanila install of Tomcat > 6.0. > > SEVERE: Exception sending context initialized event to listener instance of > *class* com.sun.faces.config.GlassFishConfigureListener > java.security.AccessControlException: access denied > (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.el) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) > at > java.security.AccessController.checkPermission(AccessController.java:427) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) > at > java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512) > at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) > at java.lang.ClassLoader.loadClass(ClassLoader.java:299) > at java.lang.ClassLoader.loadClass(ClassLoader.java:251) > at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) > at > org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:200) > at > com.sun.faces.config.ConfigureListener.registerELResolverAndListenerWithJsp(ConfigureListener.java:1874) > at > com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:546) > at > com.sun.faces.config.GlassFishConfigureListener.contextInitialized(GlassFishConfigureListener.java:47) > at > org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3830) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:4337) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) > at > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123) > at > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > at java.security.AccessController.doPrivileged(Native Method) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525) > at > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:626) > at > org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:511) > at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1220) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:585) > at > org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297) > at > com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213) > at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220) > at > com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815) > at > com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784) > at > org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1458) > at > org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:820) > at > org.apache.catalina.manager.ManagerServlet.doGet(ManagerServlet.java:348) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:690) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:585) > at > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276) > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283) > at > org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) > at > org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) > at java.security.AccessController.doPrivileged(Native Method) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584) > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) > at java.lang.Thread.run(Thread.java:595) > > > If I was hosting the affected application on my own server or it was simply > a development issue I would simply grant the permission (indeed I do this > whilst developing) however the company I use to host the application only > provides a shared Tomcat instance (it is cheap) and are understandably > reluctant to grant the permission without it being officially confirmed as a > requirement. > > Can anybody confirm that JSF RI under Tomcat 6.0 needs the permission > granted? > > Thanks, > > Mike >
