Re: Velocity Config/Security Issue

Fri, 13 Oct 2006 02:35:05 -0700 

Hi Will,
Originally, any request to the $request object were just being ignored (or were throwing security exceptions). So the Velocity page just output $request into the HTML. 


He then granted permission on the below package uisng the security manager 
and the request object was then 'working' although it was putting out the 
incorrect values.  The exceptions in the log then disappeared.



Then, he ran the application without the Security manager and the $request 
object had expected values for methods such $request.contextPath and 
$request.session.id and everything worked fine.



I'm unfamiliar with Security Managers, shall I ask him to apply just this 
one? (This has no reference to Velocity classes does it?)


java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core


As an extra, do you know of a hosting company that has established clients 
using Velocity?  I might do well to move somewhere with direct experience of 
hosting with velocity.


Thanks for all your help
Robin



From: "Will Glass-Husain" <[EMAIL PROTECTED]>
Reply-To: "Velocity Users List" <[email protected]>
To: "Velocity Users List" <[email protected]>
Subject: Re: Velocity Config/Security Issue
Date: Fri, 13 Oct 2006 01:13:12 -0700

Robin,

Haven't yet checked this out.

But your IT manager says "have to do more testing to see which
security grant it needs".  Actually, your error log shows this
clearly.  You need

java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core

WILL

On 10/12/06, Robin Mannering <[EMAIL PROTECTED]> wrote:

Hi Will,

Thanks for your help, let me know if there is anything I can do.

I have a fear my hosting provider cannot commit the resources to solving
this problem anytime soon.

Thanks
Robin


>From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>Reply-To: "Velocity Users List" <[email protected]>
>To: "Velocity Users List" <[email protected]>
>Subject: Re: Velocity Config/Security Issue
>Date: Thu, 12 Oct 2006 04:59:38 -0700
>
>I'll play around with this.  Might be a day or so.
>
>On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
>>
>>Hi,
>>
>>Sorry I forgot the velocity version: Velocity 1.4
>>
>> >From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>> >Reply-To: "Velocity Users List" <[email protected]>
>> >To: "Velocity Users List" <[email protected]>
>> >Subject: Re: Velocity Config/Security Issue
>> >Date: Wed, 11 Oct 2006 15:54:51 -0700
>> >
>> >One more question.  What's your platform
>> >-- version of Tomcat
>> >-- version of JDK
>> >-- Win, Linux, etc?
>> >
>> >(and to repeat the last email for redundancy)
>> >-- VelocityServlet or VelocityViewServlet (with version)
>> >
>> >I run an instance of Tomcat with a security policy.  I've found
>> >numerous inconsistencies even within Tomcat that require security
>> >permissions to be opened up.  (There was a bug with the 4.1.x series
>> >for example for which I had to open up something similar).
>> >
>> >I tend to think you've hit a Tomcat bug triggered by the way Velocity
>> >accesses the request object.  Send the info back and we can dig into
>> >this.
>> >
>> >WILL
>> >
>> >On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> wrote:
>> >>Sorry, some more logging that might make it clearer.
>> >>
>> >>My local machine uses request objects:
>> >>[EMAIL PROTECTED]
>> >>and
>> >>[EMAIL PROTECTED]
>> >>
>> >>Whereas the hosted server with the problem uses:
>> >>[EMAIL PROTECTED]
>> >>and
>> >>[EMAIL PROTECTED]
>> >>
>> >>
>> >>
>> >>Log 1 - From action class running on hosted server
>> >>--------------------------------------------------
>> >>11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic

>> >>     | request = 
'[EMAIL PROTECTED]'

>> >>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >>     | request.getContextPath() = ''
>> >>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >>     | request.getMethod() = 'GET'
>> >>11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>> >>     | request.getSession().getId() =
>>'28536F4542A222DC6F0E6DE23442DC6D'
>> >>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >>     | request.getRequestURI() = '/test.htm'
>> >>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >>     | request.getRequestURL() =
>>'http://www.chaletexplorer.com/test.htm'
>> >>11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>> >>     | request.getServletPath() = '/test.htm'
>> >>
>> >>
>> >>Log 2 - From VM Template/page running on hosted server
>> >>------------------------------------------------------
>> >>request = '[EMAIL PROTECTED]'
>> >>request.contextPath = '/'
>> >>request.method = 'GET'
>> >>request.session.id = '$request.session.id'
>> >>request.requestURI = '//test.vm'
>> >>request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>> >>request.servletPath = '/test.vm'
>> >>
>> >>
>> >>Log 3 - From action class (running on my local machine)
>> >>-------------------------------------------------------
>> >>
>> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>> >>     | request =
>>'[EMAIL PROTECTED]'
>> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>> >>     | request.getContextPath() = '/indy'
>> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>> >>     | request.getMethod() = 'GET'
>> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>> >>     | request.getSession().getId() =
>>'79E50B9B3F25A2897BF420521952D51F'
>> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>> >>     | request.getRequestURI() = '/indy/test.htm'
>> >>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic

>> >>     | request.getRequestURL() = 
'http://localhost:8080/indy/test.htm'

>> >>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
>> >>     | request.getServletPath() = '/test.htm'
>> >>
>> >>
>> >>Log 4 - From VM Template/page (running on my local machine)
>> >>-----------------------------------------------------------
>> >>request = '[EMAIL PROTECTED]'
>> >>request.contextPath = '/indy'
>> >>request.method = 'GET'
>> >>request.session.id = '79E50B9B3F25A2897BF420521952D51F'
>> >>request.requestURI = '/indy/test.vm'
>> >>request.requestURL = 'http://localhost:8080/indy/test.htm'
>> >>request.servletPath = '/test.vm'
>> >>
>> >>
>> >>
>> >>--------------------------------------------------
>> >>
>> >>
>> >> >From: "Robin Mannering" <[EMAIL PROTECTED]>
>> >> >Reply-To: "Velocity Users List" <[email protected]>
>> >> >To: [email protected]
>> >> >Subject: Re: Velocity Config/Security Issue
>> >> >Date: Wed, 11 Oct 2006 22:08:29 +0000
>> >> >
>> >> >Hi all,
>> >> >
>> >> >Can anyone shed some light? I have some more facts now....
>> >> >
>> >> >The original problem was Velocity required permission on a core
>>package
>> >> >within catalina. Is this because it couldn't find the 'correct'
>>request
>> >> >object.
>> >> >
>> >> >Here are some logs, the first is from a Struts action class,  the
>>second
>> >>is

>> >> >output from the velocity template forwarded to immediately after 
the

>> >>action

>> >> >class.  They refer to different request objects that ultimately 
give

>> >> >different values. Should the velocity template not also refer to
>> >> >[EMAIL PROTECTED] ??
>> >> >
>> >> >Any help/clues would be greatly appreciated.
>> >> >
>> >> >Log 1 - From action class
>> >> >----------------------------------
>> >> >11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
>> >> >     | request =
>>'[EMAIL PROTECTED]'
>> >> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getContextPath() = ''
>> >> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getMethod() = 'GET'
>> >> >11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getSession().getId() =
>>'28536F4542A222DC6F0E6DE23442DC6D'
>> >> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getRequestURI() = '/test.htm'
>> >> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getRequestURL() =
>> >>'http://www.chaletexplorer.com/test.htm'
>> >> >11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>> >> >     | request.getServletPath() = '/test.htm'
>> >> >
>> >> >Log 2 - From VM Template/page
>> >> >-----------------------------
>> >> >request = '[EMAIL PROTECTED]'
>> >> >
>> >> >request.contextPath = '/'
>> >> >
>> >> >request.method = 'GET'
>> >> >
>> >> >request.session.id = '$request.session.id'
>> >> >
>> >> >request.requestURI = '//test.vm'
>> >> >
>> >> >request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>> >> >
>> >> >request.servletPath = '/test.vm'
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >>From: "Will Glass-Husain" <[EMAIL PROTECTED]>

>> >> >>Reply-To: "Velocity Users List" 
<[email protected]>

>> >> >>To: "Velocity Users List" <[email protected]>
>> >> >>Subject: Re: Velocity Config/Security Issue
>> >> >>Date: Wed, 11 Oct 2006 06:25:35 -0700
>> >> >>
>> >> >>I don't think it's Velocity which requires that permission, I'm
>> >> >>guessing it's the request object which is ultimately provided by
>> >> >>Tomcat...
>> >> >>
>> >> >>WILL
>> >> >>

>> >> >>On 10/11/06, Robin Mannering <[EMAIL PROTECTED]> 
wrote:

>> >> >>>Hi Will,
>> >> >>>
>> >> >>>Thanks for the links, I'll give them a thorough read.
>> >> >>>
>> >> >>>I've been working with the hosting company who set up the server
>> >>config
>> >> >>>and
>> >> >>>they have give the application permission to
>>org.apache.catalina.core
>> >> >>>although they are troubled to do so.
>> >> >>>
>> >> >>>They seem very surprised that velocity requires this permission.
>> >> >>>

>> >> >>>Since they granted the permission, the problem has cleared up 
and

>> >> >>>$request.contextPath now has a value within a velocity template
>> >>(although
>> >> >>>this has changed from an empty value to '/' so I need to make
>>source

>> >> >>>amendments.  Not a problem, just worrying it takes on a new 
value

>>in a
>> >> >>>different hosting environment.
>> >> >>>
>> >> >>>Thanks again for your help
>> >> >>>Robin
>> >> >>>
>> >> >>>
>> >> >>> >From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>> >> >>> >Reply-To: "Velocity Users List"
>><[email protected]>
>> >> >>> >To: "Velocity Users List" <[email protected]>
>> >> >>> >Subject: Re: Velocity Config/Security Issue
>> >> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
>> >> >>> >
>> >> >>> >What app server are you using?  This is a server configuration
>> >>issue.

>> >> >>> >If someone else set it up, you might also want to work with 
them.

>> >> >>> >
>> >> >>> >If you're using Tomcat, check out:
>> >> >>>
>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
>> >> >>> >
>> >> >>> >And you should read the Sun docs at:
>> >> >>>
>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
>> >> >>> >
>> >> >>> >WILL
>> >> >>> >
>> >> >>> >On 10/10/06, Robin Mannering <[EMAIL PROTECTED]>
>>wrote:
>> >> >>> >>Hi Will,
>> >> >>> >>

>> >> >>> >>thanks for your help. Sorry. I'm new to permissions, could 
you

>> >>explain
>> >> >>>a
>> >> >>> >>little more for me please.
>> >> >>> >>
>> >> >>> >>Thanks
>> >> >>> >>Robin
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> >From: "Will Glass-Husain" <[EMAIL PROTECTED]>
>> >> >>> >> >Reply-To: "Velocity Users List"
>> >><[email protected]>

>> >> >>> >> >To: "Velocity Users List" 
<[email protected]>

>> >> >>> >> >Subject: Re: Velocity Config/Security Issue
>> >> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
>> >> >>> >> >

>> >> >>> >> >Looks like the security policy on your app server needs to 
be

>> >>tuned.
>> >> >>> >> >Have you tried giving the permission
>>java.lang.RuntimePermission
>> >>for
>> >> >>> >> >accessClassInPackage.org.apache.catalina.core?
>> >> >>> >> >
>> >> >>> >> >WILL
>> >> >>> >> >

>> >> >>> >> >On 10/10/06, Robin Mannering 
<[EMAIL PROTECTED]>

>> >>wrote:
>> >> >>> >> >>Hi all,
>> >> >>> >> >>
>> >> >>> >> >>I'm new back on this list in a while, please excuse if the
>> >> >>>following
>> >> >>> >> >>problem
>> >> >>> >> >>is obvious/has been posted before.
>> >> >>> >> >>

>> >> >>> >> >>I am transferring an existing site based on 
Struts/Velocity

>>to a
>> >> >>>new
>> >> >>> >>web
>> >> >>> >> >>hosting provider.  The application runs smoothly on its
>>current
>> >> >>>host.
>> >> >>> >> >>

>> >> >>> >> >>However, there seems to be one last stumbling block with 
the

>>new
>> >> >>>server
>> >> >>> >>in

>> >> >>> >> >>that the Struts object; 'request' appears not to be in 
scope

>> >>within
>> >> >>> >> >>velocity
>> >> >>> >> >>pages (there may be others not in scope).
>> >> >>> >> >>
>> >> >>> >> >>I'm using the VelocityLayoutServlet if that helps.
>> >> >>> >> >>
>> >> >>> >> >>I've attached a snippet of the log file that points to the
>> >>problem
>> >> >>>I

>> >> >>> >> >>mentioned, notable the 
'java.security.AccessControlException'

>> >>and
>> >> >>> >> >>'$request.contextPath is not a valid reference'
>> >> >>> >> >>
>> >> >>> >> >>All other velocity directives appear to be functioning as
>> >>normal.
>> >> >>> >> >>
>> >> >>> >> >>Has anyone seen this behaviour before? Any help would be
>>greatly
>> >> >>> >> >>appreciated.
>> >> >>> >> >>
>> >> >>> >> >>Kind regards
>> >> >>> >> >>Robin
>> >> >>> >> >>
>> >> >>> >> >>10-Oct 02:45:21.752 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity   [info] ResourceManager : found
>> >> >>> >>/pages/frontend/home.vm
>> >> >>> >> >>with loader
>>org.apache.velocity.tools.view.servlet.WebappLoader
>> >> >>> >> >>10-Oct 02:45:21.761 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR :
>>PropertyExector() :
>> >> >>> >> >>java.security.AccessControlException: access denied
>> >> >>> >> >>(java.lang.RuntimePermission
>> >> >>> >> >>accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.763 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() :
>>identifier =
>> >> >>> >> >>contextPath
>> >> >>> >> >>: java.security.AccessControlException: access denied
>> >> >>> >> >>(java.lang.RuntimePermission
>> >> >>> >> >>accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.764 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity  [error] RHS of #set statement is null.
>>Context
>> >> >>>will
>> >> >>> >>not
>> >> >>> >> >>be
>> >> >>> >> >>modified. /pages/frontend/home.vm [line 9, column 1]
>> >> >>> >> >>10-Oct 02:45:21.772 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR :
>>PropertyExector() :
>> >> >>> >> >>java.security.AccessControlException: access denied
>> >> >>> >> >>(java.lang.RuntimePermission
>> >> >>> >> >>accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.773 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() :
>>identifier =
>> >> >>> >> >>contextPath
>> >> >>> >> >>: java.security.AccessControlException: access denied
>> >> >>> >> >>(java.lang.RuntimePermission
>> >> >>> >> >>accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.774 |INFO |                       [/].log
>> >> >>> >> >>     |  Velocity   [warn]
>> >> >>> >> >>org.apache.velocity.runtime.exception.ReferenceException:
>> >>reference
>> >> >>>:
>> >> >>> >> >>template = /pages/frontend/home.vm [line 32,column 34] :
>> >> >>> >> >>$request.contextPath is not a valid reference.
>> >> >>> >> >>
>> >> >>> >>
>> >> >>_________________________________________________________________

>> >> >>> >> >>Windows Live� Messenger has arrived. Click here to 
download

>>it
>> >>for
>> >> >>> >>free!
>> >> >>> >> >>http://imagine-msn.com/messenger/launch80/?locale=en-gb
>> >> >>> >> >>
>> >> >>> >> >>
>> >> >>> >>
>> >> >>>
>> >>

>> 
>>---------------------------------------------------------------------

>> >> >>> >> >>To unsubscribe, e-mail:
>> >> >>>[EMAIL PROTECTED]
>> >> >>> >> >>For additional commands, e-mail:
>> >> >>>[EMAIL PROTECTED]
>> >> >>> >> >>
>> >> >>> >> >>
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >> >--
>> >> >>> >> >Forio Business Simulations
>> >> >>> >> >
>> >> >>> >> >Will Glass-Husain
>> >> >>> >> >[EMAIL PROTECTED]
>> >> >>> >> >www.forio.com
>> >> >>> >> >
>> >> >>> >>
>> >> >>>

>> >> 
>---------------------------------------------------------------------

>> >> >>> >> >To unsubscribe, e-mail:
>> >>[EMAIL PROTECTED]
>> >> >>> >> >For additional commands, e-mail:
>> >> >>>[EMAIL PROTECTED]
>> >> >>> >> >
>> >> >>> >>
>> >> >>>
>> >>_________________________________________________________________
>> >> >>> >>Be the first to hear what's new at MSN - sign up to our free
>> >> >>>newsletters!
>> >> >>> >>http://www.msn.co.uk/newsletters
>> >> >>> >>
>> >> >>> >>
>> >> >>>
>> >>

>> 
>>---------------------------------------------------------------------

>> >> >>> >>To unsubscribe, e-mail:
>> >>[EMAIL PROTECTED]
>> >> >>> >>For additional commands, e-mail:
>> >>[EMAIL PROTECTED]
>> >> >>> >>
>> >> >>> >>
>> >> >>> >
>> >> >>> >
>> >> >>> >--
>> >> >>> >Forio Business Simulations
>> >> >>> >
>> >> >>> >Will Glass-Husain
>> >> >>> >[EMAIL PROTECTED]
>> >> >>> >www.forio.com
>> >> >>> >
>> >> >>>

>> >> 
>---------------------------------------------------------------------

>> >> >>> >To unsubscribe, e-mail:
>>[EMAIL PROTECTED]
>> >> >>> >For additional commands, e-mail:
>> >>[EMAIL PROTECTED]
>> >> >>> >
>> >> >>>

>> >> 
>>>_________________________________________________________________

>> >> >>>Download the new Windows Live Toolbar, including Desktop search!
>> >> >>>http://toolbar.live.com/?mkt=en-gb
>> >> >>>
>> >> >>>
>> >>

>> 
>>>---------------------------------------------------------------------

>> >> >>>To unsubscribe, e-mail:
>>[EMAIL PROTECTED]
>> >> >>>For additional commands, e-mail:
>>[EMAIL PROTECTED]
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >>--
>> >> >>Forio Business Simulations
>> >> >>
>> >> >>Will Glass-Husain
>> >> >>[EMAIL PROTECTED]
>> >> >>www.forio.com
>> >> >>
>> >>

>> 
>>---------------------------------------------------------------------
>> >> >>To unsubscribe, e-mail: 
[EMAIL PROTECTED]

>> >> >>For additional commands, e-mail:
>>[EMAIL PROTECTED]
>> >> >>
>> >> >
>> >> >_________________________________________________________________

>> >> >Windows Live� Messenger has arrived. Click here to download it 
for

>> >>free!
>> >> >http://imagine-msn.com/messenger/launch80/?locale=en-gb
>> >> >
>> >> >

>> >> 
>---------------------------------------------------------------------
>> >> >To unsubscribe, e-mail: 
[EMAIL PROTECTED]

>> >> >For additional commands, e-mail:
>>[EMAIL PROTECTED]
>> >> >
>> >>
>> >>_________________________________________________________________
>> >>Be the first to hear what's new at MSN - sign up to our free
>>newsletters!
>> >>http://www.msn.co.uk/newsletters
>> >>
>> >>

>> 
>>---------------------------------------------------------------------

>> >>To unsubscribe, e-mail: [EMAIL PROTECTED]

>> >>For additional commands, e-mail: 
[EMAIL PROTECTED]

>> >>
>> >>
>> >
>> >
>> >--
>> >Forio Business Simulations
>> >
>> >Will Glass-Husain
>> >[EMAIL PROTECTED]
>> >www.forio.com
>>
>>_________________________________________________________________

>>Windows Live� Messenger has arrived. Click here to download it for 
free!

>>http://imagine-msn.com/messenger/launch80/?locale=en-gb
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
>
>--
>Forio Business Simulations
>
>Will Glass-Husain
>[EMAIL PROTECTED]
>www.forio.com

_________________________________________________________________
The new Windows Live Toolbar helps you guard against viruses
http://toolbar.live.com/?mkt=en-gb


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
Forio Business Simulations

Will Glass-Husain
[EMAIL PROTECTED]
www.forio.com


_________________________________________________________________

Windows Live™ Messenger has arrived. Click here to download it for free! 
http://imagine-msn.com/messenger/launch80/?locale=en-gb



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




























					Reply via email to