struts-user mailing list archives

From Fredrik Andersson <>
Subject Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
Date Tue, 26 Nov 2013 20:43:24 GMT

(Hope this is the correct forum for this question)


I get this error in my hello-world-struts2-webapp when I run it in my Tomcat with the catalina.policy.

(Btw my catalina.policy is edited a bit to match my production env:


/-- Encapsulated exception ------------\ 
java.lang.IllegalAccessException: Method [public void se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)]
cannot be accessed. 
at ognl.OgnlRuntime.invokeMethod( 
at ognl.OgnlRuntime.callAppropriateMethod( 


I found this solution:!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ


It suggests that a listener does:



In the doc for OgnlRuntime it says:

Sets the SecurityManager that OGNL uses to determine permissions for invoking methods.


But is this really a correct solution to set it to null?

To me it doesn't sound good to have the security manager set to null. What security holes does that create?


Could this be solved with some extra grants in the catalina.policy-file instead?



Best regards
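
The policy-file alternative asked about above, as an added example that is not part of the original message or of the Struts/OGNL projects: a least-privilege grant for conf/catalina.policy that keeps OGNL's SecurityManager check active instead of nulling it. It assumes OGNL checks an ognl.OgnlInvokePermission named "invoke.<declaring class>.<method>" before each reflective call (verify against the OGNL version in use), and the webapp directory name hello-world is hypothetical.

```java
// Added example: fragment for conf/catalina.policy (Java policy-file syntax,
// not Java source). Not from the original post.
//
// Assumptions:
//  - the webapp is deployed at ${catalina.base}/webapps/hello-world
//    (hypothetical name) with the OGNL, XWork and Struts jars in WEB-INF/lib,
//    so every webapp frame on the call stack falls under this codeBase;
//  - OGNL names the permission "invoke.<declaring class>.<method>".

grant codeBase "file:${catalina.base}/webapps/hello-world/-" {

    // Allow OGNL to call methods declared on the action class from the
    // stack trace (setUsername and its other setters/getters). The
    // trailing ".*" is the java.security.BasicPermission wildcard.
    permission ognl.OgnlInvokePermission
        "invoke.se.mycompany.web.actions.WelcomeUserAction.*";

    // Broad alternative, to be weighed against the narrow grant above:
    // permits OGNL to invoke any method on any class, which is the same
    // reach OGNL has after OgnlRuntime.setSecurityManager(null).
    // permission ognl.OgnlInvokePermission "*";
};
```

With the narrow grant, a later "Method [...] cannot be accessed" error names the next method OGNL was refused; its declaring class gives the permission name to add if that call is expected.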
