velocity-user mailing list archives

From "Will Glass-Husain" <wgl...@forio.com>
Subject Re: Velocity Config/Security Issue
Date Wed, 11 Oct 2006 22:54:51 GMT
One more question.  What's your platform
-- version of Tomcat
-- version of JDK
-- Win, Linux, etc?

(and to repeat the last email for redundancy)
-- VelocityServlet or VelocityViewServlet (with version)

I run an instance of Tomcat with a security policy.  I've found
numerous inconsistencies even within Tomcat that require security
permissions to be opened up.  (There was a bug with the 4.1.x series
for example for which I had to open up something similar).

I tend to think you've hit a Tomcat bug triggered by the way Velocity
accesses the request object.  Send the info back and we can dig into
this.

WILL

On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> Sorry, some more logging that might make it clearer.
>
> My local machine uses request objects:
> org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce
> and
> org.apache.catalina.core.ApplicationHttpRequest@1e389b8
>
> Whereas the hosted server with the problem uses:
> org.apache.catalina.connector.RequestFacade@121d818
> and
> org.apache.catalina.core.ApplicationHttpRequest@76f954
>
>
>
> Log 1 - From action class running on hosted server
> --------------------------------------------------
> 11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
>     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
> 11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>     | request.getContextPath() = ''
> 11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>     | request.getMethod() = 'GET'
> 11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
> 11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>     | request.getRequestURI() = '/test.htm'
> 11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
> 11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>     | request.getServletPath() = '/test.htm'
>
>
> Log 2 - From VM Template/page running on hosted server
> ------------------------------------------------------
> request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
> request.contextPath = '/'
> request.method = 'GET'
> request.session.id = '$request.session.id'
> request.requestURI = '//test.vm'
> request.requestURL = 'http://www.chaletexplorer.com//test.vm'
> request.servletPath = '/test.vm'
>
>
> Log 3 - From action class (running on my local machine)
> -------------------------------------------------------
>
> 12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>     | request = 'org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce'
> 12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>     | request.getContextPath() = '/indy'
> 12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>     | request.getMethod() = 'GET'
> 12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>     | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F'
> 12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>     | request.getRequestURI() = '/indy/test.htm'
> 12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
>     | request.getRequestURL() = 'http://localhost:8080/indy/test.htm'
> 12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
>     | request.getServletPath() = '/test.htm'
>
>
> Log 4 - From VM Template/page (running on my local machine)
> -----------------------------------------------------------
> request = 'org.apache.catalina.core.ApplicationHttpRequest@1e389b8'
> request.contextPath = '/indy'
> request.method = 'GET'
> request.session.id = '79E50B9B3F25A2897BF420521952D51F'
> request.requestURI = '/indy/test.vm'
> request.requestURL = 'http://localhost:8080/indy/test.htm'
> request.servletPath = '/test.vm'
>
>
>
> --------------------------------------------------
>
>
> >From: "Robin Mannering" <robin_mannering75@hotmail.com>
> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >To: velocity-user@jakarta.apache.org
> >Subject: Re: Velocity Config/Security Issue
> >Date: Wed, 11 Oct 2006 22:08:29 +0000
> >
> >Hi all,
> >
> >Can anyone shed some light? I have some more facts now....
> >
> >The original problem was Velocity required permission on a core package
> >within catalina. Is this because it couldn't find the 'correct' request
> >object?
> >
> >Here are some logs, the first is from a Struts action class,  the second is
> >output from the velocity template forwarded to immediately after the action
> >class.  They refer to different request objects that ultimately give
> >different values. Should the velocity template not also refer to
> >org.apache.catalina.connector.RequestFacade@121d818 ??
> >
> >Any help/clues would be greatly appreciated.
> >
> >Log 1 - From action class
> >----------------------------------
> >11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
> >     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >     | request.getContextPath() = ''
> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >     | request.getMethod() = 'GET'
> >11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
> >     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >     | request.getRequestURI() = '/test.htm'
> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
> >11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
> >     | request.getServletPath() = '/test.htm'
> >
> >Log 2 - From VM Template/page
> >-----------------------------
> >request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
> >
> >request.contextPath = '/'
> >
> >request.method = 'GET'
> >
> >request.session.id = '$request.session.id'
> >
> >request.requestURI = '//test.vm'
> >
> >request.requestURL = 'http://www.chaletexplorer.com//test.vm'
> >
> >request.servletPath = '/test.vm'
> >
> >
> >
> >
> >
> >
> >
> >>From: "Will Glass-Husain" <wglass@forio.com>
> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>Subject: Re: Velocity Config/Security Issue
> >>Date: Wed, 11 Oct 2006 06:25:35 -0700
> >>
> >>I don't think it's Velocity which requires that permission, I'm
> >>guessing it's the request object which is ultimately provided by
> >>Tomcat...
> >>
> >>WILL
> >>
> >>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >>>Hi Will,
> >>>
> >>>Thanks for the links, I'll give them a thorough read.
> >>>
> >>>I've been working with the hosting company who set up the server config and
> >>>they have given the application permission to org.apache.catalina.core
> >>>although they are troubled to do so.
> >>>
> >>>They seem very surprised that velocity requires this permission.
> >>>
> >>>Since they granted the permission, the problem has cleared up and
> >>>$request.contextPath now has a value within a velocity template (although
> >>>this has changed from an empty value to '/' so I need to make source
> >>>amendments).  Not a problem, just worrying it takes on a new value in a
> >>>different hosting environment.
> >>>
> >>>Thanks again for your help
> >>>Robin
> >>>
> >>>
> >>> >From: "Will Glass-Husain" <wglass@forio.com>
> >>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>> >Subject: Re: Velocity Config/Security Issue
> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
> >>> >
> >>> >What app server are you using?  This is a server configuration issue.
> >>> >If someone else set it up, you might also want to work with them.
> >>> >
> >>> >If you're using Tomcat, check out:
> >>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
> >>> >
> >>> >And you should read the Sun docs at:
> >>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
> >>> >
> >>> >WILL
> >>> >
> >>> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >>> >>Hi Will,
> >>> >>
> >>> >>thanks for your help. Sorry. I'm new to permissions, could you explain a
> >>> >>little more for me please.
> >>> >>
> >>> >>Thanks
> >>> >>Robin
> >>> >>
> >>> >>
> >>> >> >From: "Will Glass-Husain" <wglass@forio.com>
> >>> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >>> >> >Subject: Re: Velocity Config/Security Issue
> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
> >>> >> >
> >>> >> >Looks like the security policy on your app server needs to be tuned.
> >>> >> >Have you tried giving the permission java.lang.RuntimePermission for
> >>> >> >accessClassInPackage.org.apache.catalina.core?
> >>> >> >
> >>> >> >WILL
> >>> >> >
> >>> >> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >>> >> >>Hi all,
> >>> >> >>
> >>> >> >>I'm new back on this list in a while, please excuse if the following
> >>> >> >>problem is obvious/has been posted before.
> >>> >> >>
> >>> >> >>I am transferring an existing site based on Struts/Velocity to a new web
> >>> >> >>hosting provider.  The application runs smoothly on its current host.
> >>> >> >>
> >>> >> >>However, there seems to be one last stumbling block with the new server in
> >>> >> >>that the Struts object; 'request' appears not to be in scope within velocity
> >>> >> >>pages (there may be others not in scope).
> >>> >> >>
> >>> >> >>I'm using the VelocityLayoutServlet if that helps.
> >>> >> >>
> >>> >> >>I've attached a snippet of the log file that points to the problem I
> >>> >> >>mentioned, notably the 'java.security.AccessControlException' and
> >>> >> >>'$request.contextPath is not a valid reference'
> >>> >> >>
> >>> >> >>All other velocity directives appear to be functioning as normal.
> >>> >> >>
> >>> >> >>Has anyone seen this behaviour before? Any help would be greatly
> >>> >> >>appreciated.
> >>> >> >>
> >>> >> >>Kind regards
> >>> >> >>Robin
> >>> >> >>
> >>> >> >>10-Oct 02:45:21.752 |INFO |                       [/].log
> >>> >> >>     |  Velocity   [info] ResourceManager : found /pages/frontend/home.vm
> >>> >> >>with loader org.apache.velocity.tools.view.servlet.WebappLoader
> >>> >> >>10-Oct 02:45:21.761 |INFO |                       [/].log
> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() :
> >>> >> >>java.security.AccessControlException: access denied
> >>> >> >>(java.lang.RuntimePermission
> >>> >> >>accessClassInPackage.org.apache.catalina.core)
> >>> >> >>10-Oct 02:45:21.763 |INFO |                       [/].log
> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath
> >>> >> >>: java.security.AccessControlException: access denied
> >>> >> >>(java.lang.RuntimePermission
> >>> >> >>accessClassInPackage.org.apache.catalina.core)
> >>> >> >>10-Oct 02:45:21.764 |INFO |                       [/].log
> >>> >> >>     |  Velocity  [error] RHS of #set statement is null. Context will not be
> >>> >> >>modified. /pages/frontend/home.vm [line 9, column 1]
> >>> >> >>10-Oct 02:45:21.772 |INFO |                       [/].log
> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() :
> >>> >> >>java.security.AccessControlException: access denied
> >>> >> >>(java.lang.RuntimePermission
> >>> >> >>accessClassInPackage.org.apache.catalina.core)
> >>> >> >>10-Oct 02:45:21.773 |INFO |                       [/].log
> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath
> >>> >> >>: java.security.AccessControlException: access denied
> >>> >> >>(java.lang.RuntimePermission
> >>> >> >>accessClassInPackage.org.apache.catalina.core)
> >>> >> >>10-Oct 02:45:21.774 |INFO |                       [/].log
> >>> >> >>     |  Velocity   [warn]
> >>> >> >>org.apache.velocity.runtime.exception.ReferenceException: reference :
> >>> >> >>template = /pages/frontend/home.vm [line 32,column 34] :
> >>> >> >>$request.contextPath is not a valid reference.
> >>> >> >>
> >>> >> >>---------------------------------------------------------------------
> >>> >> >>To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> >>> >> >>For additional commands, e-mail: velocity-user-help@jakarta.apache.org
> >>> >> >>


-- 
Forio Business Simulations

Will Glass-Husain
wglass@forio.com
www.forio.com
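
As an added illustration of the exchange above (not code from the thread or from the Velocity or Tomcat projects), this script pulls the distinct denied permissions out of a log like the one quoted and renders a policy-file grant stanza scoped to a single codeBase, so that only one web application receives `accessClassInPackage.org.apache.catalina.core`. The sample log is constructed from the quoted lines; the codeBase value and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the denial lines quoted in the thread. The
# mail client wrapped long lines, so one denial spans several physical lines.
SAMPLE_LOG = """\
10-Oct 02:45:21.761 |INFO |  [/].log
     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() :
java.security.AccessControlException: access denied
(java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.763 |INFO |  [/].log
     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath
: java.security.AccessControlException: access denied
(java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.core)
"""

# Matches "access denied (Class target [actions])", with or without the
# double quotes newer JDKs put around each field; \s also spans line wraps.
DENIED = re.compile(
    r'AccessControlException:\s*access\s+denied\s*'
    r'\(\s*"?([\w.$]+)"?\s+"?([^\s")]+)"?(?:\s+"?([^")]+)"?)?\s*\)'
)


def denied_permissions(log_text):
    """Return distinct (class, target, actions) denials in first-seen order."""
    seen = []
    for match in DENIED.finditer(log_text):
        perm = match.groups()
        if perm not in seen:
            seen.append(perm)
    return seen


def policy_grant(perms, code_base):
    """Render a Java policy-file grant stanza limited to one codeBase."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in perms:
        entry = '    permission %s "%s"' % (cls, target)
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder codeBase (assumption): point it at the one webapp that needs it.
    print(policy_grant(denied_permissions(SAMPLE_LOG),
                       "file:${catalina.home}/webapps/ROOT/-"))
```

Reviewing the generated stanza before it goes into the policy file keeps the grant limited to the permissions that were actually denied, rather than opening the whole package to all code.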