velocity-user mailing list archives

From "Will Glass-Husain" <wgl...@forio.com>
Subject Re: Velocity Config/Security Issue
Date Thu, 12 Oct 2006 11:59:38 GMT
I'll play around with this.  Might be a day or so.

On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>
> Hi,
>
> Sorry I forgot the velocity version: Velocity 1.4
>
> >From: "Will Glass-Husain" <wglass@forio.com>
> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >Subject: Re: Velocity Config/Security Issue
> >Date: Wed, 11 Oct 2006 15:54:51 -0700
> >
> >One more question.  What's your platform
> >-- version of Tomcat
> >-- version of JDK
> >-- Win, Linux, etc?
> >
> >(and to repeat the last email for redundancy)
> >-- VelocityServlet or VelocityViewServlet (with version)
> >
> >I run an instance of Tomcat with a security policy.  I've found
> >numerous inconsistencies even within Tomcat that require security
> >permissions to be opened up.  (There was a bug with the 4.1.x series
> >for example for which I had to open up something similar).
> >
> >I tend to think you've hit a Tomcat bug triggered by the way Velocity
> >accesses the request object.  Send the info back and we can dig into
> >this.
> >
> >WILL
> >
> >On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >>Sorry, some more logging that might make it clearer.
> >>
> >>My local machine uses request objects:
> >>org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce
> >>and
> >>org.apache.catalina.core.ApplicationHttpRequest@1e389b8
> >>
> >>Whereas the hosted server with the problem uses:
> >>org.apache.catalina.connector.RequestFacade@121d818
> >>and
> >>org.apache.catalina.core.ApplicationHttpRequest@76f954
> >>
> >>
> >>
> >>Log 1 - From action class running on hosted server
> >>--------------------------------------------------
> >>11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
> >>     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
> >>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >>     | request.getContextPath() = ''
> >>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >>     | request.getMethod() = 'GET'
> >>11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
> >>     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
> >>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >>     | request.getRequestURI() = '/test.htm'
> >>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >>     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
> >>11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
> >>     | request.getServletPath() = '/test.htm'
> >>
> >>
> >>Log 2 - From VM Template/page running on hosted server
> >>------------------------------------------------------
> >>request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
> >>request.contextPath = '/'
> >>request.method = 'GET'
> >>request.session.id = '$request.session.id'
> >>request.requestURI = '//test.vm'
> >>request.requestURL = 'http://www.chaletexplorer.com//test.vm'
> >>request.servletPath = '/test.vm'
> >>
> >>
> >>Log 3 - From action class (running on my local machine)
> >>-------------------------------------------------------
> >>
> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
> >>     | request = 'org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce'
> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
> >>     | request.getContextPath() = '/indy'
> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
> >>     | request.getMethod() = 'GET'
> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
> >>     | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F'
> >>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
> >>     | request.getRequestURI() = '/indy/test.htm'
> >>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
> >>     | request.getRequestURL() = 'http://localhost:8080/indy/test.htm'
> >>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
> >>     | request.getServletPath() = '/test.htm'
> >>
> >>
> >>Log 4 - From VM Template/page (running on my local machine)
> >>-----------------------------------------------------------
> >>request = 'org.apache.catalina.core.ApplicationHttpRequest@1e389b8'
> >>request.contextPath = '/indy'
> >>request.method = 'GET'
> >>request.session.id = '79E50B9B3F25A2897BF420521952D51F'
> >>request.requestURI = '/indy/test.vm'
> >>request.requestURL = 'http://localhost:8080/indy/test.htm'
> >>request.servletPath = '/test.vm'
> >>
> >>
> >>
> >>--------------------------------------------------
> >>
> >>
> >> >From: "Robin Mannering" <robin_mannering75@hotmail.com>
> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >To: velocity-user@jakarta.apache.org
> >> >Subject: Re: Velocity Config/Security Issue
> >> >Date: Wed, 11 Oct 2006 22:08:29 +0000
> >> >
> >> >Hi all,
> >> >
> >> >Can anyone shed some light? I have some more facts now....
> >> >
> >> >The original problem was Velocity required permission on a core package
> >> >within catalina. Is this because it couldn't find the 'correct' request
> >> >object?
> >> >
> >> >Here are some logs, the first is from a Struts action class,  the second is
> >> >output from the velocity template forwarded to immediately after the action
> >> >class.  They refer to different request objects that ultimately give
> >> >different values. Should the velocity template not also refer to
> >> >org.apache.catalina.connector.RequestFacade@121d818 ??
> >> >
> >> >Any help/clues would be greatly appreciated.
> >> >
> >> >Log 1 - From action class
> >> >----------------------------------
> >> >11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
> >> >     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
> >> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >> >     | request.getContextPath() = ''
> >> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
> >> >     | request.getMethod() = 'GET'
> >> >11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
> >> >     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
> >> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >> >     | request.getRequestURI() = '/test.htm'
> >> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
> >> >     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
> >> >11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
> >> >     | request.getServletPath() = '/test.htm'
> >> >
> >> >Log 2 - From VM Template/page
> >> >-----------------------------
> >> >request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
> >> >
> >> >request.contextPath = '/'
> >> >
> >> >request.method = 'GET'
> >> >
> >> >request.session.id = '$request.session.id'
> >> >
> >> >request.requestURI = '//test.vm'
> >> >
> >> >request.requestURL = 'http://www.chaletexplorer.com//test.vm'
> >> >
> >> >request.servletPath = '/test.vm'
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >>From: "Will Glass-Husain" <wglass@forio.com>
> >> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>Subject: Re: Velocity Config/Security Issue
> >> >>Date: Wed, 11 Oct 2006 06:25:35 -0700
> >> >>
> >> >>I don't think it's Velocity which requires that permission, I'm
> >> >>guessing it's the request object which is ultimately provided by
> >> >>Tomcat...
> >> >>
> >> >>WILL
> >> >>
> >> >>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >> >>>Hi Will,
> >> >>>
> >> >>>Thanks for the links, I'll give them a thorough read.
> >> >>>
> >> >>>I've been working with the hosting company who set up the server config and
> >> >>>they have given the application permission to org.apache.catalina.core
> >> >>>although they are troubled to do so.
> >> >>>
> >> >>>They seem very surprised that velocity requires this permission.
> >> >>>
> >> >>>Since they granted the permission, the problem has cleared up and
> >> >>>$request.contextPath now has a value within a velocity template (although
> >> >>>this has changed from an empty value to '/' so I need to make source
> >> >>>amendments).  Not a problem, just worrying it takes on a new value in a
> >> >>>different hosting environment.
> >> >>>
> >> >>>Thanks again for your help
> >> >>>Robin
> >> >>>
> >> >>>
> >> >>> >From: "Will Glass-Husain" <wglass@forio.com>
> >> >>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>> >Subject: Re: Velocity Config/Security Issue
> >> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
> >> >>> >
> >> >>> >What app server are you using?  This is a server configuration issue.
> >> >>> >If someone else set it up, you might also want to work with them.
> >> >>> >
> >> >>> >If you're using Tomcat, check out:
> >> >>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
> >> >>> >
> >> >>> >And you should read the Sun docs at:
> >> >>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
> >> >>> >
> >> >>> >WILL
> >> >>> >
> >> >>> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >> >>> >>Hi Will,
> >> >>> >>
> >> >>> >>thanks for your help. Sorry. I'm new to permissions, could you explain a
> >> >>> >>little more for me please.
> >> >>> >>
> >> >>> >>Thanks
> >> >>> >>Robin
> >> >>> >>
> >> >>> >>
> >> >>> >> >From: "Will Glass-Husain" <wglass@forio.com>
> >> >>> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> >> >>> >> >Subject: Re: Velocity Config/Security Issue
> >> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
> >> >>> >> >
> >> >>> >> >Looks like the security policy on your app server needs to be tuned.
> >> >>> >> >Have you tried giving the permission java.lang.RuntimePermission for
> >> >>> >> >accessClassInPackage.org.apache.catalina.core?
> >> >>> >> >
> >> >>> >> >WILL
> >> >>> >> >
> >> >>> >> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
> >> >>> >> >>Hi all,
> >> >>> >> >>
> >> >>> >> >>I'm new back on this list in a while, please excuse if the following
> >> >>> >> >>problem is obvious/has been posted before.
> >> >>> >> >>
> >> >>> >> >>I am transferring an existing site based on Struts/Velocity to a new web
> >> >>> >> >>hosting provider.  The application runs smoothly on its current host.
> >> >>> >> >>
> >> >>> >> >>However, there seems to be one last stumbling block with the new server in
> >> >>> >> >>that the Struts object; 'request' appears not to be in scope within velocity
> >> >>> >> >>pages (there may be others not in scope).
> >> >>> >> >>
> >> >>> >> >>I'm using the VelocityLayoutServlet if that helps.
> >> >>> >> >>
> >> >>> >> >>I've attached a snippet of the log file that points to the problem I
> >> >>> >> >>mentioned, notably the 'java.security.AccessControlException' and
> >> >>> >> >>'$request.contextPath is not a valid reference'
> >> >>> >> >>
> >> >>> >> >>All other velocity directives appear to be functioning as normal.
> >> >>> >> >>
> >> >>> >> >>Has anyone seen this behaviour before? Any help would be greatly
> >> >>> >> >>appreciated.
> >> >>> >> >>
> >> >>> >> >>Kind regards
> >> >>> >> >>Robin
> >> >>> >> >>
> >> >>> >> >>10-Oct 02:45:21.752 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity   [info] ResourceManager : found /pages/frontend/home.vm with loader org.apache.velocity.tools.view.servlet.WebappLoader
> >> >>> >> >>10-Oct 02:45:21.761 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
> >> >>> >> >>10-Oct 02:45:21.763 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
> >> >>> >> >>10-Oct 02:45:21.764 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity  [error] RHS of #set statement is null. Context will not be modified. /pages/frontend/home.vm [line 9, column 1]
> >> >>> >> >>10-Oct 02:45:21.772 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
> >> >>> >> >>10-Oct 02:45:21.773 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
> >> >>> >> >>10-Oct 02:45:21.774 |INFO |                      [/].log
> >> >>> >> >>     |  Velocity   [warn] org.apache.velocity.runtime.exception.ReferenceException: reference : template = /pages/frontend/home.vm [line 32,column 34] : $request.contextPath is not a valid reference.
> >> >>> >> >>
> >> >>> >> >>---------------------------------------------------------------------
> >> >>> >> >>To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> >> >>> >> >>For additional commands, e-mail: velocity-user-help@jakarta.apache.org
> >> >>> >> >>
> >> >>> >> >>
> >> >>> >> >
> >> >>> >> >
> >> >>> >> >--
> >> >>> >> >Forio Business Simulations
> >> >>> >> >
> >> >>> >> >Will Glass-Husain
> >> >>> >> >wglass@forio.com
> >> >>> >> >www.forio.com
> >> >>> >> >
> >> >>> >> >
> >> >>> >>
> >> >>> >>
> >> >>> >>
> >> >>> >
> >> >>> >
> >> >>> >--
> >> >>> >Forio Business Simulations
> >> >>> >
> >> >>> >Will Glass-Husain
> >> >>> >wglass@forio.com
> >> >>> >www.forio.com
> >> >>> >
> >> >>> >
> >> >>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >>--
> >> >>Forio Business Simulations
> >> >>
> >> >>Will Glass-Husain
> >> >>wglass@forio.com
> >> >>www.forio.com
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >>
> >
> >
> >--
> >Forio Business Simulations
> >
> >Will Glass-Husain
> >wglass@forio.com
> >www.forio.com
>
>
>


-- 
Forio Business Simulations

Will Glass-Husain
wglass@forio.com
www.forio.com
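
Added example (not part of the original message, and not Tomcat or Velocity code): it extracts the denied permissions from a log like the one quoted in this thread, tolerating the mail-wrapped exception text, and renders a policy-file `grant` entry limited to one web application's code instead of a server-wide one. The sample log is constructed from the quoted excerpt; the `APP_PLACEHOLDER` directory in the `codeBase` and the `INTERNAL_PREFIXES` list are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log excerpt quoted in the thread; the
# exception text is wrapped across lines the way the mail wrapped it.
SAMPLE_LOG = """\
10-Oct 02:45:21.761 |INFO | [/].log | Velocity [error] PROGRAMMER ERROR : PropertyExector() :
java.security.AccessControlException: access denied
(java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.763 |INFO | [/].log | Velocity [error] ASTIdentifier.execute() : identifier = contextPath
: java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.774 |INFO | [/].log | Velocity [warn] $request.contextPath is not a valid reference.
"""

# "access denied (<permission class> <target> [<actions>])"; every gap is
# matched as whitespace so a message split over several lines still parses.
DENIED = re.compile(
    r"AccessControlException:\s+access\s+denied\s+"
    r"\(\s*(?P<cls>[\w.$]+)\s+(?P<target>[^\s)]+)(?:\s+(?P<actions>[^)]+?))?\s*\)"
)

# Assumption: package prefixes treated as container internals for review
# purposes; adjust to the package.access list of the server in use.
INTERNAL_PREFIXES = ("org.apache.catalina.", "org.apache.coyote.", "sun.")

def denied_permissions(log_text):
    """Return a Counter of (class, target, actions) for each denial found."""
    hits = Counter()
    for m in DENIED.finditer(log_text):
        hits[(m["cls"], m["target"], m["actions"] or "")] += 1
    return hits

def exposes_internals(target):
    """True when the target opens a container-internal package to the app."""
    prefix = "accessClassInPackage."
    return target.startswith(prefix) and (
        target[len(prefix):] + ".").startswith(INTERNAL_PREFIXES)

def policy_grant(perms, code_base):
    """Render one policy-file grant limited to code loaded from code_base."""
    lines = [f'grant codeBase "{code_base}" {{']
    for cls, target, actions in sorted(perms):
        if exposes_internals(target):
            lines.append("    // review: exposes container-internal classes")
        suffix = f', "{actions}"' if actions else ""
        lines.append(f'    permission {cls} "{target}"{suffix};')
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    found = denied_permissions(SAMPLE_LOG)
    print(policy_grant(found, "file:${catalina.base}/webapps/APP_PLACEHOLDER/-"))
```

The `// review` marker flags the kind of grant the hosting company in the thread was reluctant to make: it lets the application's code reach classes inside the servlet container's own packages.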