velocity-user mailing list archives

From "Robin Mannering" <robin_mannerin...@hotmail.com>
Subject Re: Velocity Config/Security Issue
Date Thu, 12 Oct 2006 06:39:16 GMT

Hi,

Sorry I forgot the velocity version: Velocity 1.4

>From: "Will Glass-Husain" <wglass@forio.com>
>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>Subject: Re: Velocity Config/Security Issue
>Date: Wed, 11 Oct 2006 15:54:51 -0700
>
>One more question.  What's your platform
>-- version of Tomcat
>-- version of JDK
>-- Win, Linux, etc?
>
>(and to repeat the last email for redundancy)
>-- VelocityServlet or VelocityViewServlet (with version)
>
>I run an instance of Tomcat with a security policy.  I've found
>numerous inconsistencies even within Tomcat that require security
>permissions to be opened up.  (There was a bug with the 4.1.x series
>for example for which I had to open up something similar).
>
>I tend to think you've hit a Tomcat bug triggered by the way Velocity
>accesses the request object.  Send the info back and we can dig into
>this.
>
>WILL
>
>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>>Sorry, some more logging that might make it clearer.
>>
>>My local machine uses request objects:
>>org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce
>>and
>>org.apache.catalina.core.ApplicationHttpRequest@1e389b8
>>
>>Whereas the hosted server with the problem uses:
>>org.apache.catalina.connector.RequestFacade@121d818
>>and
>>org.apache.catalina.core.ApplicationHttpRequest@76f954
>>
>>
>>
>>Log 1 - From action class running on hosted server
>>--------------------------------------------------
>>11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
>>     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
>>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>>     | request.getContextPath() = ''
>>11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>>     | request.getMethod() = 'GET'
>>11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>>     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
>>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>>     | request.getRequestURI() = '/test.htm'
>>11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>>     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
>>11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>>     | request.getServletPath() = '/test.htm'
>>
>>
>>Log 2 - From VM Template/page running on hosted server
>>------------------------------------------------------
>>request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
>>request.contextPath = '/'
>>request.method = 'GET'
>>request.session.id = '$request.session.id'
>>request.requestURI = '//test.vm'
>>request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>>request.servletPath = '/test.vm'
>>
>>
>>Log 3 - From action class (running on my local machine)
>>-------------------------------------------------------
>>
>>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>>     | request = 'org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce'
>>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>>     | request.getContextPath() = '/indy'
>>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>>     | request.getMethod() = 'GET'
>>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>>     | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F'
>>12-Oct 00:10:17.516 |DEBUG|                TestAction.executeLogic
>>     | request.getRequestURI() = '/indy/test.htm'
>>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
>>     | request.getRequestURL() = 'http://localhost:8080/indy/test.htm'
>>12-Oct 00:10:17.532 |DEBUG|                TestAction.executeLogic
>>     | request.getServletPath() = '/test.htm'
>>
>>
>>Log 4 - From VM Template/page (running on my local machine)
>>-----------------------------------------------------------
>>request = 'org.apache.catalina.core.ApplicationHttpRequest@1e389b8'
>>request.contextPath = '/indy'
>>request.method = 'GET'
>>request.session.id = '79E50B9B3F25A2897BF420521952D51F'
>>request.requestURI = '/indy/test.vm'
>>request.requestURL = 'http://localhost:8080/indy/test.htm'
>>request.servletPath = '/test.vm'
>>
>>
>>
>>--------------------------------------------------
>>
>>
>> >From: "Robin Mannering" <robin_mannering75@hotmail.com>
>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >To: velocity-user@jakarta.apache.org
>> >Subject: Re: Velocity Config/Security Issue
>> >Date: Wed, 11 Oct 2006 22:08:29 +0000
>> >
>> >Hi all,
>> >
>> >Can anyone shed some light? I have some more facts now....
>> >
>> >The original problem was Velocity required permission on a core package
>> >within catalina. Is this because it couldn't find the 'correct' request
>> >object?
>> >
>> >Here are some logs, the first is from a Struts action class, the second is
>> >output from the velocity template forwarded to immediately after the action
>> >class.  They refer to different request objects that ultimately give
>> >different values. Should the velocity template not also refer to
>> >org.apache.catalina.connector.RequestFacade@121d818 ??
>> >
>> >Any help/clues would be greatly appreciated.
>> >
>> >Log 1 - From action class
>> >----------------------------------
>> >11-Oct 17:52:49.647 |DEBUG|                TestAction.executeLogic
>> >     | request = 'org.apache.catalina.connector.RequestFacade@121d818'
>> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >     | request.getContextPath() = ''
>> >11-Oct 17:52:49.648 |DEBUG|                TestAction.executeLogic
>> >     | request.getMethod() = 'GET'
>> >11-Oct 17:52:49.649 |DEBUG|                TestAction.executeLogic
>> >     | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
>> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >     | request.getRequestURI() = '/test.htm'
>> >11-Oct 17:52:49.650 |DEBUG|                TestAction.executeLogic
>> >     | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
>> >11-Oct 17:52:49.651 |DEBUG|                TestAction.executeLogic
>> >     | request.getServletPath() = '/test.htm'
>> >
>> >Log 2 - From VM Template/page
>> >-----------------------------
>> >request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
>> >
>> >request.contextPath = '/'
>> >
>> >request.method = 'GET'
>> >
>> >request.session.id = '$request.session.id'
>> >
>> >request.requestURI = '//test.vm'
>> >
>> >request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>> >
>> >request.servletPath = '/test.vm'
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >>From: "Will Glass-Husain" <wglass@forio.com>
>> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>Subject: Re: Velocity Config/Security Issue
>> >>Date: Wed, 11 Oct 2006 06:25:35 -0700
>> >>
>> >>I don't think it's Velocity which requires that permission, I'm
>> >>guessing it's the request object which is ultimately provided by
>> >>Tomcat...
>> >>
>> >>WILL
>> >>
>> >>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >>>Hi Will,
>> >>>
>> >>>Thanks for the links, I'll give them a thorough read.
>> >>>
>> >>>I've been working with the hosting company who set up the server config
>> >>>and they have given the application permission to org.apache.catalina.core
>> >>>although they are troubled to do so.
>> >>>
>> >>>They seem very surprised that velocity requires this permission.
>> >>>
>> >>>Since they granted the permission, the problem has cleared up and
>> >>>$request.contextPath now has a value within a velocity template (although
>> >>>this has changed from an empty value to '/' so I need to make source
>> >>>amendments).  Not a problem, just worrying it takes on a new value in a
>> >>>different hosting environment.
>> >>>
>> >>>Thanks again for your help
>> >>>Robin
>> >>>
>> >>>
>> >>> >From: "Will Glass-Husain" <wglass@forio.com>
>> >>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>> >Subject: Re: Velocity Config/Security Issue
>> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
>> >>> >
>> >>> >What app server are you using?  This is a server configuration issue.
>> >>> >If someone else set it up, you might also want to work with them.
>> >>> >
>> >>> >If you're using Tomcat, check out:
>> >>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
>> >>> >
>> >>> >And you should read the Sun docs at:
>> >>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
>> >>> >
>> >>> >WILL
>> >>> >
>> >>> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >>> >>Hi Will,
>> >>> >>
>> >>> >>Thanks for your help. Sorry. I'm new to permissions, could you explain a
>> >>> >>little more for me please.
>> >>> >>
>> >>> >>Thanks
>> >>> >>Robin
>> >>> >>
>> >>> >>
>> >>> >> >From: "Will Glass-Husain" <wglass@forio.com>
>> >>> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >>> >> >Subject: Re: Velocity Config/Security Issue
>> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
>> >>> >> >
>> >>> >> >Looks like the security policy on your app server needs to be tuned.
>> >>> >> >Have you tried giving the permission java.lang.RuntimePermission for
>> >>> >> >accessClassInPackage.org.apache.catalina.core?
>> >>> >> >
>> >>> >> >WILL
>> >>> >> >
>> >>> >> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >>> >> >>Hi all,
>> >>> >> >>
>> >>> >> >>I'm new back on this list in a while, please excuse if the following
>> >>> >> >>problem is obvious/has been posted before.
>> >>> >> >>
>> >>> >> >>I am transferring an existing site based on Struts/Velocity to a new web
>> >>> >> >>hosting provider.  The application runs smoothly on its current host.
>> >>> >> >>
>> >>> >> >>However, there seems to be one last stumbling block with the new server in
>> >>> >> >>that the Struts object; 'request' appears not to be in scope within velocity
>> >>> >> >>pages (there may be others not in scope).
>> >>> >> >>
>> >>> >> >>I'm using the VelocityLayoutServlet if that helps.
>> >>> >> >>
>> >>> >> >>I've attached a snippet of the log file that points to the problem I
>> >>> >> >>mentioned, notably the 'java.security.AccessControlException' and
>> >>> >> >>'$request.contextPath is not a valid reference'
>> >>> >> >>
>> >>> >> >>All other velocity directives appear to be functioning as normal.
>> >>> >> >>
>> >>> >> >>Has anyone seen this behaviour before? Any help would be greatly
>> >>> >> >>appreciated.
>> >>> >> >>
>> >>> >> >>Kind regards
>> >>> >> >>Robin
>> >>> >> >>
>> >>> >> >>10-Oct 02:45:21.752 |INFO |                       [/].log
>> >>> >> >>     |  Velocity   [info] ResourceManager : found /pages/frontend/home.vm with loader org.apache.velocity.tools.view.servlet.WebappLoader
>> >>> >> >>10-Oct 02:45:21.761 |INFO |                       [/].log
>> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >>> >> >>10-Oct 02:45:21.763 |INFO |                       [/].log
>> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >>> >> >>10-Oct 02:45:21.764 |INFO |                       [/].log
>> >>> >> >>     |  Velocity  [error] RHS of #set statement is null. Context will not be modified. /pages/frontend/home.vm [line 9, column 1]
>> >>> >> >>10-Oct 02:45:21.772 |INFO |                       [/].log
>> >>> >> >>     |  Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >>> >> >>10-Oct 02:45:21.773 |INFO |                       [/].log
>> >>> >> >>     |  Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >>> >> >>10-Oct 02:45:21.774 |INFO |                       [/].log
>> >>> >> >>     |  Velocity   [warn] org.apache.velocity.runtime.exception.ReferenceException: reference : template = /pages/frontend/home.vm [line 32,column 34] : $request.contextPath is not a valid reference.
>> >>> >> >>
>> >>> >> >>---------------------------------------------------------------------
>> >>> >> >>To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
>> >>> >> >>For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>> >>> >> >>
>> >>> >> >>
>> >>> >> >
>> >>> >> >
>> >>> >> >--
>> >>> >> >Forio Business Simulations
>> >>> >> >
>> >>> >> >Will Glass-Husain
>> >>> >> >wglass@forio.com
>> >>> >> >www.forio.com
>> >>> >> >
>> >>> >
>> >>> >
>> >>> >--
>> >>> >Forio Business Simulations
>> >>> >
>> >>> >Will Glass-Husain
>> >>> >wglass@forio.com
>> >>> >www.forio.com
>> >>> >
>> >>
>> >>
>> >>--
>> >>Forio Business Simulations
>> >>
>> >>Will Glass-Husain
>> >>wglass@forio.com
>> >>www.forio.com
>> >>
>
>
>--
>Forio Business Simulations
>
>Will Glass-Husain
>wglass@forio.com
>www.forio.com
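
An added example, not part of the thread and not Velocity or Tomcat code: a Python sketch that pulls the denied permissions out of log lines like the ones quoted above and renders a policy grant scoped to a single web application rather than a global grant. The sample log is constructed from the thread's lines (unwrapped), the codeBase value is a placeholder assumption, and handling of the quoted message format used by newer JDKs goes beyond what the thread shows.

```python
import re
from collections import Counter

# JDK message: "access denied (<class> <name> [<actions>])". Newer JDKs quote
# each field; the JDK in this thread does not. Both forms are accepted.
DENIED = re.compile(
    r'access denied \(\s*"?(?P<cls>[\w.$]+)"?\s+"?(?P<name>[^\s")]+)"?'
    r'(?:\s+"?(?P<actions>[^")]+?)"?)?\s*\)'
)

# Constructed sample: unwrapped lines modelled on the log quoted in the thread.
SAMPLE_LOG = """\
10-Oct 02:45:21.761 |INFO | [/].log | Velocity [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.763 |INFO | [/].log | Velocity [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.764 |INFO | [/].log | Velocity [error] RHS of #set statement is null. Context will not be modified. /pages/frontend/home.vm [line 9, column 1]
"""

def denied_permissions(log_text):
    """Count each distinct (class, name, actions) permission that was denied."""
    hits = Counter()
    for m in DENIED.finditer(log_text):
        hits[(m.group("cls"), m.group("name"), m.group("actions"))] += 1
    return hits

def policy_grant(perms, code_base):
    """Render one grant block limited to code_base (assumed webapp location)."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, name, actions in sorted(perms, key=lambda p: (p[0], p[1], p[2] or "")):
        entry = '    permission %s "%s"' % (cls, name)
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)

def needs_review(perms, internal_prefix="org.apache.catalina"):
    """Names that open container-internal packages; grant only after review."""
    marker = "accessClassInPackage." + internal_prefix
    return sorted(name for _, name, _ in perms if name.startswith(marker))

if __name__ == "__main__":
    found = denied_permissions(SAMPLE_LOG)
    # Placeholder codeBase: adjust to the directory the application is deployed in.
    print(policy_grant(found, "file:${catalina.base}/webapps/ROOT/-"))
    print("review before granting:", needs_review(found))
```
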
