velocity-user mailing list archives

From "Robin Mannering" <robin_mannerin...@hotmail.com>
Subject Re: Velocity Config/Security Issue
Date Thu, 12 Oct 2006 12:12:45 GMT
Hi Will,

Thanks for your help, let me know if there is anything I can do.

I have a fear my hosting provider cannot commit the resources to solving 
this problem anytime soon.

Thanks
Robin


>From: "Will Glass-Husain" <wglass@forio.com>
>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>Subject: Re: Velocity Config/Security Issue
>Date: Thu, 12 Oct 2006 04:59:38 -0700
>
>I'll play around with this.  Might be a day or so.
>
>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>>
>>Hi,
>>
>>Sorry I forgot the velocity version: Velocity 1.4
>>
>> >From: "Will Glass-Husain" <wglass@forio.com>
>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >Subject: Re: Velocity Config/Security Issue
>> >Date: Wed, 11 Oct 2006 15:54:51 -0700
>> >
>> >One more question.  What's your platform
>> >-- version of Tomcat
>> >-- version of JDK
>> >-- Win, Linux, etc?
>> >
>> >(and to repeat the last email for redundancy)
>> >-- VelocityServlet or VelocityViewServlet (with version)
>> >
>> >I run an instance of Tomcat with a security policy.  I've found
>> >numerous inconsistencies even within Tomcat that require security
>> >permissions to be opened up.  (There was a bug with the 4.1.x series
>> >for example for which I had to open up something similar).
>> >
>> >I tend to think you've hit a Tomcat bug triggered by the way Velocity
>> >accesses the request object.  Send the info back and we can dig into
>> >this.
>> >
>> >WILL
>> >
>> >On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >>Sorry, some more logging that might make it clearer.
>> >>
>> >>My local machine uses request objects:
>> >>org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce
>> >>and
>> >>org.apache.catalina.core.ApplicationHttpRequest@1e389b8
>> >>
>> >>Whereas the hosted server with the problem uses:
>> >>org.apache.catalina.connector.RequestFacade@121d818
>> >>and
>> >>org.apache.catalina.core.ApplicationHttpRequest@76f954
>> >>
>> >>
>> >>
>> >>Log 1 - From action class running on hosted server
>> >>--------------------------------------------------
>> >>11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic | request = 'org.apache.catalina.connector.RequestFacade@121d818'
>> >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic | request.getContextPath() = ''
>> >>11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic | request.getMethod() = 'GET'
>> >>11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
>> >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic | request.getRequestURI() = '/test.htm'
>> >>11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
>> >>11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic | request.getServletPath() = '/test.htm'
>> >>
>> >>
>> >>Log 2 - From VM Template/page running on hosted server
>> >>------------------------------------------------------
>> >>request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
>> >>request.contextPath = '/'
>> >>request.method = 'GET'
>> >>request.session.id = '$request.session.id'
>> >>request.requestURI = '//test.vm'
>> >>request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>> >>request.servletPath = '/test.vm'
>> >>
>> >>
>> >>Log 3 - From action class (running on my local machine)
>> >>-------------------------------------------------------
>> >>
>> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic | request = 'org.apache.coyote.tomcat5.CoyoteRequestFacade@1fd25ce'
>> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic | request.getContextPath() = '/indy'
>> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic | request.getMethod() = 'GET'
>> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic | request.getSession().getId() = '79E50B9B3F25A2897BF420521952D51F'
>> >>12-Oct 00:10:17.516 |DEBUG| TestAction.executeLogic | request.getRequestURI() = '/indy/test.htm'
>> >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic | request.getRequestURL() = 'http://localhost:8080/indy/test.htm'
>> >>12-Oct 00:10:17.532 |DEBUG| TestAction.executeLogic | request.getServletPath() = '/test.htm'
>> >>
>> >>
>> >>Log 4 - From VM Template/page (running on my local machine)
>> >>-----------------------------------------------------------
>> >>request = 'org.apache.catalina.core.ApplicationHttpRequest@1e389b8'
>> >>request.contextPath = '/indy'
>> >>request.method = 'GET'
>> >>request.session.id = '79E50B9B3F25A2897BF420521952D51F'
>> >>request.requestURI = '/indy/test.vm'
>> >>request.requestURL = 'http://localhost:8080/indy/test.htm'
>> >>request.servletPath = '/test.vm'
>> >>
>> >>
>> >>
>> >>--------------------------------------------------
>> >>
>> >>
>> >> >From: "Robin Mannering" <robin_mannering75@hotmail.com>
>> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >To: velocity-user@jakarta.apache.org
>> >> >Subject: Re: Velocity Config/Security Issue
>> >> >Date: Wed, 11 Oct 2006 22:08:29 +0000
>> >> >
>> >> >Hi all,
>> >> >
>> >> >Can anyone shed some light? I have some more facts now....
>> >> >
>> >> >The original problem was Velocity required permission on a core package
>> >> >within catalina. Is this because it couldn't find the 'correct' request
>> >> >object.
>> >> >
>> >> >Here are some logs, the first is from a Struts action class,  the second is
>> >> >output from the velocity template forwarded to immediately after the action
>> >> >class.  They refer to different request objects that ultimately give
>> >> >different values. Should the velocity template not also refer to
>> >> >org.apache.catalina.connector.RequestFacade@121d818 ??
>> >> >
>> >> >Any help/clues would be greatly appreciated.
>> >> >
>> >> >Log 1 - From action class
>> >> >----------------------------------
>> >> >11-Oct 17:52:49.647 |DEBUG| TestAction.executeLogic | request = 'org.apache.catalina.connector.RequestFacade@121d818'
>> >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic | request.getContextPath() = ''
>> >> >11-Oct 17:52:49.648 |DEBUG| TestAction.executeLogic | request.getMethod() = 'GET'
>> >> >11-Oct 17:52:49.649 |DEBUG| TestAction.executeLogic | request.getSession().getId() = '28536F4542A222DC6F0E6DE23442DC6D'
>> >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic | request.getRequestURI() = '/test.htm'
>> >> >11-Oct 17:52:49.650 |DEBUG| TestAction.executeLogic | request.getRequestURL() = 'http://www.chaletexplorer.com/test.htm'
>> >> >11-Oct 17:52:49.651 |DEBUG| TestAction.executeLogic | request.getServletPath() = '/test.htm'
>> >> >
>> >> >
>> >> >Log 2 - From VM Template/page
>> >> >-----------------------------
>> >> >request = 'org.apache.catalina.core.ApplicationHttpRequest@76f954'
>> >> >
>> >> >request.contextPath = '/'
>> >> >
>> >> >request.method = 'GET'
>> >> >
>> >> >request.session.id = '$request.session.id'
>> >> >
>> >> >request.requestURI = '//test.vm'
>> >> >
>> >> >request.requestURL = 'http://www.chaletexplorer.com//test.vm'
>> >> >
>> >> >request.servletPath = '/test.vm'
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >>From: "Will Glass-Husain" <wglass@forio.com>
>> >> >>Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>Subject: Re: Velocity Config/Security Issue
>> >> >>Date: Wed, 11 Oct 2006 06:25:35 -0700
>> >> >>
>> >> >>I don't think it's Velocity which requires that permission, I'm
>> >> >>guessing it's the request object which is ultimately provided by
>> >> >>Tomcat...
>> >> >>
>> >> >>WILL
>> >> >>
>> >> >>On 10/11/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >> >>>Hi Will,
>> >> >>>
>> >> >>>Thanks for the links, I'll give them a thorough read.
>> >> >>>
>> >> >>>I've been working with the hosting company who set up the server config
>> >> >>>and they have given the application permission to org.apache.catalina.core
>> >> >>>although they are troubled to do so.
>> >> >>>
>> >> >>>They seem very surprised that velocity requires this permission.
>> >> >>>
>> >> >>>Since they granted the permission, the problem has cleared up and
>> >> >>>$request.contextPath now has a value within a velocity template (although
>> >> >>>this has changed from an empty value to '/' so I need to make source
>> >> >>>amendments).  Not a problem, just worrying it takes on a new value in a
>> >> >>>different hosting environment.
>> >> >>>
>> >> >>>Thanks again for your help
>> >> >>>Robin
>> >> >>>
>> >> >>>
>> >> >>> >From: "Will Glass-Husain" <wglass@forio.com>
>> >> >>> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>> >Subject: Re: Velocity Config/Security Issue
>> >> >>> >Date: Tue, 10 Oct 2006 15:04:32 -0700
>> >> >>> >
>> >> >>> >What app server are you using?  This is a server configuration issue.
>> >> >>> >If someone else set it up, you might also want to work with them.
>> >> >>> >
>> >> >>> >If you're using Tomcat, check out:
>> >> >>> >http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
>> >> >>> >
>> >> >>> >And you should read the Sun docs at:
>> >> >>> >http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
>> >> >>> >
>> >> >>> >WILL
>> >> >>> >
>> >> >>> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >> >>> >>Hi Will,
>> >> >>> >>
>> >> >>> >>thanks for your help. Sorry. I'm new to permissions, could you explain a
>> >> >>> >>little more for me please.
>> >> >>> >>
>> >> >>> >>Thanks
>> >> >>> >>Robin
>> >> >>> >>
>> >> >>> >>
>> >> >>> >> >From: "Will Glass-Husain" <wglass@forio.com>
>> >> >>> >> >Reply-To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>> >> >To: "Velocity Users List" <velocity-user@jakarta.apache.org>
>> >> >>> >> >Subject: Re: Velocity Config/Security Issue
>> >> >>> >> >Date: Tue, 10 Oct 2006 08:24:57 -0700
>> >> >>> >> >
>> >> >>> >> >Looks like the security policy on your app server needs to be tuned.
>> >> >>> >> >Have you tried giving the permission java.lang.RuntimePermission for
>> >> >>> >> >accessClassInPackage.org.apache.catalina.core?
>> >> >>> >> >
>> >> >>> >> >WILL
>> >> >>> >> >
>> >> >>> >> >On 10/10/06, Robin Mannering <robin_mannering75@hotmail.com> wrote:
>> >> >>> >> >>Hi all,
>> >> >>> >> >>
>> >> >>> >> >>I'm new back on this list in a while, please excuse if the following
>> >> >>> >> >>problem is obvious/has been posted before.
>> >> >>> >> >>
>> >> >>> >> >>I am transferring an existing site based on Struts/Velocity to a new web
>> >> >>> >> >>hosting provider.  The application runs smoothly on its current host.
>> >> >>> >> >>
>> >> >>> >> >>However, there seems to be one last stumbling block with the new server in
>> >> >>> >> >>that the Struts object; 'request' appears not to be in scope within velocity
>> >> >>> >> >>pages (there may be others not in scope).
>> >> >>> >> >>
>> >> >>> >> >>I'm using the VelocityLayoutServlet if that helps.
>> >> >>> >> >>
>> >> >>> >> >>I've attached a snippet of the log file that points to the problem I
>> >> >>> >> >>mentioned, notably the 'java.security.AccessControlException' and
>> >> >>> >> >>'$request.contextPath is not a valid reference'
>> >> >>> >> >>
>> >> >>> >> >>All other velocity directives appear to be functioning as normal.
>> >> >>> >> >>
>> >> >>> >> >>Has anyone seen this behaviour before? Any help would be greatly
>> >> >>> >> >>appreciated.
>> >> >>> >> >>
>> >> >>> >> >>Kind regards
>> >> >>> >> >>Robin
>> >> >>> >> >>
>> >> >>> >> >>10-Oct 02:45:21.752 |INFO | [/].log | Velocity   [info] ResourceManager : found /pages/frontend/home.vm with loader org.apache.velocity.tools.view.servlet.WebappLoader
>> >> >>> >> >>10-Oct 02:45:21.761 |INFO | [/].log | Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.763 |INFO | [/].log | Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.764 |INFO | [/].log | Velocity  [error] RHS of #set statement is null. Context will not be modified. /pages/frontend/home.vm [line 9, column 1]
>> >> >>> >> >>10-Oct 02:45:21.772 |INFO | [/].log | Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.773 |INFO | [/].log | Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>> >> >>> >> >>10-Oct 02:45:21.774 |INFO | [/].log | Velocity   [warn] org.apache.velocity.runtime.exception.ReferenceException: reference : template = /pages/frontend/home.vm [line 32,column 34] : $request.contextPath is not a valid reference.
>> >> >>> >> >>
>> >> >>> >> >>---------------------------------------------------------------------
>> >> >>> >> >>To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
>> >> >>> >> >>For additional commands, e-mail: velocity-user-help@jakarta.apache.org
>> >> >>> >> >>
>> >> >>> >> >>
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >> >--
>> >> >>> >> >Forio Business Simulations
>> >> >>> >> >
>> >> >>> >> >Will Glass-Husain
>> >> >>> >> >wglass@forio.com
>> >> >>> >> >www.forio.com
>> >> >>> >> >
>> >> >>> >
>> >> >>> >
>> >> >>> >--
>> >> >>> >Forio Business Simulations
>> >> >>> >
>> >> >>> >Will Glass-Husain
>> >> >>> >wglass@forio.com
>> >> >>> >www.forio.com
>> >> >>> >
>> >> >>
>> >> >>
>> >> >>--
>> >> >>Forio Business Simulations
>> >> >>
>> >> >>Will Glass-Husain
>> >> >>wglass@forio.com
>> >> >>www.forio.com
>> >> >>
>> >
>> >
>> >--
>> >Forio Business Simulations
>> >
>> >Will Glass-Husain
>> >wglass@forio.com
>> >www.forio.com
>>
>
>
>--
>Forio Business Simulations
>
>Will Glass-Husain
>wglass@forio.com
>www.forio.com
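
Added example, not part of the thread and not Velocity or Tomcat code: a small triage script that reads the AccessControlException lines quoted above, collapses them into distinct denied permissions, and renders a policy grant scoped to one webapp, marking container-internal packages for review. The codeBase path, the list of internal package prefixes, and all function names are assumptions made for illustration; the regex also accepts the quoted message form that later JDKs print, which goes beyond the log shown in the thread.

```python
import re
from collections import Counter

# Handles the JDK 1.4/5 message form seen in the thread and the later quoted form:
#   access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
#   access denied ("java.io.FilePermission" "/tmp/x" "read")
DENIED = re.compile(
    r'access denied \("?([\w.$]+)"?\s+"?([^"\s)]+)"?(?:\s+"?([^")]+)"?)?\)')

# Assumption: package prefixes treated as container internals for review purposes.
INTERNAL_PREFIXES = ("org.apache.catalina.", "org.apache.coyote.", "sun.")

# Assumption: codeBase of the webapp; the thread does not give the deployment path.
CODE_BASE = "file:${catalina.base}/webapps/ROOT/-"

# Log lines from the thread, re-joined after mail wrapping.
SAMPLE_LOG = """\
10-Oct 02:45:21.761 |INFO | [/].log | Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.763 |INFO | [/].log | Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.772 |INFO | [/].log | Velocity  [error] PROGRAMMER ERROR : PropertyExector() : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
10-Oct 02:45:21.773 |INFO | [/].log | Velocity  [error] ASTIdentifier.execute() : identifier = contextPath : java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
"""


def denied_permissions(log_text):
    """Count each distinct (class, target, actions) denial found in the log."""
    return Counter(m.groups() for m in DENIED.finditer(log_text))


def is_internal(cls, target):
    """True for accessClassInPackage requests aimed at container-internal packages."""
    prefix = "accessClassInPackage."
    if cls != "java.lang.RuntimePermission" or not target.startswith(prefix):
        return False
    return (target[len(prefix):] + ".").startswith(INTERNAL_PREFIXES)


def policy_block(denials, code_base=CODE_BASE):
    """Render a grant limited to one codeBase instead of a global grant."""
    lines = ['grant codeBase "%s" {' % code_base]
    for (cls, target, actions), n in sorted(denials.items(), key=lambda kv: kv[0][:2]):
        perm = '    permission %s "%s"' % (cls, target)
        if actions:
            perm += ', "%s"' % actions
        perm += ";"
        if is_internal(cls, target):
            perm += "  // REVIEW: container-internal package (denied %d times)" % n
        lines.append(perm)
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(policy_block(denied_permissions(SAMPLE_LOG)))
```

Run against the thread's log, the four error lines reduce to a single permission, which is the one the hosting provider was asked to grant.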
