struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeromy Evans <>
Subject Re: Convention/XWork on GAE: unable to get members (SecurityException)
Date Mon, 24 Aug 2009 08:11:12 GMT

On 24/08/2009, at 1:29 PM, Jeromy Evans wrote:

> As a work-around (guess), I changed it to cimpl.getDeclaredClasses()  
> instead which is permitted (I don't know if this has the same effect  
> on the ClassLoader).  That got me past the issue above, but the same  
> SecurityException occurs in XWork's ContainerImpl 
> $ConstructorInjector.findConstructorIn():
> SecurityException: Unable to get members for Class  
> o.a.s.v.v.VelocityManager

This exception occurs within Google App Engine because XWork eagerly  
loads the VelocityManager Class for the bean struts-default.xml.   
VelocityManager uses the VelocityToolbox optional dependency (in  
velocity-tools) which is not deployed with the application by  
default.  I presume the GAE ClassLoader checks all imported classes  
against the whitelist and fails if the class is not found.
It's overcome by deploying the application velocity.

I now have Struts 2.1.8-snapshot with Convention, Sitemesh and JSON,  
within a Guice2 servlet filter for IOC, running within GAE.

The mandatory work-around are:
   - to still use a ServletContextListener to disable the OgnlRuntime  
security manager.  If not done, an IllegalAccessException occurs in  
OgnlUtil.setProperty(String) at run-time.  This exception is  
swallowed, but it typically results in an NPE in  
ServletRedirectResult.isPathUrl(String) because location cannot be set.
   - the velocity dependencies need to be deployed with the  
application even if not in use.  If not done, a security exception  
occurs while getting the members of VelocityManager because  
VelocityManager imports VelocityToolbox and VelocityEngine.

I don't think any S2 code changes are required at this time.

  Jeromy Evans

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message