struts-dev mailing list archives

From Philip Luppens
Subject Re: Convention/XWork on GAE: unable to get members (SecurityException)
Date Mon, 24 Aug 2009 08:41:18 GMT
On Mon, Aug 24, 2009 at 10:11 AM, Jeromy Evans wrote:
> On 24/08/2009, at 1:29 PM, Jeromy Evans wrote:
>> As a work-around (guess), I changed it to cimpl.getDeclaredClasses()
>> instead which is permitted (I don't know if this has the same effect on the
>> ClassLoader).  That got me past the issue above, but the same
>> SecurityException occurs in XWork's
>> ContainerImpl$ConstructorInjector.findConstructorIn():
>> SecurityException: Unable to get members for Class
>> o.a.s.v.v.VelocityManager
> This exception occurs within Google App Engine because XWork eagerly loads
> the VelocityManager Class for the bean struts-default.xml.  VelocityManager
> uses the VelocityToolbox optional dependency (in velocity-tools) which is
> not deployed with the application by default.  I presume the GAE ClassLoader
> checks all imported classes against the whitelist and fails if the class is
> not found.
> It's overcome by deploying the application velocity.
> I now have Struts 2.1.8-snapshot with Convention, Sitemesh and JSON, within
> a Guice2 servlet filter for IOC, running within GAE.
> The mandatory work-arounds are:
>  - to still use a ServletContextListener to disable the OgnlRuntime security
> manager.  If not done, an IllegalAccessException occurs in
> OgnlUtil.setProperty(String) at run-time.  This exception is swallowed, but
> it typically results in an NPE in ServletRedirectResult.isPathUrl(String)
> because location cannot be set.
>  - the velocity dependencies need to be deployed with the application even
> if not in use.  If not done, a security exception occurs while getting the
> members of VelocityManager because VelocityManager imports VelocityToolbox
> and VelocityEngine.
> I don't think any S2 code changes are required at this time.
> regards,
>  Jeromy Evans

Just to make sure it doesn't get lost, I've added it to the FAQ on GAE.

Feel free to clean up/clarify.


"We cannot change the cards we are dealt, just how we play the hand."
- Randy Pausch
