struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
Date Tue, 26 Nov 2013 21:35:53 GMT
This should help [1] and you must add these (I cannot find the correct
link with exact example for Struts2)

permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "*";
permission ognl.OgnlInvokePermission "*";

[1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


2013/11/26 Fredrik Andersson <fredand44@hotmail.com>:
> Hello!
>
> (Hope this is the correct forum for this question)
>
>
>
> I get this error in my hello-world-struts2-webapp when I run it in my tomcat with the catalina.policy.
>
> (Btw my catalina.policy is edited a bit to match my production env: http://pastie.org/8510824)
>
>
>
> /-- Encapsulated exception ------------\
> java.lang.IllegalAccessException: Method [public void se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)] cannot be accessed.
> at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
> at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)
>
>
>
>
> I found this solution:
>
> https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ
>
>
>
> It suggests that a listener does:
>
> OgnlRuntime.setSecurityManager(null);
>
>
>
> In the doc for OgnlRuntime it says:
>
> Sets the SecurityManager that OGNL uses to determine permissions for invoking methods.
>
>
>
> But is this really a correct solution to set it to null?
>
> To me it doesn't sound good to have the securitymanager set to null, what security holes does that create?
>
>
>
> Could this be solved with some extra grants in the catalina.policy-file instead?
>
>
>
>
>
> Best regards
>
> Fredrik
>
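
The three permission lines from the reply only take effect inside a `grant` block in catalina.policy. The fragment below is an added example, not part of the original messages: it scopes them to a single web application, with the directory name `myapp` as a placeholder and the `codeBase` form taken from the commented samples in Tomcat's stock catalina.policy.

```conf
// Added example: catalina.policy fragment.
// "myapp" is a placeholder for the web application's directory under webapps/.
// The trailing "/-" covers everything below that directory, including the
// Struts and OGNL jars in WEB-INF/lib, which are on the call stack when the
// SecurityManager checks the OGNL method invocation.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Permissions exactly as listed in the reply above.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "*";
    permission ognl.OgnlInvokePermission "*";
};
```

A `grant` with a `codeBase` applies only to code loaded from that location, so other web applications in the same Tomcat instance do not receive these permissions.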
