struts-user mailing list archives

From Fredrik Andersson <fredan...@hotmail.com>
Subject RE: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
Date Wed, 27 Nov 2013 20:19:12 GMT
Hello!

Thanks for all the help, guys!

The permissions worked perfectly, really interesting.

I then guess that you agree with me that if it is possible (if you got permissions to add permissions) to set the permissions like this instead of the OgnlRuntime.setSecurityManager(null);

Do you agree with me?

Best regards

Fredrik

> From: lukaszlenart@apache.org
> Date: Tue, 26 Nov 2013 22:35:53 +0100
> Subject: Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
> To: user@struts.apache.org
> 
> This should help [1] and you must add these (I cannot find the correct
> link with exact example for Struts2)
> 
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> permission java.lang.RuntimePermission "*";
> permission ognl.OgnlInvokePermission "*";
> 
> [1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence
> 
> 
> Regards
> 
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> 
> 2013/11/26 Fredrik Andersson <fredand44@hotmail.com>:
> > Hello!
> >
> > (Hope this is the correct forum for this question)
> >
> >
> >
> > I get this error in my hello-world-struts2-webapp when I run it in my tomcat with the catalina.policy.
> >
> > (Btw my catalina.policy is edited a bit to match my production env: http://pastie.org/8510824)
> >
> >
> >
> > /-- Encapsulated exception ------------\
> > java.lang.IllegalAccessException: Method [public void se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)] cannot be accessed.
> > at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
> > at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)
> >
> >
> >
> >
> > I found this solution:
> >
> > https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ
> >
> >
> >
> > It suggests that a listener does:
> >
> > OgnlRuntime.setSecurityManager(null);
> >
> >
> >
> > In the doc for OgnlRuntime it says:
> >
> > Sets the SecurityManager that OGNL uses to determine permissions for invoking methods.
> >
> >
> >
> > But is this really a correct solution to set it to null?
> >
> > To me it doesn't sound good to have the securitymanager set to null, what security holes does that create?
> >
> >
> >
> > Could this be solved with some extra grants in the catalina.policy-file instead?
> >
> >
> >
> >
> >
> > Best regards
> >
> > Fredrik
> >
> 
> 
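Added example, not part of the thread and not Struts or OGNL code: a small Python check that reads a Java policy file and lists the entries a reviewer would want to tighten when granting the permissions quoted above, namely grants with no codeBase, a bare "*" target, or AllPermission. The sample policy is constructed; the `hello` webapp path and the narrowed `invoke.se.mycompany.web.actions.*` target are assumptions for illustration.

```python
import re

# Constructed sample (not the poster's catalina.policy). Grant 1 repeats the
# three permissions quoted in the thread with no codeBase; grant 2 scopes them
# to a hypothetical webapp path and narrows the OGNL target (both assumptions).
SAMPLE_POLICY = '''
// applies to every code source
grant {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "*";
    permission ognl.OgnlInvokePermission "*";
};
grant codeBase "file:${catalina.base}/webapps/hello/-" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission ognl.OgnlInvokePermission "invoke.se.mycompany.web.actions.*";
};
'''

# Quoted strings are matched as units so "${...}" and "file://" inside them
# are not mistaken for block braces or comments.
STRIP_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
GRANT_RE = re.compile(r'grant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;')
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:"[^"]*"|[^;"])*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.I)


def audit_policy(text):
    """Return (codeBase, permission class, target, reasons) for broad entries."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ''
    text = STRIP_RE.sub(keep_strings, text)
    findings = []
    for header, body in GRANT_RE.findall(text):
        m = CODEBASE_RE.search(header)
        codebase = m.group(1) if m else None  # None: grant applies to all code
        for cls, target in PERM_RE.findall(body):
            reasons = []
            if cls == 'java.security.AllPermission':
                reasons.append('AllPermission')
            elif target == '*':
                reasons.append('wildcard target')
            if codebase is None:
                reasons.append('no codeBase')
            if reasons:
                findings.append((codebase, cls, target, ', '.join(reasons)))
    return findings


if __name__ == '__main__':
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```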
 		 	   		  