From: Fredrik Andersson
To: Struts Users Mailing List
Subject: RE: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
Date: Wed, 27 Nov 2013 20:19:12 +0000

Hello!

Thanks for all the help, guys!

The permissions worked perfectly, really interesting.

I then guess that you agree with me that if it is possible (if you got permissions to add permissions) to set the permissions like this instead of the OgnlRuntime.setSecurityManager(null); Do you agree with me?

Best regards
Fredrik

> From: lukaszlenart@apache.org
> Date: Tue, 26 Nov 2013 22:35:53 +0100
> Subject: Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
> To: user@struts.apache.org
>
> This should help [1] and you must add these (I cannot find the correct
> link with exact example for Struts2)
>
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> permission java.lang.RuntimePermission "*";
> permission ognl.OgnlInvokePermission "*";
>
> [1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence
>
> Regards
>
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2013/11/26 Fredrik Andersson:
> > Hello!
> >
> > (Hope this is the correct forum for this question)
> >
> > I get this error in my hello-world-struts2-webapp when I run it in my tomcat with the catalina.policy.
> >
> > (Btw my catalina.policy is edited a bit to match my production env: http://pastie.org/8510824)
> >
> > /-- Encapsulated exception ------------\
> > java.lang.IllegalAccessException: Method [public void se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)] cannot be accessed.
> > at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
> > at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)
> >
> > I found this solution:
> >
> > https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ
> >
> > It suggests that a listener does:
> >
> > OgnlRuntime.setSecurityManager(null);
> >
> > In the doc for OgnlRuntime it says:
> >
> > Sets the SecurityManager that OGNL uses to determine permissions for invoking methods.
> >
> > But is this really a correct solution to set it to null?
> >
> > To me it doesn't sound good to have the securitymanager set to null, what security holes does that create?
> >
> > Could this be solved with some extra grants in the catalina.policy-file instead?
> >
> > Best regards
> >
> > Fredrik
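
An added example, not part of the thread and not Struts or OGNL code: a JDK-only audit that parses the three grant lines quoted above and reports which sensitive RuntimePermission targets each one implies. `OgnlInvokeStandIn` is a hypothetical stand-in for ognl.OgnlInvokePermission (assumed to match wildcards the way BasicPermission does) so the code runs without OGNL on the classpath, and the SENSITIVE list is a sample chosen for illustration.

```java
import java.lang.reflect.ReflectPermission;
import java.security.BasicPermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyGrantAudit {
    // Hypothetical stand-in for ognl.OgnlInvokePermission (assumption: BasicPermission semantics).
    static final class OgnlInvokeStandIn extends BasicPermission {
        OgnlInvokeStandIn(String name) { super(name); }
    }
    // The three permission entries quoted in the thread.
    static final String[] GRANTS = {
        "permission java.lang.reflect.ReflectPermission \"suppressAccessChecks\";",
        "permission java.lang.RuntimePermission \"*\";",
        "permission ognl.OgnlInvokePermission \"*\";"
    };
    // Sample of JDK RuntimePermission targets that weaken a sandbox when granted.
    static final String[] SENSITIVE = {
        "setSecurityManager", "createClassLoader", "exitVM", "accessDeclaredMembers"
    };
    static final Pattern ENTRY = Pattern.compile("permission\\s+(\\S+)\\s+\"([^\"]*)\"\\s*;");

    // Turn one policy-file permission entry into a Permission object.
    static Permission parse(String line) {
        Matcher m = ENTRY.matcher(line.trim());
        if (!m.matches()) throw new IllegalArgumentException("not a permission entry: " + line);
        String type = m.group(1), target = m.group(2);
        switch (type) {
            case "java.lang.RuntimePermission":         return new RuntimePermission(target);
            case "java.lang.reflect.ReflectPermission": return new ReflectPermission(target);
            case "ognl.OgnlInvokePermission":           return new OgnlInvokeStandIn(target);
            default: throw new IllegalArgumentException("unhandled permission type: " + type);
        }
    }
    // implies() only matches within the same permission class, so only a
    // RuntimePermission grant can cover these targets; "*" covers all of them.
    static List<String> impliedSensitive(Permission granted) {
        List<String> hits = new ArrayList<>();
        for (String target : SENSITIVE)
            if (granted.implies(new RuntimePermission(target))) hits.add(target);
        return hits;
    }
    public static void main(String[] args) {
        for (String g : GRANTS) {
            Permission p = parse(g);
            System.out.println(p + " implies sensitive runtime targets: " + impliedSensitive(p));
        }
    }
}
```

The RuntimePermission "*" entry is the one that reports every target in the sample list, including setSecurityManager, which is worth knowing when comparing the policy-file route with disabling OGNL's check.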