Posted to user@struts.apache.org by Fredrik Andersson <fr...@hotmail.com> on 2013/11/26 21:43:24 UTC

Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);

Hello!

(Hope this is the correct forum for this question)

 

I get this error in my hello-world-struts2-webapp when I run it in my tomcat with the catalina.policy.

(Btw my catalina.policy is edited a bit to match my production env: http://pastie.org/8510824)

/-- Encapsulated exception ------------\
java.lang.IllegalAccessException: Method [public void se.mycompany.web.actions.WelcomeUserAction.setUsername(java.lang.String)] cannot be accessed.
at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:838)
at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1280)

I found this solution:

https://groups.google.com/forum/#!msg/google-appengine-java/GQGLAxfyeBc/1NIfi8duNCEJ

It suggests that a listener does:

OgnlRuntime.setSecurityManager(null);

In the doc for OgnlRuntime it says:

Sets the SecurityManager that OGNL uses to determine permissions for invoking methods.

But is this really a correct solution to set it to null?

To me it doesn't sound good to have the securitymanager set to null, what security holes does that create?

Could this be solved with some extra grants in the catalina.policy-file instead?

Best regards

Fredrik

Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);

Posted by Lukasz Lenart <lu...@apache.org>.
2013/11/27 Fredrik Andersson <fr...@hotmail.com>:
> I then guess that you agree with me that if it is possible (if you got permissions to add permissions) to set the permissions like this instead of the OgnlRuntime.setSecurityManager(null);
>
> Do you agree with me?

Yes, for sure :-)

There was even a dedicated SecurityManager developed by Jeff Black.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);

Posted by Fredrik Andersson <fr...@hotmail.com>.
Hello!

Thanks for all help guys!

The permissions worked perfectly, really interesting.

I then guess that you agree with me that if it is possible (if you got permissions to add permissions) to set the permissions like this instead of the OgnlRuntime.setSecurityManager(null);

Do you agree with me?

Best regards

Fredrik

> From: lukaszlenart@apache.org
> Date: Tue, 26 Nov 2013 22:35:53 +0100
> Subject: Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);
> To: user@struts.apache.org
> 
> This should help [1] and you must add these (I cannot find the correct
> link with exact example for Struts2)
> 
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> permission java.lang.RuntimePermission "*";
> permission ognl.OgnlInvokePermission "*";
> 
> [1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence
> 
> 

Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);

Posted by Lukasz Lenart <lu...@apache.org>.
This should help [1] and you must add these (I cannot find the correct
link with exact example for Struts2)

permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "*";
permission ognl.OgnlInvokePermission "*";

[1] https://confluence.atlassian.com/display/CONF29/Java+Policy+Security+with+Confluence


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
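
Added example, not part of the original post: the three permissions listed above, placed in a catalina.policy `grant` block that applies only to one web application's code rather than to all code. The directory name `hello-world` is an assumed placeholder for the deployed application; `${catalina.base}` is Tomcat's system property for the instance directory.

```conf
// catalina.policy fragment (constructed example, not from the thread)
// Assumption: the application is deployed at ${catalina.base}/webapps/hello-world
// The trailing "/-" covers every class and JAR below that directory,
// including the OGNL and Struts 2 JARs in WEB-INF/lib.
grant codeBase "file:${catalina.base}/webapps/hello-world/-" {
    // lets reflection code call setAccessible(true) on methods and fields
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // "*" matches every RuntimePermission target name
    permission java.lang.RuntimePermission "*";
    // the permission type OGNL checks before invoking a method
    permission ognl.OgnlInvokePermission "*";
};
```

With a scoped grant like this, OGNL's SecurityManager stays in place and no listener calling OgnlRuntime.setSecurityManager(null) is needed.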




Re: Will I get sideeffects with: OgnlRuntime.setSecurityManager(null);

Posted by Damian Blazejewski <da...@gmail.com>.
What is the access modifier of method WelcomeUserAction.setUsername()?

Best regards,
Damian Błażejewski
dblazejewski.com

