Posted to user@velocity.apache.org by Will Glass-Husain <wg...@gmail.com> on 2010/03/31 16:47:40 UTC
Re: BuildingSecureWebApplications - restrictions using SecurityManager with Velocity 1.3.1

Hi,

I wrote that doc originally.

I did manage to run Tomcat under a Security Manager. It was a hassle -- a
lot of framework libraries (I was using Hibernate and Velocity, among
others) use reflection, which can fail under strict SecurityManager
settings. I had to go through a trial-and-error process in which I kept
getting access errors for specific classes, permitting them in the security
settings, and then trying again. Unfortunately, I don't have the list of
specific settings I used.

I've been less concerned about this issue ever since Velocity introduced the
SecureIntrospector, which prevents template authors from calling class loader
related method calls.

WILL

On Wed, Mar 31, 2010 at 7:37 AM, sebb <se...@gmail.com> wrote:
> The Wiki page
>
> http://wiki.apache.org/velocity/BuildingSecureWebApplications
>
> mentions some restrictions on using SecurityManager with Velocity 1.3.1.
>
> The current version of the engine is 1.6.2 - does it also have such
> restrictions?
> Or perhaps some of them have been eliminated?
>
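
The SecureIntrospector behaviour mentioned in the reply above, shown as an added example that is not part of the original thread or the Velocity project's own code. It assumes Velocity 1.6.x on the classpath, where the feature is enabled through the `runtime.introspector.uberspect` property and the `SecureUberspector` class; the class name `SecureUberspectorDemo` and the template string are constructed for illustration.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureUberspectorDemo {

    // Constructed template: a reference that walks from a context object
    // to its Class and then to the class loader.
    static final String TEMPLATE = "loader=$obj.getClass().getClassLoader()";

    // Render TEMPLATE with the default uberspector or with SecureUberspector.
    static String render(boolean secure) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        // Assumption: discard Velocity's own log output so the demo writes no log file.
        engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS,
                "org.apache.velocity.runtime.log.NullLogChute");
        if (secure) {
            // Same effect as this line in velocity.properties:
            // runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
            engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                    "org.apache.velocity.util.introspection.SecureUberspector");
        }
        engine.init();

        VelocityContext ctx = new VelocityContext();
        // Use an application object: its class loader is non-null, so the
        // difference between the two engines is visible in the output.
        ctx.put("obj", new SecureUberspectorDemo());

        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "demo", TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Compare the two renderings: the secure engine refuses method calls
        // on java.lang.Class, so the reference is left unresolved in the output.
        System.out.println("default uberspector: " + render(false));
        System.out.println("secure uberspector : " + render(true));
    }
}
```

The packages and classes the secure uberspector refuses are taken from the `introspector.restrict.packages` and `introspector.restrict.classes` properties, so a deployment can review that list in its `velocity.properties`.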