Posted to user@struts.apache.org by Philip Tsai <ts...@cs.stanford.edu> on 2002/11/28 05:01:45 UTC

AccessControlException when plugging in Tiles with Struts 1.1b2

Hello list!

I have gotten frustrated enough that I am wondering whether anyone here can
enlighten me on this bizarre problem.

I am using the standard web.xml and struts-config.xml without any modification;
for example, those that come with the blank application.  When I start Tomcat
with Struts 1.1b2 and Tiles Plugin on RedHat 7.1 and JDK 1.4 (on my host's
webserver, which uses Ensim's virtual private server),  catalina.out shows the
following exception trace.  When I comment out the Tiles plugin in
struts-config.xml, the exception disappears and everything runs fine.  So I
know this security problem must be related with the Tiles plugin.  I have tried
tweaking Java/Tomcat's policy file to no avail (e.g. granting everything
AllPermission in catalina.policy doesn't seem to help; but again, perhaps I am
not doing this correctly).  If this problem can be resolved by tweaking the
Java/Tomcat policy files appropriately, can any java-security-experienced user
help shed some light?  Where and what sorts of security policy entries should I
add?

What is odd, though, is that using the same Struts and Tiles setup on my own W2K
machine, everything starts beautifully.  No tweaking of anything is necessary.

Thanks a bunch!
Philip


java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
        at java.lang.Class.checkMemberAccess(Class.java:1401)
        at java.lang.Class.getDeclaredMethods(Class.java:1101)
        at org.apache.commons.beanutils.MappedPropertyDescriptor$1.run(MappedPropertyDescriptor.java:381)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.commons.beanutils.MappedPropertyDescriptor.getPublicDeclaredMethods(MappedPropertyDescriptor.java:378)
        at org.apache.commons.beanutils.MappedPropertyDescriptor.internalFindMethod(MappedPropertyDescriptor.java:448)
        at org.apache.commons.beanutils.MappedPropertyDescriptor.findMethod(MappedPropertyDescriptor.java:522)
        at org.apache.commons.beanutils.MappedPropertyDescriptor.<init>(MappedPropertyDescriptor.java:149)
        at org.apache.commons.beanutils.PropertyUtils.getPropertyDescriptor(PropertyUtils.java:883)
        at org.apache.commons.beanutils.BeanUtils.setProperty(BeanUtils.java:846)
        at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:726)
        at org.apache.struts.action.ActionServlet.initApplicationPlugIns(ActionServlet.java:989)
        at org.apache.struts.action.ActionServlet.init(ActionServlet.java:458)
        at javax.servlet.GenericServlet.init(GenericServlet.java:258)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:916)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3266)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3395)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:614)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
        at org.apache.catalina.core.StandardService.start(StandardService.java:388)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: AccessControlException when plugging in Tiles with Struts 1.1b2

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 27 Nov 2002, Philip Tsai wrote:

> Date: Wed, 27 Nov 2002 20:01:45 -0800
> From: Philip Tsai <ts...@cs.stanford.edu>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: struts-user@jakarta.apache.org
> Subject: AccessControlException when plugging in Tiles with Struts 1.1b2
>
> Hello list!
>
> I have gotten frustrated enough that I am wondering whether anyone here can
> enlighten me on this bizarre problem.
>
> I am using the standard web.xml and struts-config.xml without any modification;
> for example, those that come with the blank application.  When I start Tomcat
> with Struts 1.1b2 and Tiles Plugin on RedHat 7.1 and JDK 1.4 (on my host's
> webserver, which uses Ensim's virtual private server),  catalina.out shows the
> following exception trace.  When I comment out the Tiles plugin in
> struts-config.xml, the exception disappears and everything runs fine.  So I
> know this security problem must be related with the Tiles plugin.  I have tried
> tweaking Java/Tomcat's policy file to no avail (e.g. granting everything
> AllPermission in catalina.policy doesn't seem to help; but again, perhaps I am
> not doing this correctly).  If this problem can be resolved by tweaking the
> Java/Tomcat policy files appropriately, can any java-security-experienced user
> help shed some light?  Where and what sorts of security policy entries should I
> add?
>
> What is odd, though, is that using the same Struts and Tiles setup on my own W2K
> machine, everything starts beautifully.  No tweaking of anything is necessary.
>

It looks like your ISP is running Tomcat with a SecurityManager in place
-- a very sensible choice on their part.  It looks, in particular, like
they have tightened the default security manager permissions (which let
you run Struts apps with no problems).  It would be worth talking to the
customer support folks there to see what they changed, and to enable some
debugging that will help determine which permission needs to be allowed
(probably one of the "accessClassInPackage" permissions, but there's no
way to tell from just the stack trace).

> Thanks a bunch!
> Philip

Craig
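
Added example (not part of either message): a small triage script for this kind of catalina.out trace. It rejoins the 80-column-wrapped frames, reads the denied permission from the exception message, and lists the application classes on the stack down to the caller of doPrivileged, since the access check examines no frames below that caller. The names unwrap and analyse are hypothetical, and SAMPLE is a constructed excerpt shaped like the trace in this thread.

```python
import re

# Constructed sample: shortened excerpt in the shape of the trace in this
# thread, including the 80-column wrapping of long lines.
SAMPLE = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission
 accessDeclaredMembers)
        at java.security.AccessControlContext.checkPermission(AccessControlConte
xt.java:270)
        at java.lang.Class.getDeclaredMethods(Class.java:1101)
        at org.apache.commons.beanutils.MappedPropertyDescriptor$1.run(MappedPro
pertyDescriptor.java:381)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.commons.beanutils.MappedPropertyDescriptor.getPublicDeclar
edMethods(MappedPropertyDescriptor.java:378)
        at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:726)
        at org.apache.struts.action.ActionServlet.init(ActionServlet.java:458)
"""

def unwrap(text):
    """Rejoin wrapped lines: anything that is neither an exception header
    nor an 'at' frame continues the previous line."""
    out = []
    for line in text.splitlines():
        if out and line.strip() and not re.match(r"\s+at |\S+(Exception|Error):", line):
            # A wrapped header keeps its leading space; a frame was cut mid-token.
            out[-1] += line if line[0] == " " else line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out

def analyse(text):
    """Return (policy permission line, application classes whose protection
    domain was examined by the failed access check)."""
    lines = unwrap(text)
    perm_class, target = re.search(r"access denied \((\S+) ([^)]*)\)", lines[0]).groups()
    frames = [re.match(r"\s+at ([\w.$<>]+)\.[\w$<>]+\(", l).group(1) for l in lines[1:]]
    checked = []
    for i, cls in enumerate(frames):
        checked.append(cls)
        if cls == "java.security.AccessController" and "doPrivileged" in lines[i + 1]:
            if i + 1 < len(frames):
                checked.append(frames[i + 1])  # privileged caller: last domain checked
            break
    # Bootstrap classes (java.*, sun.*) already hold every permission.
    app = sorted({c for c in checked if not c.startswith(("java.", "sun."))})
    return f'permission {perm_class} "{target}";', app

if __name__ == "__main__":
    permission, classes = analyse(SAMPLE)
    print(permission)
    print("code sources to cover:", ", ".join(classes))
```

The permission line it returns goes inside a grant block of the policy file the running JVM actually loads, with a codeBase that covers the jar containing the listed classes.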

