On 24/08/2009, at 1:29 PM, Jeromy Evans wrote:


As a work-around (guess), I changed it to cimpl.getDeclaredClasses() instead which is permitted (I don't know if this has the same effect on the ClassLoader). That got me past the issue above, but the same SecurityException occurs in XWork's ContainerImpl$ConstructorInjector.findConstructorIn(): SecurityException: Unable to get members for Class o.a.s.v.v.VelocityManager


This exception occurs within Google App Engine because XWork eagerly loads the VelocityManager Class for the bean struts-default.xml. VelocityManager uses the VelocityToolbox optional dependency (in velocity-tools) which is not deployed with the application by default. I presume the GAE ClassLoader checks all imported classes against the whitelist and fails if the class is not found.
It's overcome by deploying the application with velocity.

I now have Struts 2.1.8-snapshot with Convention, Sitemesh and JSON, within a Guice2 servlet filter for IOC, running within GAE.

The mandatory work-arounds are:
- to still use a ServletContextListener to disable the OgnlRuntime security manager. If not done, an IllegalAccessException occurs in OgnlUtil.setProperty(String) at run-time. This exception is swallowed, but it typically results in an NPE in ServletRedirectResult.isPathUrl(String) because location cannot be set.
- the velocity dependencies need to be deployed with the application even if not in use. If not done, a security exception occurs while getting the members of VelocityManager because VelocityManager imports VelocityToolbox and VelocityEngine.

I don't think any S2 code changes are required at this time.

regards,
 Jeromy Evans
