Version 1.1 may require property permissions and OGNL permissions that are not listed here. Please update this page if you know more about it.

For version 1.2 and up, you seem to need (Tomcat conf/catalina.policy syntax):

// For substitution of one object for another during serialization
// or deserialization. This is used in ReplaceObjectOutputStream,
// which is used for page versioning (undoing changes).
permission java.io.SerializablePermission "enableSubstitution";

// For FilePageStore's custom serialization
permission java.io.SerializablePermission "enableSubclassImplementation";

// For crypted URL functionality (see WebRequestWithCryptedUrl).
permission java.security.SecurityPermission "insertProvider.SunJCE";

// The following was required to get Wicket, at least the examples, to work at all
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

If you are doing file uploads, you need to grant (if not already granted)

permission java.util.PropertyPermission "java.io.tmpdir", "read";

and for Wicket properties to work (currently only the development/ production flag falls in this category, which if provided as a system property -Dwicket.configuration=(development/deployment) will override any set in the web.xml file), you'll need to add

permission java.util.PropertyPermission "wicket.*", "read";

I added the following to my /etc/tomcat5.5/policy.d/50user.policy to make my small Wicket application work on Tomcat 5.5 on Debian:

grant codeBase "jar:file:/var/lib/tomcat5.5/webapps/simile-timeline-demo/WEB-INF/lib/wicket-1.3.5.jar!/-" {
 permission java.util.PropertyPermission "org.apache.wicket.*", "read";

 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/var/lib/tomcat5.5/webapps/simile-timeline-demo/WEB-INF/classes/-" {
 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
  • No labels