...
The mandatory work-around are:
- to still use a ServletContextListener to disable the OgnlRuntime security manager. If not done, an IllegalAccessException occurs in OgnlUtil.setProperty(String) at run-time. This exception is swallowed, but it typically results in an NPE in ServletRedirectResult.isPathUrl(String) because location cannot be set.
- the velocity dependencies need to be deployed with the application even if not in use. If not done, a security exception occurs while getting the members of VelocityManager because VelocityManager imports VelocityToolbox and VelocityEngine.
I don't think any S2 code changes are required at this time.