In the end I proceeded with the OgnlRuntime.setSecurityManager(null) option. It seems like a bad idea but it allows me to proceed for now.
Here's the code I used:
public class MyContextListener implements ServletContextListener {
@Override
public void contextDestroyed(ServletContextEvent arg0) {
}
@Override
public void contextInitialized(ServletContextEvent arg0) {
OgnlRuntime.setSecurityManager(null);
}
}
And in my web.xml I added:
<listener>
<listener-class>com.myapp.MyContextListener</listener-class>
</listener>