PACL, issue with SecurityManager
Description
Activity
Serena Song January 29, 2013 at 1:57 AM
PASSED Manual Testing using the following steps:
Start up Liferay.
Navigate to ..\portlets\test-pacl-portlet\docroot.
Open the view.jsp file and add the following code to it.
<% Mac mac = Mac.getInstance("HMACSHA1"); %>
Deploy test-pacl-portlet and its dependencies
Add test-pacl-portlet to a page
Logout
Restart server
Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9163c531df1cb05b668a98413410989f1f231d25.
Plugin 6.1.x EE GIT ID: 0ff0a9ee0a616727d2a42edb8811a3ed41a336c1.
It will throw an exception.
Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: e782c1ebc63271a45ab85125a0cad0e1ce0c01ef.
Plugin 6.1.x EE GIT ID: 570a3cc499c4c1fc6eeaaaf277af9d1bd2840347.
Tomcat 7.0 + MySQL 5. Portal 6.2.x EE GIT ID: f5b69feabc821668b41e3b251fb2a14674a2da56.
Plugin 6.2.x EE GIT ID: 325f0c27c7f18fea7c4132161cd9ffdaf87fd699.
No exception occurs.
MikaM January 22, 2013 at 1:31 PM
Steps to reproduce with test-pacl-portlet
1. Login
2. Deploy test-pacl-portlet and its dependencies
3. Add test-pacl-portlet to a page
4. Logout
5. Restart server
6. View page with test-pacl-portlet and you should see AES Encrypt and HMacMD5 tests fail
MikaM January 22, 2013 at 10:16 AM
Will submit a new pr with fix for Windows.
MikaM December 3, 2012 at 10:26 AM
Added pre initialization as global startup action so that most basic operations work without declaring them explicitly.
I faced a problem with SecurityChecker and PACL.
In my plugin I have the code:
Mac mac = Mac.getInstance("HMACSHA1");
If security manager is enabled it throws the exception:
java.lang.SecurityException: Attempted to putProviderProperty.SUN on
at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
at java.security.Provider.check(Provider.java:386)
at java.security.Provider.putAll(Provider.java:224)
at sun.security.action.PutAllAction.run(PutAllAction.java:35)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.provider.Sun.<init>(Sun.java:254)
at sun.security.util.ManifestEntryVerifier.setEntry(ManifestEntryVerifier.java:110)
I looked into the code of SecurityChecker and found out that it can handle only permissions for getPolicy and setPolicy. In other cases it ALWAYS throws the security exception:
public void checkPermission(Permission permission) {
    String name = permission.getName();

    if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
        if (!hasGetPolicy()) {
            throwSecurityException(_log, "Attempted to get the policy");
        }
    }
    else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
        if (!hasSetPolicy()) {
            throwSecurityException(_log, "Attempted to set the policy");
        }
    }
    else {
        if (_log.isDebugEnabled()) {
            Thread.dumpStack();
        }

        throwSecurityException(
            _log,
            "Attempted to " + permission.getName() + " on " +
                permission.getActions());
    }
}
So, it looks like there is no way to run such "trivial" code with the Security Manager enabled in LR. Did I miss anything?
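An added example, not Liferay's code and not part of the original report: a stand-alone Java sketch of the deny-by-default branch in the checkPermission() excerpt above, followed by a startup warm-up in the spirit of the "pre initialization" comment. The class and method names, the "getPolicy"/"setPolicy" constant values, and the choice of warm-up calls are assumptions. No SecurityManager is installed, so it runs on current JDKs.

```java
import java.security.Permission;
import java.security.Provider;
import java.security.Security;
import java.security.SecurityPermission;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;

public class ProviderPreInit {

    // Stand-in for the posted checkPermission(): only the two policy names
    // are recognised (constant values assumed); every other name is refused.
    static String decide(Permission p, boolean getPolicy, boolean setPolicy) {
        String name = p.getName();
        if (name.equals("getPolicy")) {
            return getPolicy ? "allow" : "deny: Attempted to get the policy";
        }
        if (name.equals("setPolicy")) {
            return setPolicy ? "allow" : "deny: Attempted to set the policy";
        }
        // SecurityPermission is a BasicPermission, so getActions() is "",
        // which is why the reported message ends with a dangling "on".
        return "deny: Attempted to " + name + " on " + p.getActions();
    }

    // Hypothetical warm-up: resolve JCA services once from trusted startup
    // code, before any plugin code is on the call stack.
    static Map<String, String> preInitialize() throws Exception {
        for (Provider provider : Security.getProviders()) {
            provider.getServices(); // walk each installed provider's services
        }
        Map<String, String> resolved = new LinkedHashMap<>();
        // Algorithms named in this ticket; the objects are only used to
        // resolve a provider, nothing is encrypted or authenticated here.
        resolved.put("HMACSHA1", Mac.getInstance("HMACSHA1").getProvider().getName());
        resolved.put("HmacMD5", Mac.getInstance("HmacMD5").getProvider().getName());
        resolved.put("AES", Cipher.getInstance("AES").getProvider().getName());
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(decide(new SecurityPermission("getPolicy"), false, false));
        System.out.println(decide(new SecurityPermission("putProviderProperty.SUN"), true, true));
        preInitialize().forEach((alg, prov) -> System.out.println(alg + " -> " + prov));
    }
}
```

The second line of output shows that granting both policy permissions does not help: putProviderProperty.SUN never reaches an allow branch. Whether a warm-up like this covers every lazy provider path, including the JAR manifest verification seen in the stack trace, is not established by the ticket.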