As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations

Description

When developing apps for Liferay's Marketplace, the official docs describe a process like this:

1. Develop app with PACL turned off
2. Turn PACL on
3. Run app, find a PACL error.
4. Try to figure out which PACL stanza will get you past the error. Add it to your liferay-plugin-package.properties
5. Re-deploy app
6. Return to step 3 until no more errors

This is very time consuming and error-prone. As a developer, I'd rather have a way for Liferay to tell me which PACL declarations I need, rather than me doing all the legwork.

See the numerous issues with fleshing out PACL declarations here:

http://www.liferay.com/forums/-/message_boards/message/17489093/maximized
http://www.liferay.com/forums/-/message_boards/message/17329080/maximized
... and others here: http://www.liferay.com/forums/-/message_boards/category/10919228/maximized

Activity

Show:

Raymond Augé May 10, 2013 at 1:55 PM

The security-manager-generator-dir= property was not implemented in the final version.

Raymond Augé January 9, 2013 at 1:21 PM

One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

Raymond Augé January 9, 2013 at 1:18 PM

What follows is the policy generated for the sample-service-builder-portlet:

security-manager-expando-bridge=\ com.liferay.sampleservicebuilder.model.Foo security-manager-files-read=\ ./service-ext.properties,\ /home/rotty/global-configuration.properties,\ /home/rotty/service-ext.properties,\ global-configuration.properties security-manager-get-bean-property=\ com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ com.liferay.portal.kernel.util.PropsUtil,\ com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ com.liferay.portal.util.PortalUtil,\ com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil security-manager-services[portal]=\ com.liferay.counter.service.CounterLocalService#increment,\ com.liferay.portal.service.GroupLocalService#getGroup,\ com.liferay.portal.service.LayoutLocalService#getLayout,\ com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ com.liferay.portal.service.ResourceLocalService#addResources,\ com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ com.liferay.portal.service.UserLocalService#getUserById,\ com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting security-manager-sql-tables-insert=\ AssetEntries_AssetTags,\ AssetTag,\ AssetTagStats,\ ResourcePermission security-manager-sql-tables-select=\ AssetEntries_AssetTags,\ AssetEntry,\ AssetTag,\ AssetTagStats,\ ResourcePermission,\ SSB_Foo security-manager-sql-tables-update=\ AssetEntry,\ AssetTag,\ AssetTagStats,\ SSB_Foo

Raymond Augé January 9, 2013 at 1:17 PM
Edited

Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool:

  1. place the plugin into generate mode:

    security-manager-enabled=generate
  2. with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)

  3. however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check

  4. the rules will be collected and writen (on the fly) to a properties file

  5. the default write location is:

    ${liferay.home}/pacl-policy/${servletContextName}.policy
  1. the following section was not implemented

  2. if the developer specifies the property

    security-manager-generator-dir=/home/user/paclfoo

    then the generated policy file will be writen to that path, e.g.:

    /home/user/paclfoo/${servletContextName}.policy
  1. new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin

  2. once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin

  3. revert the property

    security-manager-enabled=generate


    to

    security-manager-enabled=true
  4. submit the plugin

Completed
Pinned fields
Click on the next to a field label to start pinning.

Assignee

Dave Truong

Reporter

Affects versions

Priority

Created January 9, 2013 at 1:10 PM
Updated June 26, 2023 at 6:21 AM
Resolved March 12, 2013 at 2:19 PM
 

Flag notifications