Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed

      Description

      I faced a problem with SecurityChecker and PACL.
      In my plugin I have the code:
      Mac mac = Mac.getInstance("HMACSHA1");

      If security manager is enabled it throws the exception:
      java.lang.SecurityException: Attempted to putProviderProperty.SUN on
      at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
      at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
      at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
      at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
      at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
      at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
      at java.security.Provider.check(Provider.java:386)
      at java.security.Provider.putAll(Provider.java:224)
      at sun.security.action.PutAllAction.run(PutAllAction.java:35)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.provider.Sun.<init>(Sun.java:254)
      at sun.security.util.ManifestEntryVerifier.setEntry(ManifestEntryVerifier.java:110)

      I looked into the code of SecurityChecker and found out that it can handle only permissions for getPolicy and setPolicy. In other cases it ALWAYS throws the security exception:
      public void checkPermission(Permission permission) {
          String name = permission.getName();

          if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
              if (!hasGetPolicy()) {
                  throwSecurityException(_log, "Attempted to get the policy");
              }
          }
          else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
              if (!hasSetPolicy()) {
                  throwSecurityException(_log, "Attempted to set the policy");
              }
          }
          else {
              if (_log.isDebugEnabled()) {
                  Thread.dumpStack();
              }

              throwSecurityException(
                  _log,
                  "Attempted to " + permission.getName() + " on " +
                      permission.getActions());
          }
      }

      So, it looks like there is no way to run such "trivial" code with the Security Manager enabled in LR. Did I miss anything?

      1. log.txt
        37 kB
        Dzmitry Shaparau
      2. sample-auth-hook-hook-6.1.1.1.war
        4 kB
        Dzmitry Shaparau

          Activity

          mika.koivisto Mika Koivisto added a comment -

          I just tried running the following code under our test-pacl-portlet that's running under security manager and it worked fine.

          			javax.crypto.spec.SecretKeySpec keySpec =
          				new javax.crypto.spec.SecretKeySpec(
          					"test".getBytes(),
          					"HmacSHA1");
          
          			javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
          
          			mac.init(keySpec);
          			mac.doFinal("Hello".getBytes());
          
          shaparau Dzmitry Shaparau (Inactive) added a comment -

          I attached a very simple plugin which simulates the error. It provides a very simple Authenticator which just invokes Mac.getInstance
          Steps to reproduce:
          1. Unpack a clean copy of LR(Tomcat) 6.1.1 ga2
          2. Start LR and deploy sample-auth-hook
          3. Restart the server
          4. Try to login with any user

          mika.koivisto Mika Koivisto added a comment -

          Thanks Dzmitry, your hook really helped. It seems if some other plugin without security manager already initializes the crypto classes you won't get any security exceptions in the plugin that has security manager enabled.

          brian.chan Brian Chan added a comment -

          See comments https://github.com/brianchandotcom/liferay-portal/pull/7743

          mika.koivisto Mika Koivisto added a comment -

          Added pre initialization as global startup action so that most basic operations work without declaring them explicitly.
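
The pre-initialization described in the comment above, sketched as an added example (not Liferay's code and not part of the original thread): a hypothetical `CryptoWarmUp` class that trusted startup code runs once, before any PACL-restricted plugin is deployed. It calls `init` and `doFinal` as well as `getInstance`, because `Mac` and `Cipher` defer provider selection until `init`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical startup hook (assumed name, not a Liferay class): run from
// trusted portal code before any sandboxed plugin touches the JCA.
public class CryptoWarmUp {

    // MAC algorithms named in this issue; AES is handled separately below.
    private static final String[] MACS = {"HmacSHA1", "HmacMD5"};

    /** Returns algorithm -> name of the provider that served it, or the error. */
    public static Map<String, String> warmUp() {
        Map<String, String> served = new LinkedHashMap<>();
        byte[] data = "warm-up".getBytes(StandardCharsets.UTF_8);

        for (String alg : MACS) {
            try {
                // Throwaway key and input: the result is discarded, only
                // provider registration and class loading matter here.
                Mac mac = Mac.getInstance(alg);
                mac.init(new SecretKeySpec(data, alg));
                mac.doFinal(data);
                served.put(alg, mac.getProvider().getName());
            } catch (GeneralSecurityException e) {
                served.put(alg, "FAILED: " + e);
            }
        }
        try {
            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
            keyGen.init(128);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, keyGen.generateKey());
            cipher.doFinal(data);
            served.put("AES", cipher.getProvider().getName());
        } catch (GeneralSecurityException e) {
            served.put("AES", "FAILED: " + e);
        }
        return served;
    }

    public static void main(String[] args) {
        warmUp().forEach((alg, name) -> System.out.println(alg + " -> " + name));
    }
}
```

Logging the returned map at startup records which provider served each algorithm, so a failed warm-up is visible before a restricted plugin hits the same code path.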

          mika.koivisto Mika Koivisto added a comment -

          Will submit a new pr with fix for Windows.

          mika.koivisto Mika Koivisto added a comment -

          Steps to reproduce with test-pacl-portlet

          1. Login
          2. Deploy test-pacl-portlet and its dependencies
          3. Add test-pacl-portlet to a page
          4. Logout
          5. Restart server
          6. View page with test-pacl-portlet and you should see AES Encrypt and HMacMD5 tests fail

          he.song Serena Song (Inactive) added a comment -

          PASSED Manual Testing using the following steps:

          1. Start up Liferay.
          2. Navigate to ..\portlets\test-pacl-portlet\docroot.
          3. Open view.jsp file and add the following code to it.
            <% Mac mac = Mac.getInstance("HMACSHA1"); %>
          4. Deploy test-pacl-portlet and its dependencies
          5. Add test-pacl-portlet to a page
          6. Logout
          7. Restart server

          Reproduced on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9163c531df1cb05b668a98413410989f1f231d25.
          Plugin 6.1.x EE GIT ID: 0ff0a9ee0a616727d2a42edb8811a3ed41a336c1.

          It will throw an exception.

          Fixed on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: e782c1ebc63271a45ab85125a0cad0e1ce0c01ef.
          Plugin 6.1.x EE GIT ID: 570a3cc499c4c1fc6eeaaaf277af9d1bd2840347.
          Tomcat 7.0 + MySQL 5. Portal 6.2.x EE GIT ID: f5b69feabc821668b41e3b251fb2a14674a2da56.
          Plugin 6.2.x EE GIT ID: 325f0c27c7f18fea7c4132161cd9ffdaf87fd699.

          No exception occurs.

