Details

    • Branch Version/s:
      6.1.x
    • Backported to Branch:
      Committed

      Description

      I faced a problem with SecurityChecker and PACL.
      In my plugin I have the code:
      Mac mac = Mac.getInstance("HMACSHA1");

      If security manager is enabled it throws the exception:
      java.lang.SecurityException: Attempted to putProviderProperty.SUN on
      at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
      at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
      at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
      at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
      at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
      at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
      at java.security.Provider.check(Provider.java:386)
      at java.security.Provider.putAll(Provider.java:224)
      at sun.security.action.PutAllAction.run(PutAllAction.java:35)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.provider.Sun.<init>(Sun.java:254)
      at sun.security.util.ManifestEntryVerifier.setEntry(ManifestEntryVerifier.java:110)

      I looked into the code of SecurityChecker and found out that it can handle only permissions for getPolicy and setPolicy. In other cases it ALWAYS throws the security exception:
      public void checkPermission(Permission permission) {
          String name = permission.getName();

          if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
              if (!hasGetPolicy()) {
                  throwSecurityException(_log, "Attempted to get the policy");
              }
          }
          else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
              if (!hasSetPolicy()) {
                  throwSecurityException(_log, "Attempted to set the policy");
              }
          }
          else {
              if (_log.isDebugEnabled()) {
                  Thread.dumpStack();
              }

              throwSecurityException(
                  _log,
                  "Attempted to " + permission.getName() + " on " +
                      permission.getActions());
          }
      }

      So, it looks like there is no way to run such "trivial" code with the Security Manager enabled in LR. Did I miss anything?

        Activity

        Mika Koivisto added a comment -

        I just tried running the following code under our test-pacl-portlet that's running under security manager and it worked fine.

        			javax.crypto.spec.SecretKeySpec keySpec =
        				new javax.crypto.spec.SecretKeySpec(
        					"test".getBytes(),
        					"HmacSHA1");
        
        			javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
        
        			mac.init(keySpec);
        			mac.doFinal("Hello".getBytes());
        
        Dzmitry Shaparau added a comment -

        I attached a very simple plugin which simulates the error. It provides a very simple Authenticator which just invokes Mac.getInstance.
        Steps to reproduce:
        1. Unpack a clean copy of LR(Tomcat) 6.1.1 ga2
        2. Start LR and deploy sample-auth-hook
        3. Restart the server
        4. Try to login with any user

        Mika Koivisto added a comment -

        Thanks Dzmitry, your hook really helped. It seems if some other plugin without security manager already initializes the crypto classes you won't get any security exceptions in the plugin that has security manager enabled.

        Brian Chan added a comment -

        See comments https://github.com/brianchandotcom/liferay-portal/pull/7743

        Mika Koivisto added a comment -

        Added pre initialization as global startup action so that most basic operations work without declaring them explicitly.

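The pre-initialization described in the comment above could look like the following. This is an added example, not Liferay's actual fix: the class name `CryptoWarmUp` and its algorithm list are assumptions, and it only helps when called from trusted startup code that is not itself subject to the plugin security checks.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;

// Added example, not Liferay's code. Call once from trusted startup code,
// before any plugin runs under the security manager.
public class CryptoWarmUp {
    // Assumed list: algorithms named in this issue plus two common digests.
    private static final String[][] ALGORITHMS = {
        {"Mac", "HmacSHA1"}, {"Mac", "HmacMD5"}, {"Cipher", "AES"},
        {"MessageDigest", "SHA-1"}, {"MessageDigest", "MD5"}
    };

    // Returns "type/algorithm" -> provider name, or "FAILED: <reason>".
    public static Map<String, String> warmUp() {
        Map<String, String> report = new LinkedHashMap<String, String>();
        // Instantiate every installed provider and enumerate its services now,
        // in trusted context, not lazily on a sandboxed plugin's first call.
        for (Provider provider : Security.getProviders()) {
            provider.getServices();
        }
        for (String[] entry : ALGORITHMS) {
            String key = entry[0] + "/" + entry[1];
            try {
                Provider used;
                if (entry[0].equals("Mac")) {
                    used = Mac.getInstance(entry[1]).getProvider();
                } else if (entry[0].equals("Cipher")) {
                    used = Cipher.getInstance(entry[1]).getProvider();
                } else {
                    used = MessageDigest.getInstance(entry[1]).getProvider();
                }
                report.put(key, used.getName());
            } catch (Exception e) {
                // Record the failure; one missing algorithm must not stop startup.
                report.put(key, "FAILED: " + e);
            }
        }
        new SecureRandom().nextBytes(new byte[8]); // force SecureRandom setup
        return report;
    }

    public static void main(String[] args) {
        for (Map.Entry<String, String> e : warmUp().entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

Logging the returned map at startup shows which provider served each algorithm and flags any entry that could not be initialized.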
        Mika Koivisto added a comment -

        Will submit a new pr with fix for Windows.

        Mika Koivisto added a comment -

        Steps to reproduce with test-pacl-portlet

        1. Login
        2. Deploy test-pacl-portlet and its dependencies
        3. Add test-pacl-portlet to a page
        4. Logout
        5. Restart server
        6. View page with test-pacl-portlet and you should see AES Encrypt and HMacMD5 tests fail

        Serena Song (Inactive) added a comment -

        PASSED Manual Testing using the following steps:

        1. Start up Liferay.
        2. Navigate to ..\portlets\test-pacl-portlet\docroot.
        3. Open view.jsp file and add the following code to it.
          <% Mac mac = Mac.getInstance("HMACSHA1"); %>
        4. Deploy test-pacl-portlet and its dependencies
        5. Add test-pacl-portlet to a page
        6. Logout
        7. Restart server

        Reproduced on:
        Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9163c531df1cb05b668a98413410989f1f231d25.
        Plugin 6.1.x EE GIT ID: 0ff0a9ee0a616727d2a42edb8811a3ed41a336c1.

        It will throw an exception.

        Fixed on:
        Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: e782c1ebc63271a45ab85125a0cad0e1ce0c01ef.
        Plugin 6.1.x EE GIT ID: 570a3cc499c4c1fc6eeaaaf277af9d1bd2840347.
        Tomcat 7.0 + MySQL 5. Portal 6.2.x EE GIT ID: f5b69feabc821668b41e3b251fb2a14674a2da56.
        Plugin 6.2.x EE GIT ID: 325f0c27c7f18fea7c4132161cd9ffdaf87fd699.

        No exception occurs.
