PUBLIC - Liferay Portal Community Edition
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-32200

As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations

    Details

    • Technical Documentation Required:
      Needs Documentation
    • Similar Issues:
      Show 5 results 

      Description

      When developing apps for Liferay's Marketplace, the official docs describe a process like this:

      1. Develop app with PACL turned off
      2. Turn PACL on
      3. Run app, find a PACL error.
      4. Try to figure out which PACL stanza will get you past the error. Add it to your liferay-plugin-package.properties
      5. Re-deploy app
      6. Return to step 3 until no more errors

      This is very time consuming and error-prone. As a developer, I'd rather have a way for Liferay to tell me which PACL declarations I need, rather than me doing all the legwork.

      See the numerous issues with fleshing out PACL declarations here:

      http://www.liferay.com/forums/-/message_boards/message/17489093/maximized
      http://www.liferay.com/forums/-/message_boards/message/17329080/maximized
      ... and others here: http://www.liferay.com/forums/-/message_boards/category/10919228/maximized

        Activity

        Hide
        Raymond Auge added a comment - - edited

        Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool:

        1. place the plugin into generate mode:
           
          		security-manager-enabled=generate
          
        2. with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)
        3. however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check
        4. the rules will be collected and writen (on the fly) to a properties file
        5. the default write location is:
          		${liferay.home}/pacl-policy/${servletContextName}.policy
          
        1. the following section was not implemented
          1. if the developer specifies the property
            		security-manager-generator-dir=/home/user/paclfoo
            

            then the generated policy file will be writen to that path, e.g.:

            		/home/user/paclfoo/${servletContextName}.policy
            
        1. new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin
        2. once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin
        3. revert the property
          		security-manager-enabled=generate
          

          to

          	
          		security-manager-enabled=true
          
        4. submit the plugin
        Show
        Raymond Auge added a comment - - edited Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool: place the plugin into generate mode: security-manager-enabled=generate with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks) however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check the rules will be collected and writen (on the fly) to a properties file the default write location is: ${liferay.home}/pacl-policy/${servletContextName}.policy the following section was not implemented if the developer specifies the property security-manager-generator-dir=/home/user/paclfoo then the generated policy file will be writen to that path, e.g.: /home/user/paclfoo/${servletContextName}.policy new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin revert the property security-manager-enabled=generate to security-manager-enabled= true submit the plugin
        Hide
        Raymond Auge added a comment -

        What follows is the policy generated for the sample-service-builder-portlet:

        security-manager-expando-bridge=\
            com.liferay.sampleservicebuilder.model.Foo
        
        security-manager-files-read=\
            ./service-ext.properties,\
            /home/rotty/global-configuration.properties,\
            /home/rotty/service-ext.properties,\
            global-configuration.properties
        
        security-manager-get-bean-property=\
            com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
            com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
            com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\
            com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\
            com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\
            com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\
            com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\
            com.liferay.portal.kernel.util.PropsUtil,\
            com.liferay.portal.kernel.uuid.PortalUUIDUtil,\
            com.liferay.portal.util.PortalUtil,\
            com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil
        
        security-manager-services[portal]=\
            com.liferay.counter.service.CounterLocalService#increment,\
            com.liferay.portal.service.GroupLocalService#getGroup,\
            com.liferay.portal.service.LayoutLocalService#getLayout,\
            com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\
            com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\
            com.liferay.portal.service.ResourceBlockLocalService#isSupported,\
            com.liferay.portal.service.ResourceLocalService#addResources,\
            com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\
            com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\
            com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\
            com.liferay.portal.service.UserLocalService#getUserById,\
            com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\
            com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\
            com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\
            com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\
            com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\
            com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\
            com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\
            com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\
            com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\
            com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\
            com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\
            com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting
        
        security-manager-sql-tables-insert=\
            AssetEntries_AssetTags,\
            AssetTag,\
            AssetTagStats,\
            ResourcePermission
        
        security-manager-sql-tables-select=\
            AssetEntries_AssetTags,\
            AssetEntry,\
            AssetTag,\
            AssetTagStats,\
            ResourcePermission,\
            SSB_Foo
        
        security-manager-sql-tables-update=\
            AssetEntry,\
            AssetTag,\
            AssetTagStats,\
            SSB_Foo
        
        Show
        Raymond Auge added a comment - What follows is the policy generated for the sample-service-builder-portlet: security-manager-expando-bridge=\ com.liferay.sampleservicebuilder.model.Foo security-manager-files-read=\ ./service-ext.properties,\ /home/rotty/global-configuration.properties,\ /home/rotty/service-ext.properties,\ global-configuration.properties security-manager-get-bean-property=\ com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ com.liferay.portal.kernel.util.PropsUtil,\ com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ com.liferay.portal.util.PortalUtil,\ com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil security-manager-services[portal]=\ com.liferay.counter.service.CounterLocalService#increment,\ com.liferay.portal.service.GroupLocalService#getGroup,\ com.liferay.portal.service.LayoutLocalService#getLayout,\ com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ com.liferay.portal.service.ResourceLocalService#addResources,\ com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ com.liferay.portal.service.UserLocalService#getUserById,\ com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting security-manager-sql-tables-insert=\ AssetEntries_AssetTags,\ AssetTag,\ AssetTagStats,\ ResourcePermission security-manager-sql-tables-select=\ AssetEntries_AssetTags,\ AssetEntry,\ AssetTag,\ AssetTagStats,\ ResourcePermission,\ SSB_Foo security-manager-sql-tables-update=\ AssetEntry,\ AssetTag,\ AssetTagStats,\ SSB_Foo
        Hide
        Raymond Auge added a comment -

        One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

        Show
        Raymond Auge added a comment - One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )
        Hide
        Raymond Auge added a comment -

        The security-manager-generator-dir= property was not implemented in the final version.

        Show
        Raymond Auge added a comment - The security-manager-generator-dir= property was not implemented in the final version.

          People

          • Votes:
            2 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development

                Subcomponents

                  Structure Helper Panel