PUBLIC - Liferay Portal Community Edition
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-32200

As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations

        Details

        • Technical Documentation Required:
          Needs Documentation
        • Epic/Theme:
        • Similar Issues:
          Show 5 results 

          Description

          When developing apps for Liferay's Marketplace, the official docs describe a process like this:

          1. Develop app with PACL turned off
          2. Turn PACL on
          3. Run app, find a PACL error.
          4. Try to figure out which PACL stanza will get you past the error. Add it to your liferay-plugin-package.properties
          5. Re-deploy app
          6. Return to step 3 until no more errors

          This is very time consuming and error-prone. As a developer, I'd rather have a way for Liferay to tell me which PACL declarations I need, rather than me doing all the legwork.

          See the numerous issues with fleshing out PACL declarations here:

          http://www.liferay.com/forums/-/message_boards/message/17489093/maximized
          http://www.liferay.com/forums/-/message_boards/message/17329080/maximized
          ... and others here: http://www.liferay.com/forums/-/message_boards/category/10919228/maximized

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            Raymond Auge added a comment - - edited

            Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool:

            1. place the plugin into generate mode: 
               
		security-manager-enabled=generate
            2. with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)
            3. however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check
            4. the rules will be collected and writen (on the fly) to a properties file
            5. the default write location is: 
              		${liferay.home}/pacl-policy/${servletContextName}.policy
            1. the following section was not implemented
              1. if the developer specifies the property 
                		security-manager-generator-dir=/home/user/paclfoo

                then the generated policy file will be writen to that path, e.g.:

                		/home/user/paclfoo/${servletContextName}.policy
            1. new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin
            2. once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin
            3. revert the property 
              		security-manager-enabled=generate

              to

              	
		security-manager-enabled=true
            4. submit the plugin
            Show
            Raymond Auge added a comment - - edited Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool: place the plugin into generate mode: security-manager-enabled=generate with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks) however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check the rules will be collected and writen (on the fly) to a properties file the default write location is: ${liferay.home}/pacl-policy/${servletContextName}.policy the following section was not implemented if the developer specifies the property security-manager-generator-dir=/home/user/paclfoo then the generated policy file will be writen to that path, e.g.: /home/user/paclfoo/${servletContextName}.policy new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin revert the property security-manager-enabled=generate to security-manager-enabled= true submit the plugin
            Hide
            Permalink
            Raymond Auge added a comment -

            What follows is the policy generated for the sample-service-builder-portlet:

            security-manager-expando-bridge=\
    com.liferay.sampleservicebuilder.model.Foo

security-manager-files-read=\
    ./service-ext.properties,\
    /home/rotty/global-configuration.properties,\
    /home/rotty/service-ext.properties,\
    global-configuration.properties

security-manager-get-bean-property=\
    com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
    com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
    com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\
    com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\
    com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\
    com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\
    com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\
    com.liferay.portal.kernel.util.PropsUtil,\
    com.liferay.portal.kernel.uuid.PortalUUIDUtil,\
    com.liferay.portal.util.PortalUtil,\
    com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil

security-manager-services[portal]=\
    com.liferay.counter.service.CounterLocalService#increment,\
    com.liferay.portal.service.GroupLocalService#getGroup,\
    com.liferay.portal.service.LayoutLocalService#getLayout,\
    com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\
    com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\
    com.liferay.portal.service.ResourceBlockLocalService#isSupported,\
    com.liferay.portal.service.ResourceLocalService#addResources,\
    com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\
    com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\
    com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\
    com.liferay.portal.service.UserLocalService#getUserById,\
    com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\
    com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\
    com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\
    com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\
    com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\
    com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\
    com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\
    com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\
    com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\
    com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\
    com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\
    com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting

security-manager-sql-tables-insert=\
    AssetEntries_AssetTags,\
    AssetTag,\
    AssetTagStats,\
    ResourcePermission

security-manager-sql-tables-select=\
    AssetEntries_AssetTags,\
    AssetEntry,\
    AssetTag,\
    AssetTagStats,\
    ResourcePermission,\
    SSB_Foo

security-manager-sql-tables-update=\
    AssetEntry,\
    AssetTag,\
    AssetTagStats,\
    SSB_Foo
            Show
            Raymond Auge added a comment - What follows is the policy generated for the sample-service-builder-portlet: security-manager-expando-bridge=\ com.liferay.sampleservicebuilder.model.Foo security-manager-files-read=\ ./service-ext.properties,\ /home/rotty/global-configuration.properties,\ /home/rotty/service-ext.properties,\ global-configuration.properties security-manager-get-bean-property=\ com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ com.liferay.portal.kernel.util.PropsUtil,\ com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ com.liferay.portal.util.PortalUtil,\ com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil security-manager-services[portal]=\ com.liferay.counter.service.CounterLocalService#increment,\ com.liferay.portal.service.GroupLocalService#getGroup,\ com.liferay.portal.service.LayoutLocalService#getLayout,\ com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ com.liferay.portal.service.ResourceLocalService#addResources,\ com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ com.liferay.portal.service.UserLocalService#getUserById,\ com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting security-manager-sql-tables-insert=\ AssetEntries_AssetTags,\ AssetTag,\ AssetTagStats,\ ResourcePermission security-manager-sql-tables-select=\ AssetEntries_AssetTags,\ AssetEntry,\ AssetTag,\ AssetTagStats,\ ResourcePermission,\ SSB_Foo security-manager-sql-tables-update=\ AssetEntry,\ AssetTag,\ AssetTagStats,\ SSB_Foo
            Hide
            Permalink
            Raymond Auge added a comment -

            One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

            Show
            Raymond Auge added a comment - One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )
            Hide
            Permalink
            Raymond Auge added a comment -

            The security-manager-generator-dir= property was not implemented in the final version.

            Show
            Raymond Auge added a comment - The security-manager-generator-dir= property was not implemented in the final version.

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Development

                    Structure Helper Panel