As a Liferay Marketplace Developer, it should be less time consuming and less error prone to identify and declare necessary PACL declarations

Raymond Auge added a comment - 09/Jan/13 1:17 PM - edited Here is the proposed workflow based on an early implementation of a PACL Policy Generation tool: place the plugin into generate mode: security-manager-enabled=generate with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks) however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failuer will contribute a suggested rule which resolves the failed check the rules will be collected and writen (on the fly) to a properties file the default write location is: ${liferay.home}/pacl-policy/${servletContextName}.policy the following section was not implemented if the developer specifies the property security-manager-generator-dir=/home/user/paclfoo then the generated policy file will be writen to that path, e.g.: /home/user/paclfoo/${servletContextName}.policy new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin once the app is completely tested, and all policy rules writen to the generated policy file the developer should copy those and merged them with the liferay-plugin-package.properties file in the originating plugin revert the property security-manager-enabled=generate to security-manager-enabled= true submit the plugin

Raymond Auge added a comment - 09/Jan/13 1:18 PM What follows is the policy generated for the sample-service-builder-portlet: security-manager-expando-bridge=\ com.liferay.sampleservicebuilder.model.Foo security-manager-files-read=\ ./service-ext.properties,\ /home/rotty/global-configuration.properties,\ /home/rotty/service-ext.properties,\ global-configuration.properties security-manager-get-bean-property=\ com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ com.liferay.portal.kernel.util.PropsUtil,\ com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ com.liferay.portal.util.PortalUtil,\ com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil security-manager-services[portal]=\ com.liferay.counter.service.CounterLocalService#increment,\ com.liferay.portal.service.GroupLocalService#getGroup,\ com.liferay.portal.service.LayoutLocalService#getLayout,\ com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ com.liferay.portal.service.ResourceLocalService#addResources,\ com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ com.liferay.portal.service.UserLocalService#getUserById,\ com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting security-manager-sql-tables-insert=\ AssetEntries_AssetTags,\ AssetTag,\ AssetTagStats,\ ResourcePermission security-manager-sql-tables-select=\ AssetEntries_AssetTags,\ AssetEntry,\ AssetTag,\ AssetTagStats,\ ResourcePermission,\ SSB_Foo security-manager-sql-tables-update=\ AssetEntry,\ AssetTag,\ AssetTagStats,\ SSB_Foo

Raymond Auge added a comment - 09/Jan/13 1:21 PM One caveat is that generated file system paths will be system dependent and will have to be made system indepented by the developer using the variety of variables available (see listing here: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90 )

Raymond Auge added a comment - 10/May/13 1:55 PM The security-manager-generator-dir= property was not implemented in the final version.