PUBLIC - Liferay Portal Community Edition
LPS-33047

PACL - As a developer I would like reasonable Java operations such as classloading, reflection, and native library access within libraries I include to not prevent me from developing plugins for the marketplace


      Description

      There are a great number of issues currently in developing plugins for the marketplace (which require PACL to be enabled).

      One only needs to browse http://www.liferay.com/community/forums/-/message_boards/category/10919228 to find multiple issues, mostly related to perfectly normal and acceptable Java operations.

      1. PACL - Rename PACLClassLoaderUtil to ClassLoaderUtil to begin uncluttering the portal of PACL naming | Technical Task | Closed | Justin Choi
      2. PACL - java.security.Policy based PACL implementation (a.k.a. PACLv2) | Technical Task | Closed | Justin Choi
      3. PACL - Centralize initialization of PACL into a private SecurityManagerUtil class | Technical Task | Closed | Justin Choi
      4. PACL - Use new SecurityManagerUtil and initialize as early as possible | Technical Task | Closed | Justin Choi
      5. PACL - Initialize the new java.security.Policy | Technical Task | Closed | Justin Choi
      6. PACL - Convert to boolean implies API method to match j.s.Policy | Technical Task | Closed | Justin Choi
      7. PACL - Implement a bean post processor which will process @DoPrivileged annotations | Technical Task | Closed | Justin Choi
      8. PACL - It's necessary to initialize the portal security manager impl from the beginning in all cases | Technical Task | Closed | Justin Choi
      9. PACL - private interfaces to support proxies | Technical Task | Closed | Justin Choi
      10. PACL - Apply interfaces everywhere a cast to the impl exists | Technical Task | Closed | Justin Choi
      11. PACL - Private interface so that core code can unwrap privileged beans if needed | Technical Task | Closed | Justin Choi
      12. PACL - Move PACL specific classes into the pacl package | Technical Task | Closed | Justin Choi
      13. PACL - Algorithm for handling permission checks on accessibility changes in local code | Technical Task | Closed | Justin Choi
      14. PACL - AWTPermission support (richfaces uses AWT for image processing) | Technical Task | Closed | Justin Choi
      15. PACL - Document environment variable security property | Technical Task | Closed | Justin Choi
      16. PACL - deprecate PACLBeanHandler | Technical Task | Closed | Brian Chan
      17. PACL - deprecate CheckMemberAccessPermission | Technical Task | Closed | Brian Chan
      18. PACL - deprecate BaseReflectChecker | Technical Task | Closed | Justin Choi
      19. PACL - deprecate PACLTemplateWrapper | Technical Task | Closed | Justin Choi
      20. PACL - deprecate PACLAdvice | Technical Task | Closed | Justin Choi
      21. PACL - deprecate PACLClassUtil | Technical Task | Closed | Justin Choi
      22. PACL - rename inner PACLPortalLifecycle class | Technical Task | Closed | Justin Choi
      23. PACL - eliminate most occurrences of PortalSecurityManagerThreadLocal | Technical Task | Closed | Justin Choi
      24. PACL - centralize and localize HookHotDeployListener security checks | Technical Task | Closed | Justin Choi
      25. PACL - remove uses of CheckerUtil.isAccessControllerDoPrivileged() | Technical Task | Closed | Justin Choi
      26. PACL - add method to get the policy on PortalSecurityManager interface | Technical Task | Closed | Justin Choi
      27. PACL - remove unused PACLPolicy.hasPortalService method | Technical Task | Closed | Justin Choi
      28. PACL - add missing getter to LogFactoryUtil - needed for pacl security | Technical Task | Closed | Justin Choi
      29. PACL - remove hard coded classnames from RuntimeChecker | Technical Task | Closed | Justin Choi
      30. PACL - unwrap HttpImpl if it's wrapped by DoPrivilegedBean | Technical Task | Closed | Justin Choi
      31. PACL - prevent a circularity error in CentralizedThreadLocal | Technical Task | Closed | Justin Choi
      32. PACL - add missing permission checks to ExpandoBridgeFactoryUtil | Technical Task | Closed | Justin Choi
      33. PACL - centralize getClassLoader permission check, make sure it doesn't break any native JVM checks | Technical Task | Closed | Justin Choi
      34. PACL - remove unused interface from InfrastructureUtil | Technical Task | Closed | Justin Choi
      35. PACL - add missing socket permission checks to HttpUtil | Technical Task | Closed | Justin Choi
      36. PACL - add missing permission checks to FileUtil | Technical Task | Closed | Justin Choi
      37. PACL - prevent FileAvailabilityUtil from causing an unnecessary FilePermission check | Technical Task | Closed | Justin Choi
      38. PACL - centralize PortalMessageBusPermission checking | Technical Task | Closed | Justin Choi
      39. PACL - centralize ThreadPoolExecutor checking | Technical Task | Closed | Justin Choi
      40. PACL - centralize DynamicQuery check | Technical Task | Closed | Justin Choi
      41. PACL - centralize the Service checks | Technical Task | Closed | Justin Choi
      42. PACL - implement security checks for PortletBagPool | Technical Task | Closed | Justin Choi
      43. PACL - implement cross-plugin security checks for BeanLocator | Technical Task | Closed | Justin Choi
      44. PACL - centralize PortalHookPermission checking | Technical Task | Closed | Justin Choi
      45. PACL - remove unused code from SecurityManagerUtil | Technical Task | Closed | Justin Choi
      46. PACL - remove remaining uses of PortalSecurityManagerThreadLocal in favour of access controllers | Technical Task | Closed | Justin Choi
      47. PACL - fast way to get the current PACLPolicy | Technical Task | Closed | Justin Choi
      48. PACL - ensure accessibility checks still work on public members | Technical Task | Closed | Justin Choi
      49. PACL - always execute macro library templates in context of the portal | Technical Task | Closed | Justin Choi
      50. PACL - method of detecting privileged callers | Technical Task | Closed | Justin Choi
      51. PACL - method to account for differences between JVM implementations | Technical Task | Closed | Brian Chan
      52. PACL - method for deep Liferay bean class detection | Technical Task | Closed | Justin Choi
      53. PACL - method to dynamically wrap objects with a privileged handler | Technical Task | Closed | Justin Choi
      54. PACL - template API abstraction to separate of context creation from initialization of utilities | Technical Task | Closed | Justin Choi
      55. PACL - template API abstraction to allow invoking a template in the correct security context using the access controller pattern | Technical Task | Closed | Justin Choi
      56. PACL - force "compilation" of the template within the context of the portal | Technical Task | Closed | Justin Choi
      57. PACL - register trusted protection domains as early as possible | Technical Task | Closed | Justin Choi
      58. PACL - DLUtil - all context utils that delegate to the portal may fail permission check | Technical Task | Closed | Justin Choi
      59. PACL - implement trusted caller support for SecurityChecker | Technical Task | Closed | Justin Choi
      60. PACL - implement trusted caller support for RuntimeChecker | Technical Task | Closed | Justin Choi
      61. PACL - implement trusted caller support for ReflectChecker | Technical Task | Closed | Justin Choi
      62. PACL - implement trusted caller support for PortalServiceChecker | Technical Task | Closed | Justin Choi
      63. PACL - implement trusted caller support for NetChecker | Technical Task | Closed | Justin Choi
      64. PACL - improve the performance of DoPrivilegedHandler | Technical Task | Closed | Brian Chan
      65. PACL - update the FileChecker with improved logic | Technical Task | Closed | Justin Choi
      66. PACL - implement trusted caller support for PortalRuntimeChecker | Technical Task | Closed | Justin Choi
      67. PACL - separate context classloader swapping from the PACL logic in DirectRequestDispatcherFactoryImpl | Technical Task | Closed | Justin Choi
      68. PACL - fix a small regression with the JSP compiler | Technical Task | Closed | Justin Choi
      69. PACL - fallback onto a locally instantiated, locally applicable java.security.Policy | Technical Task | Closed | Justin Choi
      70. PACL - fix identification of current JVM version | Technical Task | Closed | Justin Choi
      71. PACL - wrap objects with DoPrivileged proxy where appropriate | Technical Task | Closed | Justin Choi
      72. PACL - inject pacl into BeanLocatorImpl | Technical Task | Closed | Justin Choi
      73. PACL - add access controller to PACLRequestDispatcherWrapper | Technical Task | Closed | Justin Choi
      74. PACL - inject pacl into DataSourceFactoryImpl | Technical Task | Closed | Justin Choi
      75. PACL - inject pacl into HotDeployImpl | Technical Task | Closed | Justin Choi
      76. PACL - inject pacl into DirectRequestDispatcherFactoryImpl | Technical Task | Closed | Justin Choi
      77. PACL - inject pacl into TemplateContextHelper | Technical Task | Closed | Justin Choi
      78. PACL - inject pacl into PortalFilePermission | Technical Task | Closed | Justin Choi
      79. PACL - inject pacl into PortalHookPermission | Technical Task | Closed | Justin Choi
      80. PACL - inject pacl into PortalMessageBusPermission | Technical Task | Closed | Justin Choi
      81. PACL - the PortalMessageBusPermission only checks send | Technical Task | Closed | Justin Choi
      82. PACL - inject pacl into PortalRuntimePermission | Technical Task | Closed | Justin Choi
      83. PACL - inject pacl into PortalServicePermission | Technical Task | Closed | Justin Choi
      84. PACL - inject pacl into PortalSocketPermission | Technical Task | Closed | Justin Choi
      85. PACL - inject pacl into PortletApplicationContext | Technical Task | Closed | Justin Choi
      86. PACL - inject pacl into ServiceBeanAopProxy | Technical Task | Closed | Justin Choi
      87. PACL - pre-initialize classes | Technical Task | Closed | Justin Choi
      88. PACL - util-taglib should not be changing context classLoader | Technical Task | Closed | Brian Chan
      89. PACL - auto proxy finder and persistence when PACL is enabled | Technical Task | Closed | Justin Choi
      90. PACL - allow service builder plugins to unregister their MBeans | Technical Task | Closed | Justin Choi
      91. PACL - create a test suite for testing PACL | Technical Task | Closed | Justin Choi
      92. PACL - SQL tests | Technical Task | Closed | Justin Choi
      93. PACL - when calling the portal's BeanLocator the servletContextName is null | Technical Task | Closed | Justin Choi
      94. PACL - when we create PACLInitialContextFactoryBuilder we block the JVM from performing scheme based JNDI lookups | Technical Task | Closed | Justin Choi
      95. PACL - remaining tests | Technical Task | Closed | Justin Choi
      96. PACL - getPackage on a java proxy returns null | Technical Task | Closed | Justin Choi
      97. PACL - make sure BeanLocator beans are properly wrapped (avoid wrapping in VelocityBeanHandler when not a velocity bean) | Technical Task | Closed | Justin Choi
      98. PACL - prevent deep cascading permission checks on getClassLoader | Technical Task | Closed | Justin Choi
      99. PACL - fix test-pacl-portlet (not including SQL) | Technical Task | Closed | Justin Choi
      100. PACL - fix BeanLocatorTest to account for the bean being wrapped rather than not returned (so that it behaves like it did originally) | Technical Task | Closed | Justin Choi
      101. PACL - don't wrap the bean if it's the portal asking for it | Technical Task | Closed | Justin Choi
      102. PACL - SQL security checks for indexes | Technical Task | Closed | Justin Choi
      103. PACL - JDK 5 compliance | Technical Task | Closed | Raymond Auge
       

        Activity

        Raymond Auge added a comment -

        Pending the last couple of reviews by Brian, this work is complete.

        Justin Choi added a comment - - edited

        PASSED Manual Testing using the following steps:

        I. Deploying plugins built from Plugins SDK.
        Case 1: Zoe Health Care Theme
        1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true.
        2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
        3. Deploy Zoe Health Care dependencies: 1-3-1 layout, resource-importer-web, web-form-portlet, zoe-healthcare-theme.
        4. Create a site from the Zoe Healthcare Site Template.
        5. Verify that the site is created and that the site can be modified.
        6. Add a user.
        7. Sign in as the new user and verify each plugin and site display.

        II. Deploying plugins downloaded from Marketplace.
        Case 2: Kaleo & Kaleo Forms
        1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true.
        2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
        3. Go to the MP site and download the Kaleo and Kaleo Forms plugins.
        4. Install the plugins.
        5. Go to > Control Panel > Plugins Security Manager
        6. Verify that the plugins are available on the Control Panel and Portal.

        III. Generate a new policy
        Case 3: Youtube
        1. In the liferay-plugins-package file for Youtube-portlet, set the property security-manager-enabled= to generate.
        2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
        3. Verify the portlet deploys.

        IV: Portlets on the Portal:
        1. Deploy PACL dependencies.
        2. Add Asset Publisher to the page.
        3. Add the Calendar portlet to the page.
        4. Using the asset publisher, add content.
        5. Using the calendar portlet, add several events - stand alone, all day, repeating events, etc.

        Fixed on:
        Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 83bd5bbef891721ae6731eec04be85c1fdda22ea. Plugins 6.1.x EE GIT ID: d054c7d96b7c4b3d5c61bb45062175e10e4adda5.
        Tomcat 7.0 + MySQL 5. JDK7. Portal 6.2.x GIT ID: 92ef0b20a4cac103e36ead81f954665b1a6668d0. Plugins 6.2.x GIT ID: e10ff02e4775d30760513327186c90fcd86f78f5.

        Tomas Polesovsky added a comment -

        Categorizing into security epic


          People

          • Votes: 3
          • Watchers: 16
