Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-33047

PACL - As a developer I would like reasonable java operations such as classloading, reflection, native library access within libraries I include to not prevent me from developing plugins for the marketplace

    Details

      Description

      There are a great number of issues currently in developing plugins for the marketplace (which require PACL to be enabled).

      One only needs to browse http://www.liferay.com/community/forums/-/message_boards/category/10919228 to find multiple issues, mostly related to perfectly normal and acceptable java operations.

        Issue Links

        1.
        PACL - Rename PACLClassLoaderUtil to ClassLoaderUtil to begin uncluttering the portal of PACL naming Technical Task Closed Justin Choi  
         
        2.
        PACL - java.security.Policy based PACL implementation (a.k.a. PACLv2) Technical Task Closed Justin Choi  
         
        3.
        PACL - Centralize initialization of PACL into a private SecurityManagerUtil class Technical Task Closed Justin Choi  
         
        4.
        PACL - Use new SecurityManagerUtil and initialize as early as possible Technical Task Closed Justin Choi  
         
        5.
        PACL- Initialize the new java.security.Policy Technical Task Closed Justin Choi  
         
        6.
        PACL - Convert to boolean implies API method to match j.s.Policy Technical Task Closed Justin Choi  
         
        7.
        PACL - Implement a bean post processor which will process @DoPrivileged annotations Technical Task Closed Justin Choi  
         
        8.
        PACL - It's nessecary to initialize the portal security manager impl from the beginning in all cases Technical Task Closed Justin Choi  
         
        9.
        PACL - private interfaces to support proxies Technical Task Closed Justin Choi  
         
        10.
        PACL - Apply interfaces everywhere a cast to the impl exists Technical Task Closed Justin Choi  
         
        11.
        PACL - Private interface so that core code can unwrap privileged beans if needed Technical Task Closed Justin Choi  
         
        12.
        PACL - Move PACL specific classes into the pacl package Technical Task Closed Justin Choi  
         
        13.
        PACL - Algorithm for handling permission checks on accessibility changes in local code Technical Task Closed Justin Choi  
         
        14.
        PACL - AWTPermission support (richfaces uses AWT for image processing) Technical Task Closed Justin Choi  
         
        15.
        PACL - Document environment variable security property Technical Task Closed Justin Choi  
         
        16.
        PACL - deprecate PACLBeanHandler Technical Task Closed Brian Chan  
         
        17.
        PACL - deprecate CheckMemberAccessPermission Technical Task Closed Brian Chan  
         
        18.
        PACL - deprecate BaseReflectChecker Technical Task Closed Justin Choi  
         
        19.
        PACL - deprecate PACLTemplateWrapper Technical Task Closed Justin Choi  
         
        20.
        PACL - deprecate PACLAdvice Technical Task Closed Justin Choi  
         
        21.
        PACL - deprecate PACLClassUtil Technical Task Closed Justin Choi  
         
        22.
        PACL - rename inner PACLPortalLifecycle class Technical Task Closed Justin Choi  
         
        23.
        PACL - eliminate most occurences of PortalSecurityManagerThreadLocal Technical Task Closed Justin Choi  
         
        24.
        PACL - centralize and localize HookHotDeployListener security checks Technical Task Closed Justin Choi  
         
        25.
        PACL - remove uses of CheckerUtil.isAccessControllerDoPrivileged() Technical Task Closed Justin Choi  
         
        26.
        PACL - add method to get the policy on PortalSecurityManager interface Technical Task Closed Justin Choi  
         
        27.
        PACL - remove unused PACLPolicy.hasPortalService method Technical Task Closed Justin Choi  
         
        28.
        PACL - add missing getter to LogFactoryUtil - needed for pacl security Technical Task Closed Justin Choi  
         
        29.
        PACL - remove hard coded classnames from RuntimeChecker Technical Task Closed Justin Choi  
         
        30.
        PACL - unwrap HttpImpl if it's wrapped by DoPrivilegedBean Technical Task Closed Justin Choi  
         
        31.
        PACL - prevent a circularity error in CentralizedThreadLocal Technical Task Closed Justin Choi  
         
        32.
        PACL - add missing permission checks to ExpandoBridgeFactoryUtil Technical Task Closed Justin Choi  
         
        33.
        PACL - centralize getClassLoader permission check, make sure it doesn't break any native JVM checks Technical Task Closed Justin Choi  
         
        34.
        PACL - remove unused interface from InfrastructureUtil Technical Task Closed Justin Choi  
         
        35.
        PACL - add missing socket permission checks to HttpUtil Technical Task Closed Justin Choi  
         
        36.
        PACL - add missing permission checks to FileUtil Technical Task Closed Justin Choi  
         
        37.
        PACL - prevent FileAvailabilityUtil from causing an unnecessary FilePermission check Technical Task Closed Justin Choi  
         
        38.
        PACL - centralize PortalMessageBusPermission checking Technical Task Closed Justin Choi  
         
        39.
        PACL - centralize ThreadPoolExecutor checking Technical Task Closed Justin Choi  
         
        40.
        PACL - centralize DynamicQuery check Technical Task Closed Justin Choi  
         
        41.
        PACL - centralize the Service checks Technical Task Closed Justin Choi  
         
        42.
        PACL - implement security checks for PortletBagPool Technical Task Closed Justin Choi  
         
        43.
        PACL - implement cross-plugin security checks for BeanLocator Technical Task Closed Justin Choi  
         
        44.
        PACL - centralize PortalHookPermission checking Technical Task Closed Justin Choi  
         
        45.
        PACL - remove unused code from SecurityManagerUtil Technical Task Closed Justin Choi  
         
        46.
        PACL - remove remaining uses of PortalSecurityManagerThreadLocal in favour of access controllers Technical Task Closed Justin Choi  
         
        47.
        PACL - fast way to get the current PACLPolicy Technical Task Closed Justin Choi  
         
        48.
        PACL - ensure accessibility checks still work on public members Technical Task Closed Justin Choi  
         
        49.
        PACL - always execute macro library templates in context of the portal Technical Task Closed Justin Choi  
         
        50.
        PACL - method of detecting privileged callers Technical Task Closed Justin Choi  
         
        51.
        PACL - method to account for differences between JVM implementations Technical Task Closed Brian Chan  
         
        52.
        PACL - method for deep Liferay bean class detection Technical Task Closed Justin Choi  
         
        53.
        PACL - method to dynamically wrap objects with a privileged handler Technical Task Closed Justin Choi  
         
        54.
        PACL - template API abstraction to separate of context creation from initialization of utilities Technical Task Closed Justin Choi  
         
        55.
        PACL - template API abstraction to allow invoking a template in the correct security context using the access controller pattern Technical Task Closed Justin Choi  
         
        56.
        PACL - force "compilation" of the template within the context of the portal Technical Task Closed Justin Choi  
         
        57.
        PACL - register trusted protection domains as early as possible Technical Task Closed Justin Choi  
         
        58.
        PACL - DLUtil - all context utils that delegate to the portal may fail permission check Technical Task Closed Justin Choi  
         
        59.
        PACL - implement trusted caller support for SecurityChecker Technical Task Closed Justin Choi  
         
        60.
        PACL - implement trusted caller support for RuntimeChecker Technical Task Closed Justin Choi  
         
        61.
        PACL - implement trusted caller support for ReflectChecker Technical Task Closed Justin Choi  
         
        62.
        PACL - implement trusted caller support for PortalServiceChecker Technical Task Closed Justin Choi  
         
        63.
        PACL - implement trusted caller support for NetChecker Technical Task Closed Justin Choi  
         
        64.
        PACL - improve the performance of DoPrivilegedHandler Technical Task Closed Brian Chan  
         
        65.
        PACL - update the FileChecker with improved logic Technical Task Closed Justin Choi  
         
        66.
        PACL - implement trusted caller support for PortalRuntimeChecker Technical Task Closed Justin Choi  
         
        67.
        PACL - separate context classloader swaping from the PACL logic in DirectRequestDispatcherFactoryImpl Technical Task Closed Justin Choi  
         
        68.
        PACL - fix a small regression with the JSP compiler Technical Task Closed Justin Choi  
         
        69.
        PACL - fallback onto a locally instantiated, locally applicable java.security.Policy Technical Task Closed Justin Choi  
         
        70.
        PACL - fix identification of current JVM version Technical Task Closed Justin Choi  
         
        71.
        PACL - wrap objects with DoPrivileged proxy where appropriate Technical Task Closed Justin Choi  
         
        72.
        PACL - inject pacl into BeanLocatorImpl Technical Task Closed Justin Choi  
         
        73.
        PACL - add access controller to PACLRequestDispatcherWrapper Technical Task Closed Justin Choi  
         
        74.
        PACL - inject pacl into DataSourceFactoryImpl Technical Task Closed Justin Choi  
         
        75.
        PACL - inject pacl into HotDeployImpl Technical Task Closed Justin Choi  
         
        76.
        PACL - inject pacl into DirectRequestDispatcherFactoryImpl Technical Task Closed Justin Choi  
         
        77.
        PACL - inject pacl into TemplateContextHelper Technical Task Closed Justin Choi  
         
        78.
        PACL - inject pacl into PortalFilePermission Technical Task Closed Justin Choi  
         
        79.
        PACL - inject pacl into PortalHookPermission Technical Task Closed Justin Choi  
         
        80.
        PACL - inject pacl into PortalMessageBusPermission Technical Task Closed Justin Choi  
         
        81.
        PACL - the PortalMessageBusPermission only checks send Technical Task Closed Justin Choi  
         
        82.
        PACL - inject pacl into PortalRuntimePermission Technical Task Closed Justin Choi  
         
        83.
        PACL - inject pacl into PortalServicePermission Technical Task Closed Justin Choi  
         
        84.
        PACL - inject pacl into PortalSocketPermission Technical Task Closed Justin Choi  
         
        85.
        PACL - inject pacl into PortletApplicationContext Technical Task Closed Justin Choi  
         
        86.
        PACL - inject pacl into ServiceBeanAopProxy Technical Task Closed Justin Choi  
         
        87.
        PACL - pre-initialize classes Technical Task Closed Justin Choi  
         
        88.
        PACL - util-taglib should not be changing context classLoader Technical Task Closed Brian Chan  
         
        89.
        PACL - auto proxy finder and persistence when PACL is enabled Technical Task Closed Justin Choi  
         
        90.
        PACL - allow service builder plugins to unregister their MBeans Technical Task Closed Justin Choi  
         
        91.
        PACL - create a test suite for testing PACL Technical Task Closed Justin Choi  
         
        92.
        PACL - SQL tests Technical Task Closed Justin Choi  
         
        93.
        PACL - when calling the portal's BeanLocator the servletContextName is null Technical Task Closed Justin Choi  
         
        94.
        PACL - when we create PACLInitialContextFactoryBuilder we block the JVM from performing scheme based JNDI lookups Technical Task Closed Justin Choi  
         
        95.
        PACL - remaining tests Technical Task Closed Justin Choi  
         
        96.
        PACL - getPackage on a java proxy returns null Technical Task Closed Justin Choi  
         
        97.
        PACL - make sure BeanLocator beans are properly wrapped (avoid wrapping in VelocityBeanHandler when not a velocity bean) Technical Task Closed Justin Choi  
         
        98.
        PACL - prevent deep cascading permission checks on getClassLoader Technical Task Closed Justin Choi  
         
        99.
        PACL - fix test-pacl-portlet (not including SQL) Technical Task Closed Justin Choi  
         
        100.
        PACL - fix BeanLocatorTest to account for the bean being wrapped rather than not returned (so that i behaves like it did originally) Technical Task Closed Justin Choi  
         
        101.
        PACL - don't wrap the bean if it's the portal asking for it Technical Task Closed Justin Choi  
         
        102.
        PACL - SQL security checks for indexes Technical Task Closed Justin Choi  
         
        103.
        PACL - JDK 5 compliance Technical Task Closed Raymond Auge  
         

          Activity

          Hide
          raymond.auge Raymond Auge added a comment -

          Pending the last couple of reviews by Brian, this work is complete.

          Show
          raymond.auge Raymond Auge added a comment - Pending the last couple of reviews by Brian, this work is complete.
          Hide
          justin.choi Justin Choi added a comment - - edited

          PASSED Manual Testing using the following steps:

          I. Deploying plugins built from Plugins SDK.
          Case 1: Zoe Health Care Theme
          1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true.
          2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
          3. Deploy Zoe Health Care dependencies: 1-3-1 layout, resource-importer-web, web-form-portlet, zoe-healthcare-theme.
          4. Create a site from the Zoe Healthcare Site Template.
          5. Verify that the site is created and that the site can be modified.
          6. Add a user.
          7. Sign in as the new user and verify each plugin and site display.

          II. Deploying plugins downloaded from Marketplace.
          Case 2: Kaleo & Kaleo Forms
          1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true.
          2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
          3. Go to the MP site and download the Kaleo and Kaleo Forms plugins.
          4. Install the plugins.
          5. Go to > Control Panel > Plugins Security Manager
          6. Verify that the plugins are available on the Control Panel and Portal.

          III. Generate a new policy
          Case 3: Youtube
          1. In the liferay-plugins-package file for Youtube-portlet, set the property security-manager-enabled= is set to generate.
          2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl.
          3. Verify the portlet deploys.

          IV: Portlets on the Portal:
          1. Deploy PACL dependencies.
          2. Add Asset Publisher to the page.
          3. Add the Calendar portlet to the page.
          4. Using the asset publisher, add content.
          5. Using the calendar portlet, add several events - stand alone, all day, repeating events, etc.

          Fixed on:
          Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 83bd5bbef891721ae6731eec04be85c1fdda22ea. Plugins 6.1.x EE GIT ID: d054c7d96b7c4b3d5c61bb45062175e10e4adda5.
          Tomcat 7.0 + MySQL 5. JDK7. Portal 6.2.x GIT ID: 92ef0b20a4cac103e36ead81f954665b1a6668d0. Plugins 6.2.x GIT ID: e10ff02e4775d30760513327186c90fcd86f78f5.

          Show
          justin.choi Justin Choi added a comment - - edited PASSED Manual Testing using the following steps: I. Deploying plugins built from Plugins SDK. Case 1: Zoe Health Care Theme 1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true. 2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl. 3. Deploy Zoe Health Care dependencies: 1-3-1 layout, resource-importer-web, web-form-portlet, zoe-healthcare-theme. 4. Create a site from the Zoe Healthcare Site Template. 5. Verify that the site is created and that the site can be modified. 6. Add a user. 7. Sign in as the new user and verify each plugin and site display. II. Deploying plugins downloaded from Marketplace. Case 2: Kaleo & Kaleo Forms 1. In the liferay-plugins-package file, make sure the property security-manager-enabled= is set to true. 2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl. 3. Go to the MP site and download the Kaleo and Kaleo Forms plugins. 4. Install the plugins. 5. Go to > Control Panel > Plugins Security Manager 6. Verify that the plugins are available on the Control Panel and Portal. III. Generate a new policy Case 3: Youtube 1. In the liferay-plugins-package file for Youtube-portlet, set the property security-manager-enabled= is set to generate . 2. Deploy PACL dependencies: chat, flash, sample-service-builder, and test-pacl. 3. Verify the portlet deploys. IV: Portlets on the Portal: 1. Deploy PACL dependencies. 2. Add Asset Publisher to the page. 3. Add the Calendar portlet to the page. 4. Using the asset publisher, add content. 5. Using the calendar portlet, add several events - stand alone, all day, repeating events, etc. Fixed on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 83bd5bbef891721ae6731eec04be85c1fdda22ea. Plugins 6.1.x EE GIT ID: d054c7d96b7c4b3d5c61bb45062175e10e4adda5. Tomcat 7.0 + MySQL 5. JDK7. Portal 6.2.x GIT ID: 92ef0b20a4cac103e36ead81f954665b1a6668d0. Plugins 6.2.x GIT ID: e10ff02e4775d30760513327186c90fcd86f78f5.
          Hide
          tomas.polesovsky Tomas Polesovsky added a comment -

          Categorizing into security epic

          Show
          tomas.polesovsky Tomas Polesovsky added a comment - Categorizing into security epic

            People

            • Votes:
              3 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development

                  Subcomponents