Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-34863

PACL AccessControlException with Mojarra JSF portlets with @PostConstruct annotated managed-bean methods

    Details

      Description

      During PACL testing for the Liferay Faces demo portlets, we ran into a problem with portlets that have managed-beans with @PostConstruct annotated methods.

      The following occurs when security-manager-enabled=generate

      Steps to reproduce:

      1. Startup Liferay 6.2.0-SNAPSHOT (Tomcat 7)

      2. Download the Liferay 6.2.x compatible version of the jsf2-export-pdf-portlet WAR from the snapshot repository:
      https://oss.sonatype.org/content/repositories/snapshots/com/liferay/faces/demos/jsf2-export-pdf-portlet/3.2.3-ga4-SNAPSHOT/

      3. Copy the war downloaded in step#2 to the $LIFERAY_HOME/deploy folder

      4. Shut down Tomcat

      5. Edit the tomcat/webapps/jsf2-export-pdf-portlet/WEB-INF/liferay-plugin-package.properties file and set the following property:

      security-manager-enabled=generate

      6. Restart Tomcat

      7. Add the portlet to a portal page

      8. Reload the page.

      If the bug is fixed, then you should be able to click on one of the links to export the PDF.

      If the bug still exists, then the following stacktrace will appear in the log:

      Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
      	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
      	at java.security.AccessController.checkPermission(AccessController.java:549)
      	at com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
      	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
      	at com.sun.faces.vendor.WebContainerInjectionProvider.invokeAnnotatedMethod(WebContainerInjectionProvider.java:111)
      	at com.sun.faces.vendor.WebContainerInjectionProvider.invokePostConstruct(WebContainerInjectionProvider.java:95)
      	at com.sun.faces.mgbean.BeanBuilder.invokePostConstruct(BeanBuilder.java:223)
      	at com.sun.faces.mgbean.BeanBuilder.build(BeanBuilder.java:105)
      	at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:408)
      	at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:268)
      	at com.sun.faces.el.ManagedBeanELResolver.resolveBean(ManagedBeanELResolver.java:244)
      	at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:116)
      	at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:176)
      	at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:203)
      	at org.jboss.el.parser.AstIdentifier.getValue(AstIdentifier.java:44)
      	at org.jboss.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:186)
      	at com.sun.faces.mgbean.BeanBuilder$Expression.evaluate(BeanBuilder.java:591)
      	at com.sun.faces.mgbean.ManagedBeanBuilder$BakedBeanProperty.set(ManagedBeanBuilder.java:606)
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  6 years, 7 weeks ago