  1. PUBLIC - Liferay Documentation
  2. LRDOCS-703

Introduce PACL and document the Security Policy requirements for app servers/servlet containers

    Details

    • Type: New Article
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: 6.2.x
    • Component/s: Core Infrastructure
    • Labels:
      None
    • Environment:
      App server installation, Portal bundle creation

      Description

      Introduce PACL (admin-oriented docs) and point to the developer docs for more documentation on PACL.

      There are currently limitations within certain Java EE reference implementations which prevent proper dynamic loading of security managers. As a result, for PACL to behave properly, security must be minimally pre-configured for the app server/servlet container.

      Option 1 - Disable PACL

      This will work for all app servers (Not recommended).

      Set the portal property:

      portal.security.manager.strategy=default
      

      Option 2 - Configure security in the app server/servlet container

      1. Set the Liferay portal property:
        portal.security.manager.strategy=liferay
        

      Glassfish

      1. Enable the security manager. This can be accomplished by editing the domain configuration file
        ${app.server.glassfish.dir}/domains/domain1/config/domain.xml
        

        making sure it contains

        <java-config ..>
        	...
        	<jvm-options>-Djava.security.manager</jvm-options>
        	...
        </java-config>
        
      2. Add required permissions to the server policy configuration file
        ${app.server.glassfish.dir}/domains/domain1/config/server.policy
        

        The required permissions are:

        grant {
        	permission java.security.AllPermission;
        };
        
      3. There is a special ant invocation that can be used to completely set up a Glassfish app server with security enabled.
        From the root of the Liferay source tree, execute the following ant command:
        ant -f build-dist.xml unzip-glassfish -Djava.security=true
        

      Tomcat

      1. Enable the security manager. This can be accomplished by editing the setenv.[bat|sh] file
        ${app.server.tomcat.dir}/bin/setenv.[bat|sh]
        

        making sure the CATALINA_OPTS variable contains

        -Djava.security.manager -Djava.security.policy=$CATALINA_BASE/conf/catalina.policy
        
      2. Add required permissions to the server policy configuration file
        ${app.server.tomcat.dir}/conf/catalina.policy
        

        The required permissions are:

        grant {
        	permission java.security.AllPermission;
        };
        
      3. There is a special ant invocation that can be used to completely set up a Tomcat servlet container with security enabled.
        From the root of the Liferay source tree, execute the following ant command:
        ant -f build-dist.xml unzip-tomcat -Djava.security=true
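
A preflight check for the Option 2 steps above, covering both Glassfish and Tomcat. This is an added example, not part of the original issue or of Liferay's code: the function names are hypothetical, the file contents are passed in as text (the issue does not name the file that holds the portal property), and the sample input is constructed.

```python
import re
import xml.etree.ElementTree as ET
KEY = "portal.security.manager.strategy"

def strategy(props_text):
    """Value of the PACL strategy property; the last definition wins."""
    value = None
    for line in props_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == KEY:  # a '#'-commented line never equals KEY
            value = val.strip()
    return value

def jvm_flag_set(server, config_text):
    """True if the security manager is enabled in the server's JVM options."""
    if server == "glassfish":  # domain.xml: <jvm-options> inside <java-config>
        return any((o.text or "").strip() == "-Djava.security.manager"
                   for o in ET.fromstring(config_text).iter("jvm-options"))
    # tomcat: setenv.sh or setenv.bat, non-comment lines that set CATALINA_OPTS
    opts = " ".join(l for l in config_text.splitlines() if "CATALINA_OPTS" in l
                    and not l.lstrip().lower().startswith(("#", "rem ")))
    return (re.search(r"-Djava\.security\.manager(?![\w.])", opts) is not None
            and "-Djava.security.policy=" in opts)

def policy_has_grant(policy_text):
    """True if an unscoped grant { ... AllPermission; } survives comment stripping."""
    text = re.sub(r"/\*.*?\*/", "", policy_text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    pattern = r"\bgrant\s*\{[^}]*\bpermission\s+java\.security\.AllPermission\s*;"
    return re.search(pattern, text) is not None

def check(server, props_text, config_text, policy_text):
    """Return findings; an empty list means the Option 2 setup is complete."""
    findings = []
    if strategy(props_text) != "liferay":
        findings.append(f"{KEY} is not 'liferay' (PACL disabled or unset)")
    if not jvm_flag_set(server, config_text):
        findings.append("JVM options do not enable the security manager")
    if not policy_has_grant(policy_text):
        findings.append("server policy lacks the required unscoped grant block")
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_PROPS = "# portal.security.manager.strategy=liferay\nportal.security.manager.strategy=default\n"
SAMPLE_SETENV = ('CATALINA_OPTS="$CATALINA_OPTS -Djava.security.manager '
                 '-Djava.security.policy=$CATALINA_BASE/conf/catalina.policy"\n')
SAMPLE_POLICY = "// grant { permission java.security.AllPermission; };\n"

if __name__ == "__main__":
    print(check("tomcat", SAMPLE_PROPS, SAMPLE_SETENV, SAMPLE_POLICY))
```

The constructed sample fails two checks: the only active property line selects `default`, and the grant block in the policy is commented out.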
        
