Combination View Flat View Tree View
Vitaly Lyapin
Issues with PACL
January 10, 2013 11:21 PM
Answer

Vitaly Lyapin

Rank: New Member

Posts: 4

Join Date: November 1, 2012

Recent Posts

Hello!

Seems that Liferay PACL security rules doesn't support some JDBC libraries like orbroker (http://code.google.com/p/orbroker/) and blocks connections to data source. And this cannot be fixed only with PACL settings liferay-plugin-package.property file.
This is blocking issue for us, because we cannot post application into Marketplace with security off.

In our project we got two types of issues:
1. "Attempt to reflect", which is caused by ReflectChecker. This checker doesn't have rules for java.io.ObjectStreamClass which is used by postgres jdbc driver so we got an exception (only few classes are allowed to reflect in Liferay sources).
This appear in Liferay CE 6.1.1+ and in Liferay EE 6.1.20

2. In Liferay CE (but not in EE) we can fix previous issue with adding "security-manager-sockets-connect" with address of our postgres server (no ideas how this affects reflect checker), but this leads to another two problems:
- for production version we must fill "security-manager-sockets-connect" with list of all addresses we want to connect, but this is impossible, because we cannot predict all addresses of DB servers which users can use
- even if we add this addresses, we got another exception with RuntimeChecker: in Liferay sources it allows read file descriptor only from java.lang.ProcessImpl, but in our code we connect to DB via network, and code fail on checking read file descriptor permission from java.net.SocketInputStream.

It will be great if PACL will be more flexible without a lot of hardcoded restrictions.
Ray Augé
RE: Issues with PACL
January 15, 2013 12:47 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

We've fixed the socket naming issue with this:

http://issues.liferay.com/browse/LPS-32235

This lets you define the full syntax for SocketPermissions defined here (including wildcards):

http://docs.oracle.com/javase/6/docs/api/java/net/SocketPermission.html

i.e. *:* works to mean any host at any port.
Ray Augé
RE: Issues with PACL
January 15, 2013 12:49 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

Regarding the FileDescriptor issue. Can you file a ticket for that specifically with perhaps a minimal test case? It would be it easier to get to it fast.
Ray Augé
RE: Issues with PACL
January 15, 2013 1:06 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

Also, there is no such thing I can find as java.net.SocketInputStream in Java6 or Java7. Can you clarify or identify the correct class?
Vitaly Lyapin
RE: Issues with PACL
January 17, 2013 3:59 AM
Answer

Vitaly Lyapin

Rank: New Member

Posts: 4

Join Date: November 1, 2012

Recent Posts

I create task here http://issues.liferay.com/browse/LPS-32386
Sample project and full stack trace included.