Combination View Flat View Tree View
François Prot
PACL : missing configuration options ?
January 25, 2013 8:53 AM
Answer

François Prot

Rank: New Member

Posts: 1

Join Date: August 27, 2008

Recent Posts

Hello !

We have developed a Web Proxy portlet that is working fine on Liferay (already available on Github) and we are looking forward to publish it on Liferay Marketplace.

As indicated in the developer documentation, I enabled the security manager and tried to find the right configuration to deploy and run my portlet. I get the following exception when my portlet is deployed :

 1Caused by: java.lang.SecurityException: Attempted to getProperty.ssl.KeyManagerFactory.algorithm on
 2    at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
 3    at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
 4    at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
 5    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
 6    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
 7    at java.security.Security.getProperty(Security.java:725)
 8    at javax.net.ssl.KeyManagerFactory$1.run(KeyManagerFactory.java:55)
 9    at java.security.AccessController.doPrivileged(Native Method)
10    at javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm(KeyManagerFactory.java:53)
11    at org.apache.http.conn.ssl.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:223)
12    at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:417)
13    at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:450)
14    at fr.ippon.wip.http.hc.HttpClientResourceManager.<init>(HttpClientResourceManager.java:101)
15    ... 35 more


From the source code of SecurityChecker it seems there is currently no way to configure the security manager in order to accept this permission (java.security.SecurityPermission/getProperty). I hope that the next release of the portal will provide a configuration option that allows our portlet to run properly...

However, I fear that the current strategy (reject all permission unless there is a configuration option that allows it) will cause many more difficulties after this one is resolved, and I cannot test my portlet further to have a global view of all needed permissions until this problem is fixed. Do you have any plan to allow publication of "untrusted" applications on the market-place ?

Regards
James Falkner
RE: PACL : missing configuration options ?
January 28, 2013 11:38 AM
Answer

James Falkner

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1222

Join Date: September 17, 2010

Recent Posts

François Prot:
Hello !

We have developed a Web Proxy portlet that is working fine on Liferay (already available on Github) and we are looking forward to publish it on Liferay Marketplace.

As indicated in the developer documentation, I enabled the security manager and tried to find the right configuration to deploy and run my portlet. I get the following exception when my portlet is deployed :

1Caused by: java.lang.SecurityException: Attempted to getProperty.ssl.KeyManagerFactory.algorithm on
2    at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
3    ... 35 more


From the source code of SecurityChecker it seems there is currently no way to configure the security manager in order to accept this permission (java.security.SecurityPermission/getProperty). I hope that the next release of the portal will provide a configuration option that allows our portlet to run properly...

However, I fear that the current strategy (reject all permission unless there is a configuration option that allows it) will cause many more difficulties after this one is resolved, and I cannot test my portlet further to have a global view of all needed permissions until this problem is fixed. Do you have any plan to allow publication of "untrusted" applications on the market-place ?

Regards


This is probably related to, if not a duplicate of, LPS-30766, which should be fixed in the upcoming GA3 Release. See this thread regarding "untrusted" apps.