David H Nebinger
PACL and executing java...
April 24, 2013 6:02 AM
Rank: Liferay Legend

Posts: 7157

Join Date: September 1, 2006

So security-manager-files-execute is used to indicate that a plugin is going to execute a process. The examples from the dev guide seem to indicate that the full path is required...

So how does one indicate that a plugin is going to spawn a java app? Or any app that happens to be in the server's path?

Does it handle knowing that "java" may be just "java", but it also might be "java.exe", or do I have to specify both?
Ray Augé
RE: PACL and executing java...
April 24, 2013 6:30 AM
LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

You don't need a full path. You can use any of the many expansions available:

https://github.com/liferay/liferay-portal/blob/6.1.x/portal-impl/src/com/liferay/portal/security/pacl/checker/FileChecker.java#L90

These are being documented and should be available with the next documentation updates.
David H Nebinger
RE: PACL and executing java...
April 24, 2013 6:58 AM

Yeah, I saw all of these and actually use some of them, but how would I specify that I'm going to be running "java"? On a Windows box it would be "java.exe" but on a Unix or Mac system it would be just "java". And for the different JVMs, do they all use the name "java"?

This leads to another question, the java process I want to launch will be using some jars. Does the portal's PACL security apply to the java process in some way?
Ray Augé
RE: PACL and executing java...
April 24, 2013 7:05 AM

You have to indicate all possibilities. That is the nature of binary executables!

You'd have to do the same thing in straight up Java security to cover the cross-platform cases. Same goes for libraries, where it may be called .so on Linux, but .dll on Windows. Your security policy has to cover all the possible cases you want to support.

No security will be applied to this sub process.
David H Nebinger
RE: PACL and executing java...
April 24, 2013 7:09 AM

Eeek!

To that end, I guess it would be better to create a shell and batch script. The scripts can invoke java based on the system's java location, but I can specify for PACL the location of the scripts...
David H Nebinger
RE: PACL and executing java...
April 24, 2013 7:19 AM

Or am I missing an obvious way to use %JAVA_HOME%/bin/java.exe or $JAVA_HOME/bin/java?
Jack Bakker
RE: PACL and executing java...
April 24, 2013 7:43 AM
Rank: Liferay Master

Posts: 615

Join Date: January 3, 2010

Good luck Ray with avoiding the eek over different o/s. Hmmm... PACL or OSGi, I say you focus on OSGi - it is fundamental; can't answer everything especially in the social
David H Nebinger
RE: PACL and executing java...
April 24, 2013 7:51 AM

Who am I to direct Liferay's priorities?

Marketplace plugins or OSGi? Both would seem to be tough nuts to crack...
David H Nebinger
RE: PACL and executing java...
April 24, 2013 8:12 AM

Ah, well, I wrote up a bug for it so the idea doesn't get lost. It's LPS-34711.
Ray Augé
RE: PACL and executing java...
April 24, 2013 8:31 AM

Hey Dave! Why not simply call the Java compiler API rather than call the java process?

OTOH, adding ${java.home} to the list of expansions is not a bad idea.
Ray Augé
RE: PACL and executing java...
April 24, 2013 8:34 AM

Also, a useful, but missing, expansion is not a "bug".

Can you change it to a feature request? If not, will you allow me to change it?
Jack Bakker
RE: PACL and executing java...
April 24, 2013 9:46 AM

OSGi might also have Vaadin opportunities to solve Liferay theme vs Vaadin theme

Feature requests come in, prioritization often elusive...

who am I ... just a guy
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:15 AM

Ray Augé:
Also, a useful, but missing, expansion is not a "bug".

Can you change it to a feature request? If not, will you allow me to change it?


Your call, but IMHO it really is a matter of perspective...

From your side, sure I see it as an enhancement and not really a bug.

From my side, lack of support will keep my plugin out of the marketplace, so it is more of a bug than an enhancement.

Truly I understand the bulk of the work you guys are doing on PACL, and I understand the reasoning behind it (Apple and especially Android support the same sort of security features so a user can choose not to install an app once they see how much access it wants to get). And I don't expect that you'll ever get PACL to the point that it deals with every possible permission that folks on the net would want to use.

I just wonder if this, like perhaps some others, may be use cases that exist outside Liferay and how these use cases get addressed...
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:11 AM

Ray Augé:
Hey Dave! Why not simply call the Java compiler API rather than call the java process?

OTOH, adding ${java.home} to the list of expansions is not a bad idea.


In the bug I mention I need it because I'm doing a "vaadin widgetset compile". Even though it's called a "compile", it is not a java compiler invocation...
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:18 AM

Ray Augé:
Adding ${java.home} to the list of expansions is not a bad idea.



A worthwhile expansion, yes, but it won't cover the general case I mentioned in the bug, i.e. the plugin needs to invoke some system application (I mentioned diff as an example), but from a plugin perspective you have no idea where it would be on the system, so how do you indicate you need an app that is on the system (maybe a default system tool, maybe listed as a requirement for the app in the marketplace, whatever) and you're going to use it but don't know where it actually resides?
Ray Augé
RE: PACL and executing java...
April 24, 2013 10:23 AM

Why can't you expect it to be in the PATH?

This is an environment variable designed for exactly that purpose.

But really, this is going beyond a problem with Liferay. You're making some assumptions on the host system anyway. What if there IS no "diff" installed (Windows)! How will your plugin deal with that?
Ray Augé
RE: PACL and executing java...
April 24, 2013 10:32 AM

One thing I could probably change is that rather than using the present list of expansions, we could simply delegate replacement to matching any system property key (as pure java security does).

Would that address your issue?
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:40 AM

Ray Augé:
One thing I could probably change is that rather than using the present list of expansions, we could simply delegate replacement to matching any system property key (as pure java security does).

Would that address your issue?


I think so...

Another option might be to use portal-ext.properties... Define a property for allowed applications, possibly some sort of "short-name=full-path" mapping. That way the plugin could say "security-manager-files-execute=java", and PACL sees that there is a "java=c:/path/to/allowed/java" mapping and allows the plugin to run it.

That may actually be a good idea. I as the administrator could define a specific version of java that plugins deployed in the portal would use and the path that goes along with it. If I as the admin choose not to add a "java=full-path" thing, then PACL knows I don't want a plugin to invoke java. Likewise I as the admin could indicate where diff is, etc.
Ray Augé
RE: PACL and executing java...
April 24, 2013 10:44 AM

But that's adding a whole new level of complexity.

Why not just have a similar expectation you stated earlier and just expect that there is a JAVA_HOME environment variable set! State that in your description and then if the system variables are available as expansions, you would have:

security-manager-files-execute=\
${env.JAVA_HOME}${/}bin${/}java,\
${env.JAVA_HOME}${/}bin${/}java.exe

Isn't that much simpler?
Ray Augé
RE: PACL and executing java...
April 24, 2013 10:47 AM

If it happens to be some diff impl, just have the requirement:

"Set the environment variable DIFF_EXECUTABLE to the value of a POSIX diff impl."

security-manager-files-execute=\
${env.DIFF_EXECUTABLE}
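
The allowlist sketched in the two posts above, as an added Java example (not Liferay's FileChecker code and not written by anyone in this thread). It assumes the proposed `${env.NAME}` expansion exists alongside `${/}`; the class and method names are hypothetical. An unset variable drops its entry instead of expanding to an empty path, and only absolute, canonicalized paths are compared, so a bare "java" never matches.

```java
import java.io.File;
import java.io.IOException;
import java.util.*;
import java.util.regex.*;

// Hypothetical checker; names are illustrative, not Liferay API.
public class ExecuteAllowlist {
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([^}]+)\\}");
    // Expands ${/} and ${env.NAME}; null means unknown token or unset variable.
    static String expand(String entry, Map<String, String> env) {
        Matcher m = TOKEN.matcher(entry);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group(1);
            String value = key.equals("/") ? File.separator
                : key.startsWith("env.") ? env.get(key.substring(4)) : null;
            if (value == null || value.isEmpty()) return null; // fail closed
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        return m.appendTail(out).toString();
    }

    // Builds the set of canonical paths from the comma-separated property value.
    static Set<String> build(String property, Map<String, String> env) throws IOException {
        Set<String> allowed = new HashSet<>();
        for (String entry : property.split(",")) {
            String path = expand(entry.trim(), env);
            if (path != null) allowed.add(new File(path).getCanonicalPath());
        }
        return allowed;
    }

    // Canonicalize the request too, so ".." segments cannot alias an entry.
    static boolean mayExecute(String command, Set<String> allowed) throws IOException {
        File f = new File(command);
        return f.isAbsolute() && allowed.contains(f.getCanonicalPath());
    }

    public static void main(String[] args) throws IOException {
        String home = System.getProperty("java.home");
        String bin = home + File.separator + "bin" + File.separator;
        // Constructed environment: JAVA_HOME set, DIFF_EXECUTABLE deliberately unset.
        Map<String, String> env = Collections.singletonMap("JAVA_HOME", home);
        Set<String> allowed = build("${env.JAVA_HOME}${/}bin${/}java,"
            + "${env.JAVA_HOME}${/}bin${/}java.exe,${env.DIFF_EXECUTABLE}", env);
        System.out.println(mayExecute(bin + "java", allowed));
        System.out.println(mayExecute(bin + ".." + File.separator + "java", allowed));
        System.out.println(mayExecute("java", allowed));
    }
}
```

The check only decides which binary may be launched; as stated earlier in the thread, no PACL security is applied to the subprocess itself, so whoever controls the referenced environment variables controls what runs.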
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:50 AM

Yep, I know the complexities just keep multiplying

If supported, then ${env.JAVA_HOME}/bin/java example would certainly handle my current needs.

And the ${env.DIFF_EXECUTABLE} would also address "diff", so I'd be covered...

Wonderful! When can I expect it to be implemented? Just kidding, I know you guys have other priorities...
Jack Bakker
RE: PACL and executing java...
April 24, 2013 3:42 PM

Awesome how many Canadian teams in the playoffs. I say go Leafs, but might have to wonder why the Habs are so winning this year. No complexity there.
Ray Augé
RE: PACL and executing java...
April 25, 2013 9:04 AM

Jack, I'm hoping that the Jets make it so that we have all 4 Eastern teams in the playoffs.. not sure how long it's been since that happened.
Jack Bakker
RE: PACL and executing java...
April 25, 2013 9:40 AM

http://www.nhl.com/ice/standings.htm?season=20122013&type=PLA

Jets are so close... notice how David is staying quiet on this front despite his likely winning team... but then he is pretty good at staying on topic. And on that note...
David H Nebinger
RE: PACL and executing java...
April 24, 2013 10:34 AM

Ray Augé:
Why can't you expect it to be in the PATH?

This is an environment variable designed for exactly that purpose.

But really, this is going beyond a problem with Liferay. You're making some assumptions on the host system anyway. What if there IS no "diff" installed (Windows)! How will your plugin deal with that?


I would expect the tool to be on the PATH. I guess I don't know how to write up the liferay-plugin-package.properties file w/ the security-manager-xxx values to indicate that I'm going to read/exec "diff" for example; right now it looks like I'd have to know the actual path to where the tool would be on someone else's system and specify a full path for the security-manager properties...

Then there's the whole "diff" vs "diff.exe" thing (where Windows would run from the command line "diff", but actually executes "diff.exe" or "diff.bat" or even "diff.cmd"), where I have no real idea what platform someone might be running Liferay on (wasn't zOS supported at one point)...

As far as diff not being available, if I were putting such a plugin in the marketplace I'd include, in the description, that the tool needs to have some version of diff installed; if the end user doesn't have diff and installs my plugin and it results in "portlet is not available", well who is really to blame?

I'm certainly not trying to make things hard. I'm just looking to specify in security-manager properties that I'm going to invoke some command, whether "java" or "diff" or "xxx" and that PACL would know that I'm trying to run an app that must be in the PATH and may or may not have some system-dependent extension, and that all of these possibilities are okay because the plugin indicates it needs that access, and the admin can determine whether or not they will install the plugin.