Kombinierte Ansicht Flache Ansicht Baumansicht
toggle
François Prot
PACL : missing configuration options ?
25. Januar 2013 08:53
Antwort

François Prot

Rang: New Member

Nachrichten: 1

Eintrittsdatum: 27. August 2008

Neue Beiträge

Hello !

We have developed a Web Proxy portlet that is working fine on Liferay (already available on Github) and we are looking forward to publish it on Liferay Marketplace.

As indicated in the developer documentation, I enabled the security manager and tried to find the right configuration to deploy and run my portlet. I get the following exception when my portlet is deployed :

 1Caused by: java.lang.SecurityException: Attempted to getProperty.ssl.KeyManagerFactory.algorithm on
 2    at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
 3    at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
 4    at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
 5    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
 6    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
 7    at java.security.Security.getProperty(Security.java:725)
 8    at javax.net.ssl.KeyManagerFactory$1.run(KeyManagerFactory.java:55)
 9    at java.security.AccessController.doPrivileged(Native Method)
10    at javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm(KeyManagerFactory.java:53)
11    at org.apache.http.conn.ssl.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:223)
12    at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:417)
13    at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:450)
14    at fr.ippon.wip.http.hc.HttpClientResourceManager.<init>(HttpClientResourceManager.java:101)
15    ... 35 more


From the source code of SecurityChecker it seems there is currently no way to configure the security manager in order to accept this permission (java.security.SecurityPermission/getProperty). I hope that the next release of the portal will provide a configuration option that allows our portlet to run properly...

However, I fear that the current strategy (reject all permission unless there is a configuration option that allows it) will cause many more difficulties after this one is resolved, and I cannot test my portlet further to have a global view of all needed permissions until this problem is fixed. Do you have any plan to allow publication of "untrusted" applications on the market-place ?

Regards
James Falkner
RE: PACL : missing configuration options ?
28. Januar 2013 11:38
Antwort

James Falkner

LIFERAY STAFF

Rang: Liferay Legend

Nachrichten: 1216

Eintrittsdatum: 17. September 2010

Neue Beiträge

François Prot:
Hello !

We have developed a Web Proxy portlet that is working fine on Liferay (already available on Github) and we are looking forward to publish it on Liferay Marketplace.

As indicated in the developer documentation, I enabled the security manager and tried to find the right configuration to deploy and run my portlet. I get the following exception when my portlet is deployed :

1Caused by: java.lang.SecurityException: Attempted to getProperty.ssl.KeyManagerFactory.algorithm on
2    at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
3    ... 35 more


From the source code of SecurityChecker it seems there is currently no way to configure the security manager in order to accept this permission (java.security.SecurityPermission/getProperty). I hope that the next release of the portal will provide a configuration option that allows our portlet to run properly...

However, I fear that the current strategy (reject all permission unless there is a configuration option that allows it) will cause many more difficulties after this one is resolved, and I cannot test my portlet further to have a global view of all needed permissions until this problem is fixed. Do you have any plan to allow publication of "untrusted" applications on the market-place ?

Regards


This is probably related to, if not a duplicate of, LPS-30766, which should be fixed in the upcoming GA3 Release. See this thread regarding "untrusted" apps.