Brian Kim
PACL/Security Manager - help coming
June 24, 2014 11:09
LIFERAY STAFF, Ranking: Expert, Posts: 319, Joined: August 16, 2004

Hi all,

We realize that working with PACL/Security Manager takes some time and experience to build into your apps, so we're going to put together a team to help in answering some of the questions and issues that all of you may be having. We hope to have this ready soon - I'll provide updates as I get them.

Thanks everyone for your comments and feedback.

Maarten J
RE: PACL/Security Manager - help coming
November 6, 2012 4:29
Ranking: New Member, Posts: 15, Joined: January 25, 2012

Hi Brian,

We are really looking forward to help from this team. We have several portlets ready which we would love to publish!

Thanks,
Maarten

James Falkner
RE: PACL/Security Manager - help coming
November 6, 2012 8:35
LIFERAY STAFF, Ranking: Liferay Legend, Posts: 1222, Joined: September 17, 2010

Maarten J:
Hi Brian,

We are really looking forward to help from this team. We have several portlets ready which we would love to publish!

Thanks,
Maarten


Hi all,

As Brian mentions, we have put a team together to help Marketplace Developers work through the PACL issues you are facing. Some issues are configuration issues, others are due to PACL bugs. The triage team can help you figure out whether you simply have missing config, or have found a bug in PACL. I'm going to be on this team, as your community liaison (also known as Chief Pestering Officer). We'll go about it like this:

  1. Develop your app following the official developer documentation (and Security Manager disabled)
  2. After you're satisfied that your app works with the Security Manager disabled, turn it on
  3. Go through the test->edit->repeat cycle to make a best effort at identifying and including all of the PACL resource declarations necessary for your app, using the official Security Manager docs.
  4. If you believe you've done everything right, and you're still having issues related to PACL that you cannot solve, post your issue in this forum category (the one where this message is). Our triage team will engage with you and attempt to determine if there really is a bug, or just missing configuration. You could also post an issue at issues.liferay.com but the triage team will be watching here and it is my hope that most issues are configuration issues and not really bugs in Liferay.


As mentioned, we have seen that most PACL issues fall into two main categories:

1. Missing PACL configuration. PACL is very granular, and requires that you declare all of the protected resources that your app might ever require during its execution. The documentation suggests you first develop your app with PACL disabled, then when you're all done, enable it, and exercise your app to discover which protected resources it requires. This is pretty tedious as of now, requiring multiple test->edit config->repeat cycles (and developers are investigating how to improve the developer experience going forward).

2. PACL Bugs. There are few already. Working with the triage team via this forum is the best way to discover whether you are hitting a bug. If you indeed discover a bug, the triage team will help you to file the issue at issues.liferay.com and get it fixed as quickly as possible.

So please give it a go, and post issues here, and we'll hopefully be able to resolve them as quickly as possible.

Aniceto P Madrid
RE: PACL/Security Manager - help coming
December 5, 2012 1:50
Ranking: Regular Member, Posts: 135, Joined: May 24, 2008

When those PACL are fixed, which requires a new Liferay release, I'll be back to the Marketplace. It makes no sense to fight with a poorly documented security environment that doesn't even work.

Laxman Rana
RE: PACL/Security Manager - help coming
December 31, 2012 2:05
Ranking: Junior Member, Posts: 42, Joined: February 29, 2012

Can you help me solve this problem?

Thank You !!!

Hitoshi Ozawa
RE: PACL/Security Manager - help coming
January 7, 2013 4:30
Ranking: Liferay Legend, Posts: 7954, Joined: March 23, 2010

Speaking on behalf of the community, I have to say it is very disappointing to see that there hasn't been any update to this thread from liferay.com since last November.

http://www.liferay.com/community/forums/-/message_boards/message/18999112

Ray Augé
RE: PACL/Security Manager - help coming
January 7, 2013 5:24
LIFERAY STAFF, Ranking: Liferay Legend, Posts: 1171, Joined: February 7, 2005

Yes, it's quite sad.

Honestly, it was a terrible mistake on my part how PACL unfolded. I regret a great many things about it, mostly how it has adversely affected our community of developers.

With that I offer my sincere apologies and I will try to work from this point to attempt to resolve the issues.

1) I think what I will do is first to document and otherwise simply help people to fix or be aware of how certain things work. I hope that will be a first good step.
2) I have it in mind to create a plugin (I'm just now starting to formulate ideas on how to do this) which will run along with the developer environment which will do its best to generate a valid security settings profile for the deployed plugins, based on execution of the plugin.
   a) it will replace the security checkers/manager (not sure yet) with one which tracks rather than checks.
   b) as the developer uses their plugin, the security profile will be automatically created.
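
The "tracks rather than checks" idea from the post above, as an added example (not Liferay's PACL Policy Generator and not code from this thread). The class name `RecordingSecurityManager`, the sample path and host are constructed, the output uses standard Java policy-file syntax rather than PACL property keys, and a JVM that still ships `java.lang.SecurityManager` is assumed.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Set;
import java.util.concurrent.ConcurrentSkipListSet;

/** Added illustration: records every permission request instead of denying it. */
public class RecordingSecurityManager extends SecurityManager {
    // Sorted and de-duplicated so the generated profile is stable between runs.
    private final Set<String> seen = new ConcurrentSkipListSet<String>();
    // Guards against re-entrant checks triggered by our own bookkeeping.
    private final ThreadLocal<Boolean> busy = new ThreadLocal<Boolean>();

    @Override public void checkPermission(Permission p) { record(p); }
    @Override public void checkPermission(Permission p, Object ctx) { record(p); }

    private void record(Permission p) {
        if (busy.get() != null) return;
        busy.set(Boolean.TRUE);
        try {
            // Backslashes and quotes must be escaped inside policy-file strings.
            String name = String.valueOf(p.getName()).replace("\\", "\\\\").replace("\"", "\\\"");
            String actions = p.getActions();
            String line = "permission " + p.getClass().getName() + " \"" + name + "\"";
            if (actions != null && !actions.isEmpty()) line += ", \"" + actions + "\"";
            seen.add(line + ";");
        } finally {
            busy.remove();
        }
    }

    /** Renders everything observed so far as a Java policy-file grant block. */
    public String toPolicy() {
        StringBuilder out = new StringBuilder("grant {\n");
        for (String line : seen) out.append("    ").append(line).append('\n');
        return out.append("};\n").toString();
    }

    public static void main(String[] args) {
        RecordingSecurityManager rsm = new RecordingSecurityManager();
        // Constructed requests standing in for what exercising a plugin would trigger.
        rsm.checkPermission(new FilePermission("/opt/portal/data/report.csv", "read"));
        rsm.checkPermission(new FilePermission("/opt/portal/data/report.csv", "read"));
        rsm.checkPermission(new SocketPermission("api.example.com:443", "connect"));
        // java.lang.SecurityManager.checkMemberAccess asks for this runtime permission.
        rsm.checkPermission(new RuntimePermission("accessDeclaredMembers"));
        System.out.print(rsm.toPolicy());
    }
}
```

A recorder like this belongs only in a development JVM, installed with `System.setSecurityManager(...)`, because it grants everything it sees; the recorded list still has to be reviewed and trimmed before it becomes the enforced policy.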

Ray Augé
RE: PACL/Security Manager - help coming
January 9, 2013 13:40
LIFERAY STAFF, Ranking: Liferay Legend, Posts: 1171, Joined: February 7, 2005

Hey All,

I wanted to let everyone know that help is really coming in the form of a tool baked into the portal.

I'm dubbing it temporarily Liferay's PACL Policy Generator (a.k.a. PPG)

You can watch its progress via this JIRA issue: http://issues.liferay.com/browse/LPS-32200

Also, you can take a quick look at the workflow outlined in that ticket but also here: https://gist.github.com/4494206

You'll see the result of testing this against the sample-service-builder-portlet and generated in less than 2 minutes running a QA cycle through that app. A complete and functional policy was the result which was literally copy and pasted (as it's already nicely formatted with key and value sorting).

We're hoping that this will quickly be available to everyone in the next GA(3) release(s) (which you will note that James officially announced quietly hints at here: http://www.liferay.com/community/forums/-/message_boards/view_message/17329080#_19_message_19073288).

I'm hoping that this significantly simplifies the process of getting your plugins into the marketplace (at least making the PACL step much simpler).

Of course, feedback is always welcome!

Sampsa Sohlman
RE: PACL/Security Manager - help coming
January 10, 2013 1:53
LIFERAY STAFF, Ranking: Regular Member, Posts: 218, Joined: September 27, 2007

Great job Ray, it will be an excellent tool for all Marketplace developers.

Juan Gonzalez
RE: PACL/Security Manager - help coming
January 11, 2013 3:26
LIFERAY STAFF, Ranking: Liferay Legend, Posts: 1984, Joined: October 28, 2008

Thanks very much Ray.

This was the only missing piece!

Hitoshi Ozawa
RE: PACL/Security Manager - help coming
January 11, 2013 3:52
Ranking: Liferay Legend, Posts: 7954, Joined: March 23, 2010

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly.

Luis Álvarez
RE: PACL/Security Manager - help coming
January 16, 2013 9:19
Ranking: New Member, Posts: 8, Joined: September 19, 2011

Is this the famous PACL problem?

Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: file [C:\B2B\Arquitectura\ComponentesMarketPlace\ImageViewer\LiferayWorkspace\bundle\tomcat-7.0.27\temp\3-2012-01-14-CommunityRelease-6.1.20.1\WEB-INF\classes\com\b2b2000\imageviewer\web\controller\EditController.class]; nested exception is java.lang.SecurityException: Attempted to access declared members
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:237)
at org.springframework.context.annotation.ClassPathBeanDefinitionScanner.doScan(ClassPathBeanDefinitionScanner.java:204)
at org.springframework.context.annotation.ComponentScanBeanDefinitionParser.parse(ComponentScanBeanDefinitionParser.java:84)
at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1338)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1328)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:124)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:92)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
at org.springframework.web.portlet.FrameworkPortlet.createPortletApplicationContext(FrameworkPortlet.java:356)
at org.springframework.web.portlet.FrameworkPortlet.initPortletApplicationContext(FrameworkPortlet.java:294)
at org.springframework.web.portlet.FrameworkPortlet.initPortletBean(FrameworkPortlet.java:268)
at org.springframework.web.portlet.GenericPortletBean.init(GenericPortletBean.java:116)
at javax.portlet.GenericPortlet.init(GenericPortlet.java:107)
at com.liferay.portlet.InvokerPortletImpl.init(InvokerPortletImpl.java:256)
at com.liferay.portlet.PortletInstanceFactoryImpl.init(PortletInstanceFactoryImpl.java:221)
at com.liferay.portlet.PortletInstanceFactoryImpl.create(PortletInstanceFactoryImpl.java:140)
at com.liferay.portlet.PortletInstanceFactoryUtil.create(PortletInstanceFactoryUtil.java:41)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.initPortletApp(PortletHotDeployListener.java:598)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.doInvokeDeploy(PortletHotDeployListener.java:328)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.invokeDeploy(PortletHotDeployListener.java:120)
... 25 more
Caused by: java.lang.SecurityException: Attempted to access declared members
at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:71)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2157)
at java.lang.Class.getDeclaredMethods(Class.java:1790)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:86)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:83)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.annotation.AnnotationType.<init>(AnnotationType.java:82)
at sun.reflect.annotation.AnnotationType.getInstance(AnnotationType.java:66)
at sun.reflect.annotation.AnnotationParser.parseAnnotation(AnnotationParser.java:202)
at sun.reflect.annotation.AnnotationParser.parseAnnotations2(AnnotationParser.java:69)
at sun.reflect.annotation.AnnotationParser.parseAnnotations(AnnotationParser.java:52)
at java.lang.Class.initAnnotationsIfNecessary(Class.java:3070)
at java.lang.Class.getAnnotations(Class.java:3050)
at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:131)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
... 56 more

Ray Augé
RE: PACL/Security Manager - help coming
January 16, 2013 9:36
LIFERAY STAFF, Ranking: Liferay Legend, Posts: 1171, Joined: February 7, 2005

Yup, that's the one we're working on.

Reflection is pretty broken.

We have 3 engineers working on various aspects of the issue as we speak and we're not going to let GA3 come out without fixing this.

Luis Álvarez
RE: PACL/Security Manager - help coming
January 16, 2013 23:40
Ranking: New Member, Posts: 8, Joined: September 19, 2011

We'll probably wait for it to be solved.
Not sure we can find a workaround.

Thanks Ray

immo biton
RE: PACL/Security Manager - help coming
February 20, 2014 8:57
Ranking: New Member, Posts: 1, Joined: February 20, 2014

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly.