Philippe Tran
generate security-manager-enabled options
2 April 2013 07:28

Rank: Junior Member

Posts: 34

Join date: 22 January 2009

Hi everyone,

As Ray mentioned, the latest LR master lets you try the security manager option:
security-manager-enabled=generate

I am working on a Spring-based portlet app, also embedding logback. Using this option, I was able to debug some of the PACL settings. But I still get a lot of these messages:

WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to create a class loader
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to access declared members
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get protection domain
WARN [localhost-startStop-1][ReflectChecker:101] Attempted to reflect


The warnings appear at the init phase of logback:

INFO in ch.qos.logback.classic.LoggerContext - Found resource [logback.xml] at [file:.../webapps//WEB-INF/classes/logback.xml]
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to create a class loader
(warnings here...)
INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]


Then, when hot deploying the portlets, I get:

INFO: Initializing Spring root WebApplicationContext
INFO Root WebApplicationContext: initialization started
INFO [XmlWebApplicationContext] Refreshing Root WebApplicationContext: startup date [...]; root of context hierarchy
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to access declared members
WARN [localhost-startStop-1][ReflectChecker:101] Attempted to reflect
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get protection domain
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get class loader
...
ERROR Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xxxDAOFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:287)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1073)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:516)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:455)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:192)
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:282)
org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:204)
org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
com.liferay.portal.kernel.servlet.SecurePluginContextListener.instantiatingListener(SecurePluginContextListener.java:333)
com.liferay.portal.kernel.servlet.SecurePluginContextListener.instantiatingListeners(SecurePluginContextListener.java:157)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.doInvokeDeploy(ServletContextListenerHotDeployListener.java:71)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:36)
com.liferay.portal.deploy.hot.HotDeployImpl.doFireDeployEvent(HotDeployImpl.java:186)
com.liferay.portal.deploy.hot.HotDeployImpl.fireDeployEvent(HotDeployImpl.java:95)
...

Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:506)
org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:284)
...

Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
java.security.AccessController.checkPermission(AccessController.java:549)
com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
org.springframework.util.ReflectionUtils.makeAccessible(ReflectionUtils.java:386)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:501)
...

ERROR [localhost-startStop-1][HotDeployImpl:189] com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for
com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for at
com.liferay.portal.kernel.deploy.hot.BaseHotDeployListener.throwHotDeployException(BaseHotDeployListener.java:46)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:39)
com.liferay.portal.deploy.hot.HotDeployImpl.doFireDeployEvent(HotDeployImpl.java:186)
com.liferay.portal.deploy.hot.HotDeployImpl.fireDeployEvent(HotDeployImpl.java:95)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
...

Caused by: java.lang.reflect.InvocationTargetException at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.doInvokeDeploy(ServletContextListenerHotDeployListener.java:71)
...
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xxxDAOFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:287)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1073)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:516)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:455)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
...
Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:506)
org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:284)
...
Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
java.security.AccessController.checkPermission(AccessController.java:549)
com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
...


Does anyone know of a method to intercept all security exceptions, and how to deal with them? I guess that most of my problems come from objects that are not listed in security-manager-get-bean-property and security-manager-set-bean-property.

Thanks in advance,
Philippe
Ray Augé
RE: generate security-manager-enabled options
2 April 2013 07:34

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join date: 7 February 2005

Philippe, can you create a base test case plugin which causes the issue (and attach it to this thread)? I will test it.

A couple of notes:

First:

Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:506)
org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:284)
...
Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
java.security.AccessController.checkPermission(AccessController.java:549)
com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
...

This should technically only happen if the target class of the accessibility change comes from a classloader foreign to your plugin (i.e. it could be a malicious attempt to change the accessibility of members in outside classes). However, perhaps autowire is sufficiently confusing to cause the failure when the class is not actually foreign, and I think I have an idea why that might be. A base code from you would help me quickly solve that problem.

Second: Unless they actually cause problems for your application, these warnings:

WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to access declared members
WARN [localhost-startStop-1][ReflectChecker:101] Attempted to reflect
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get protection domain
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get class loader

should be harmless and allow you to continue.
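
Philippe asks above how to intercept every security exception and learn what is missing, and Ray explains that the suppressAccessChecks denial is meant to fire only when the target class is foreign to the plugin. The following is an added example, not code from this thread, from Liferay or from PACL: a SecurityManager subclass that records each denied permission together with the first non-JDK class on the stack and that class's code source, then rethrows the denial. The decision stays a denial; what changes is that the log says which jar asked for which permission. The class names (AuditingSecurityManager, Demo), the policy that denies only suppressAccessChecks, and the `secret` field are constructed for the demonstration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Records every denied permission with the first non-JDK class on the stack and that
 *  class's code source, then rethrows the denial. Constructed example; this is not
 *  Liferay's PACL implementation. */
public class AuditingSecurityManager extends SecurityManager {

    /** One entry per denial: "permission requested by class from location". */
    private final List<String> denials = Collections.synchronizedList(new ArrayList<String>());
    /** Re-entrancy guard: resolving the code source performs checks of its own. */
    private final ThreadLocal<Boolean> recording = new ThreadLocal<Boolean>();

    public List<String> getDenials() {
        return new ArrayList<String>(denials);
    }

    @Override
    public void checkPermission(Permission perm) {
        try {
            super.checkPermission(perm);
        } catch (AccessControlException e) {
            record(perm);
            throw e;  // the decision is still a denial; only visibility is added
        }
    }

    private void record(Permission perm) {
        if (Boolean.TRUE.equals(recording.get())) {
            return;  // a denial raised while recording a denial: do not recurse
        }
        recording.set(Boolean.TRUE);
        try {
            Class<?> requester = firstApplicationClass();
            String who = requester == null ? "<unknown>" : requester.getName();
            String where = "<unknown>";
            if (requester != null) {
                // getProtectionDomain is itself a checked permission (PACL logs it as
                // "Attempted to get protection domain"); a denial lands in the catch below.
                ProtectionDomain pd = requester.getProtectionDomain();
                CodeSource cs = pd == null ? null : pd.getCodeSource();
                where = (cs == null || cs.getLocation() == null)
                        ? "<bootstrap>" : cs.getLocation().toString();
            }
            String entry = perm + " requested by " + who + " from " + where;
            denials.add(entry);
            System.err.println("DENIED " + entry);
        } catch (AccessControlException lookupDenied) {
            denials.add(perm + " requested by <unknown> from <unknown>");
        } finally {
            recording.set(Boolean.FALSE);
        }
    }

    /** First class on the stack that is neither this manager nor JDK code. */
    private Class<?> firstApplicationClass() {
        for (Class<?> c : getClassContext()) {
            String n = c.getName();
            if (c == AuditingSecurityManager.class || n.startsWith("java.")
                    || n.startsWith("javax.") || n.startsWith("sun.") || n.startsWith("jdk.")) {
                continue;
            }
            return c;
        }
        return null;
    }

    /** Demo: deny only suppressAccessChecks, then trigger it the way the trace does. */
    public static final class Demo {
        private String secret = "constructed value";

        public static void main(String[] args) throws Exception {
            Policy.setPolicy(new Policy() {
                @Override
                public boolean implies(ProtectionDomain domain, Permission p) {
                    return !(p instanceof ReflectPermission
                            && "suppressAccessChecks".equals(p.getName()));
                }
            });
            AuditingSecurityManager sm = new AuditingSecurityManager();
            System.setSecurityManager(sm);
            Field f = Demo.class.getDeclaredField("secret");
            try {
                f.setAccessible(true);  // the same call as ReflectionUtils.makeAccessible
            } catch (AccessControlException expected) { /* denied, as under PACL */ }
            for (String entry : sm.getDenials()) System.out.println(entry);
        }
    }
}
```

Compile with `javac AuditingSecurityManager.java` and run `java 'AuditingSecurityManager$Demo'` (quoted because of the `$`). It runs as-is on JDK 8 to 17; JDK 18 to 23 need `-Djava.security.manager=allow`, and JDK 24 disables the SecurityManager permanently. The printed entry names the permission, the requesting class and its code source, which is the information a plugin author needs to decide whether a grant is justified; the getProtectionDomain lookup inside record() is why such a tool must be prepared for its own lookups to be denied, and the guard plus the inner catch handle that case.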
Philippe Tran
RE: generate security-manager-enabled options
2 April 2013 08:18

Thanks Ray,

In what form would you prefer it?

I guess I can provide you with something simple around the logback problem. About the Spring injection, my app is becoming big, so I must think about narrowing the test case around the problem.

Philippe
Ray Augé
RE: generate security-manager-enabled options
2 April 2013 08:43

If the logback issue is actually breaking, then sure, a sample app that shows that alone would be very helpful. (I wasn't clear whether it was just warnings coming up because of it or it was failing completely.)

In the case of the Spring autowire issue, a minimalistic test case plugin would be great as well. The reason it would be great if it came from outside, namely from you, is that then I know with certainty that I'm not using some trick without realizing it to make things work. If you send me a plugin which you are sure is causing the same issue, and I test exactly that code, we eliminate discrepancies in the "implementation" which could become suspect.
Philippe Tran
RE: generate security-manager-enabled options
15 July 2013 03:40

Hi Ray,

I have built a pure Spring portlet, with the environment we use, for testing purposes. It uses ContextLoaderListener and RequestContextFilter (in web.xml).

In logback.xml, logback as well as Spring bean generation is in debug mode. With this sample, some extra logs are written in the servlet container log directory.

Using the generate option for security-manager-enabled, you can see these warnings:
- WARN [RuntimeChecker:101] Attempted to get protection domain
- WARN [RuntimeChecker:101] Attempted to get class loader
- WARN [RuntimeChecker:101] Attempted to access declared members

Here are some extra remarks I have found.

1. security-manager-enabled generates security-manager-environment-variables=\*, I guess it means security-manager-environment-variables=\\*.

2. PortletContext.getRealPath("/") returns a copy of the portlet directory in the temp directory, instead of the 'real' portlet directory. We would like to let admins upload some configuration files (such as Spring translation 'messages.properties' files) into the WEB-INF directory, and we use the 'edit_defaults' mode for that, as declared in resource-actions/spring-portlet.xml. It seems that this is not possible anymore. Are Control Panel portlets allowed to upload into the WEB-INF directory, just like admins are allowed to install portlets using the Control Panel?

Thanks, Ray, for your help.
Philippe
Philippe Tran
RE: generate security-manager-enabled options
9 April 2013 02:28

Hello again Ray,

Ray Augé:
This should technically only happen if the target class of the accessibility change comes from a classloader foreign to your plugin (i.e. it could be a malicious attempt to change the accessibility of members in outside classes). However, perhaps autowire is sufficiently confusing to cause the failure when the class is not actually foreign, and I think I have an idea why that might be. A base code from you would help me quickly solve that problem.


Your remark about a classloader foreign to my portlet reminds me that I use also cglib.

Should I add a test explicitly using cglib in the sample portlet?

Philippe
Philippe Tran
RE: generate security-manager-enabled options
9 April 2013 02:55

Sorry Ray,

I forgot to add in WEB-INF/spring/portlet-context.xml, just before <context:component-scan...> :

<bean class="org.springframework.web.portlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
<bean class="org.springframework.web.portlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>


Philippe
Ray Augé
RE: generate security-manager-enabled options
11 April 2013 11:25

Thank you very much Philippe. I'll test these out as soon as I get a chance.

I appreciate the effort.
Philippe Tran
RE: generate security-manager-enabled options
11 April 2013 13:48

You are welcome. Feel free to ask me for any further information on this sample portlet.

I have created LPS-34370 on the same subject, with the same posted project, without a small bug in the sample posted here. But the idea is the same.

Hope this helps, and thanks Ray for your test,
Philippe
Ray Augé
RE: generate security-manager-enabled options
10 July 2013 09:09

Hey Philippe,

I've been working on this the last couple of days.

First thing, I solved the Spring problems; I think I have eliminated most cases that were problematic:

#1 tune the default logging (simple fix)
#2 don't hide unhandled errors while "generate" is enabled (bug)
#3 new property for RuntimePermission "createClassLoader" (sys admins: allow plugins that have this at own risk)
#4 new property for RuntimePermission "getProtectionDomain" (sys admins: allow plugins that have this at own risk)
#5 avoid many cases where the "checkMemberAccess" permission check is against own code

Lastly, logback: WOW, this one is very bad. I'm not entirely sure why this library does what it does, but it basically wants unrestricted access to the classloader of any class in the stack. I'm not sure what to do about it. I actually filed a bug for it: http://jira.qos.ch/browse/LOGBACK-880

I also got the logback source, and tried to fix it myself. I'm working on this at the moment, but I'm not confident that I'll solve this in short order. Basically, logback will require one to get the classloader of any class and that effectively means you need to create a WEB-INF/java.policy file which contains:

grant {
    permission java.lang.RuntimePermission "getClassLoader";
};


which I hope everyone can see is a frightfully wide permission to have to grant a plugin.
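
Ray's point is that an unprivileged class-loader lookup inside a library forces the plugin, not just the library, to hold RuntimePermission "getClassLoader", because the Java permission check walks every ProtectionDomain on the call stack. The following added example (not from this thread, from Liferay or from logback) makes that visible: a stand-in library class is defined under its own constructed code source (the jar URL under WEB-INF/lib is a placeholder), a Policy grants getClassLoader to that code source only, and the same lookup is attempted once plainly and once inside AccessController.doPrivileged, the standard library-side pattern that confines the grant to the library's own domain. Every class name here (ClassLoaderPrivilegeDemo, LibraryImpl, LibraryLoader, LibraryOnlyPolicy) is hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/** Constructed example: a stand-in library is defined under its own code source, only that
 *  code source is granted RuntimePermission "getClassLoader", and a class-loader lookup is
 *  attempted with and without doPrivileged. */
public class ClassLoaderPrivilegeDemo {

    /** Every class whose name starts with this is defined as library code. */
    static final String LIBRARY_CLASS = "ClassLoaderPrivilegeDemo$LibraryImpl";

    /** Loaded by the application loader, so the demo can call the library through it. */
    public interface Library {
        ClassLoader plainLookup(Class<?> c);
        ClassLoader privilegedLookup(Class<?> c);
    }

    /** The library: logback-style code that wants the loader of a caller's class. */
    public static class LibraryImpl implements Library {
        public ClassLoader plainLookup(Class<?> c) {
            // The check walks every ProtectionDomain on the stack, so the plugin needs the grant too.
            return c.getClassLoader();
        }

        public ClassLoader privilegedLookup(final Class<?> c) {
            // doPrivileged stops the stack walk here: only the library's own domain is checked.
            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                public ClassLoader run() { return c.getClassLoader(); }
            });
        }
    }

    /** Defines the library classes with an explicit ProtectionDomain of their own. */
    static final class LibraryLoader extends ClassLoader {
        private final ProtectionDomain domain;
        LibraryLoader(ClassLoader parent, ProtectionDomain domain) { super(parent); this.domain = domain; }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.startsWith(LIBRARY_CLASS)) return super.loadClass(name, resolve);  // delegate the rest
            Class<?> c = findLoadedClass(name);
            if (c != null) return c;
            // Reuse the bytes javac produced, but define them under the library's domain.
            try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length, domain);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Grants getClassLoader to the library location only; everything else is allowed. */
    static final class LibraryOnlyPolicy extends Policy {
        private final String libraryLocation;
        LibraryOnlyPolicy(URL libraryLocation) { this.libraryLocation = libraryLocation.toExternalForm(); }

        @Override
        public boolean implies(ProtectionDomain domain, Permission p) {
            if (p instanceof RuntimePermission && "getClassLoader".equals(p.getName())) {
                CodeSource cs = domain.getCodeSource();
                return cs != null && cs.getLocation() != null
                        && libraryLocation.equals(cs.getLocation().toExternalForm());
            }
            return true;  // keeps the demo focused on the one permission under discussion
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL standing in for the library jar's real location.
        URL libraryJar = new URL("file:/opt/liferay/tomcat/webapps/spring-portlet/WEB-INF/lib/example-logging.jar");
        ProtectionDomain libraryDomain = new ProtectionDomain(
                new CodeSource(libraryJar, (Certificate[]) null), null, null, null);
        ClassLoader appLoader = ClassLoaderPrivilegeDemo.class.getClassLoader();
        Library library = (Library) new LibraryLoader(appLoader, libraryDomain)
                .loadClass(LIBRARY_CLASS).getDeclaredConstructor().newInstance();

        Policy.setPolicy(new LibraryOnlyPolicy(libraryJar));
        System.setSecurityManager(new SecurityManager());

        try {
            library.plainLookup(ClassLoaderPrivilegeDemo.class);
            System.out.println("plain lookup: allowed (unexpected)");
        } catch (AccessControlException e) {
            System.out.println("plain lookup denied: " + e.getPermission());
        }
        ClassLoader found = library.privilegedLookup(ClassLoaderPrivilegeDemo.class);
        System.out.println("privileged lookup returned the application loader: " + (found == appLoader));
    }
}
```

Run with `javac ClassLoaderPrivilegeDemo.java && java ClassLoaderPrivilegeDemo` on JDK 9 to 17 (readAllBytes needs 9; JDK 18 to 23 need `-Djava.security.manager=allow`; JDK 24 disables the SecurityManager). The plain lookup is denied even though the library's own code source holds the permission, because the caller's ProtectionDomain is on the stack as well; that is why the only fix available on the plugin side is the blanket grant in WEB-INF/java.policy that Ray shows, while the library-side fix is to confine the lookup in doPrivileged. Thread.currentThread().getContextClassLoader() is checked by the same rule. A doPrivileged block is only appropriate when the library uses the loader internally and does not hand it, or what it loads, back to an arbitrary caller, since the block lends the library's privileges to whoever calls it.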
Ray Augé
RE: generate security-manager-enabled options
10 July 2013 09:55

I believe I managed to solve the logback issue.

I will send a pull request for future versions of logback to work correctly with security enabled.

Lastly, I get a NullPointerException when trying to update the "preferences" and I'm not sure if it's a PACL related issue, or a bug in the sample code. I don't have the java source so I can't tell.

If you could attach a portlet which includes the source code, that would be really great!
Philippe Tran
RE: generate security-manager-enabled options
10 July 2013 15:11

Hi Ray,

We really thank you for having worked on this.

Ray Augé:
Lastly, logback: WOW, this one is very bad. I'm not entirely sure why this library does what it does, but it basically wants unrestricted access to the classloader of any class in the stack. I'm not sure what to do about it. I actually filed a bug for it: http://jira.qos.ch/browse/LOGBACK-880


Because of the class-loading issue of logback, we are trying to go back to Log4j.

In fact, we badly need to use a system property in log4j.properties that is not necessarily set by the user. So we ended up using a ServletContextListener as a listener in web.xml. But we just discovered that our listener is not loaded by Liferay 6.1.x with security-manager enabled (LPS-37587)!!!

So we are kind of trapped right now on this issue :-(

About the other problems, namely class-loading, domain protection and reflection, we have kind of succeeded in getting around them, so they are no longer that critical.

Philippe
Philippe Tran
RE: generate security-manager-enabled options
15 July 2013 03:41

Hi again,

Ray Augé:
I get a NullPointerException when trying to update the "preferences" and I'm not sure if it's a PACL related issue, or a bug in the sample code. I don't have the java source so I can't tell.

If you could attach a portlet which includes the source code, that would be really great!


Here is the code, hope this will help you.

Philippe