Combination View Flat View Tree View
toggle
Brian Kim
PACL/Security Manager - help coming
June 24, 2014 11:09 AM
Answer

Brian Kim

LIFERAY STAFF

Rank: Expert

Posts: 319

Join Date: August 16, 2004

Recent Posts

Hi all,

We realize that working with PACL/Security Manager takes some time and experience to build into your apps, so we're going to put together a team to help in answering some of the questions and issues that all of you may be having. We hope to have this ready soon - I'll provide updates as I get them.

Thanks everyone for your comments and feedback.
Maarten J
RE: PACL/Security Manager - help coming
November 6, 2012 4:29 AM
Answer

Maarten J

Rank: New Member

Posts: 15

Join Date: January 25, 2012

Recent Posts

Hi Brian,

We are really looking forward to help from this team. We have several portlets ready which we would love to publish!

Thanks,
Maarten
James Falkner
RE: PACL/Security Manager - help coming
November 6, 2012 8:35 AM
Answer

James Falkner

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1222

Join Date: September 17, 2010

Recent Posts

Maarten J:
Hi Brian,

We are really looking forward to help from this team. We have several portlets ready which we would love to publish!

Thanks,
Maarten


Hi all,

As Brian mentions, we have put a team together to help Marketplace Developers work through the PACL issues you are facing. Some issues are configuration issues, others are due to PACL bugs. The triage team can help you figure out whether you simply have missing config, or have found a bug in PACL. I'm going to be on this team, as your community liaison (also known as Chief Pestering Officer) emoticon We'll go about it like this:

  1. Develop your app following the official developer documentation (and Security Manager disabled)
  2. After you're satisfied that your app works with the Security Manager disabled, turn it on
  3. Go through the test->edit->repeat cycle to make a best effort at identifying and including all of the PACL resource declarations necessary for your app, using the official Security Manager docs.
  4. If you believe you've done everything right, and you're still having issues related to PACL that you cannot solve, post your issue in this forum category (the one where this message is). Our triage team will engage with you and see attempt to determine if there really is a bug, or just missing configuration. You could also post an issue at issues.liferay.com but the triage team will be watching here and it is my hope that most issues are configuration issues and not really bugs in Liferay.


As mentioned, we have seen that most PACL issues fall into two main categories:

1. Missing PACL configuration. PACL is very granular, and requires that you declare all of the protected resources that your app might ever require during its execution. The documentation suggests you first develop your app with PACL disabled, then when you're all done, enable it, and exercise your app to discover which protected resources it requires. This is pretty tedious as of now, requiring multiple test->edit config->repeat cycles (and developers are investigating how to improve the developer experience going forward).

2. PACL Bugs. There are few already. Working with the triage team via this forum is the best way to discover whether you are hitting a bug. If you indeed discover a bug, the triage team will help you to file the issue at issues.liferay.com and get it fixed as quickly as possible.

So please give it a go, and post issues here, and we'll hopefully be able to resolve them as quickly as possible.
Aniceto P Madrid
RE: PACL/Security Manager - help coming
December 5, 2012 1:50 AM
Answer

Aniceto P Madrid

Rank: Regular Member

Posts: 135

Join Date: May 24, 2008

Recent Posts

When those PACL be fixed, which requires a new Liferay relase, I'll be back to the Marketplace. It has no sense to fight with a poorly documented security environment that doesn't event work.
Laxman Rana
RE: PACL/Security Manager - help coming
December 31, 2012 2:05 AM
Answer

Laxman Rana

Rank: Junior Member

Posts: 42

Join Date: February 29, 2012

Recent Posts

Can you help me out to solve this problem ?

Thank You !!!
Hitoshi Ozawa
RE: PACL/Security Manager - help coming
January 7, 2013 4:30 AM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

Recent Posts

Speaking on behave of the community, I have to say it is very disappointing to see that there haven't been any update to this thread from liferay.com since last November.

http://www.liferay.com/community/forums/-/message_boards/message/18999112
Ray Augé
RE: PACL/Security Manager - help coming
January 7, 2013 5:24 AM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

Yes, it's quite sad. emoticon

Honestly, It was a terrible mistake on my part how PACL unfolded. I regret a great many things about it, mostly how it has adversly affected our community of developers.

With that I offer my sincere appologies and I will try to work from this point to attempt to resolve the issues.

1) I think what I will do is first to document and otherwise simply help people to fix or be aware of how certain things work. I hope that will be a first good step.
2) I have it in mind to create a plugin (I'm just now starting for forumate ideas on how to do this) which will run along with the developer environment which will do it's best to generate a valid security settings profile for the deployed plugins, based on execution of the plugin. a) it will replace the security checkers/manager (not sure yet) with one which tracks rather than checks. b) as the developer uses their plugin, the security profile will be automatically created.
Ray Augé
RE: PACL/Security Manager - help coming
January 9, 2013 1:40 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

Hey All,

I wanted to let everyone know that help is really coming in the form of a tool baked into the portal.

I'm dubing it temporarily Liferay's PACL Policy Generator (a.k.a. PPG)

You can watch it's progress via this JIRA issue: http://issues.liferay.com/browse/LPS-32200

Also, you can take a quick look at the workflow outlined in that ticket but also here: https://gist.github.com/4494206

You'll see the result of testing this against the sample-service-builder-portlet and generated in less than a 2 minutes running a QA cycle through that app. A complete and functional policy was the result which was litteraly copy and pasted (as it's already nicely formatted with key and value sorting).

We're hoping that this will quickly be available to everyone in the next GA(3) release(s) (which you will note that James officially announced quietly hints at here: http://www.liferay.com/community/forums/-/message_boards/view_message/17329080#_19_message_19073288).

I'm hoping that this significantly simplifies the process of getting your plugins into the marketplace (at least making the PACL step much simpler).

Of course, feedback is always welcome!
Sampsa Sohlman
RE: PACL/Security Manager - help coming
January 10, 2013 1:53 AM
Answer

Sampsa Sohlman

LIFERAY STAFF

Rank: Regular Member

Posts: 218

Join Date: September 27, 2007

Recent Posts

Great job Ray, it will be excelent tool for all Marketplace developers.
Juan Gonzalez
RE: PACL/Security Manager - help coming
January 11, 2013 3:26 AM
Answer

Juan Gonzalez

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1980

Join Date: October 28, 2008

Recent Posts

Thanks very much Ray.

This was the only missing piece!
Hitoshi Ozawa
RE: PACL/Security Manager - help coming
January 11, 2013 3:52 AM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7954

Join Date: March 23, 2010

Recent Posts

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly. emoticon
Luis Álvarez
RE: PACL/Security Manager - help coming
January 16, 2013 9:19 AM
Answer

Luis Álvarez

Rank: New Member

Posts: 8

Join Date: September 19, 2011

Recent Posts

¿Is this the famous PACL problem?

Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: file [C:\B2B\Arquitectura\ComponentesMarket
Place\ImageViewer\LiferayWorkspace\bundle\tomcat-7.0.27\temp\3-2012-01-14-CommunityRelease-6.1.20.1\WEB-INF\classes\com\b2b2000\imageviewer\web\controller\EditC
ontroller.class]; nested exception is java.lang.SecurityException: Attempted to access declared members
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvide
r.java:237)
at org.springframework.context.annotation.ClassPathBeanDefinitionScanner.doScan(ClassPathBeanDefinitionScanner.java:204)
at org.springframework.context.annotation.ComponentScanBeanDefinitionParser.parse(ComponentScanBeanDefinitionParser.java:84)
at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1338)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1328)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:124)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:92)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
at org.springframework.web.portlet.FrameworkPortlet.createPortletApplicationContext(FrameworkPortlet.java:356)
at org.springframework.web.portlet.FrameworkPortlet.initPortletApplicationContext(FrameworkPortlet.java:294)
at org.springframework.web.portlet.FrameworkPortlet.initPortletBean(FrameworkPortlet.java:268)
at org.springframework.web.portlet.GenericPortletBean.init(GenericPortletBean.java:116)
at javax.portlet.GenericPortlet.init(GenericPortlet.java:107)
at com.liferay.portlet.InvokerPortletImpl.init(InvokerPortletImpl.java:256)
at com.liferay.portlet.PortletInstanceFactoryImpl.init(PortletInstanceFactoryImpl.java:221)
at com.liferay.portlet.PortletInstanceFactoryImpl.create(PortletInstanceFactoryImpl.java:140)
at com.liferay.portlet.PortletInstanceFactoryUtil.create(PortletInstanceFactoryUtil.java:41)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.initPortletApp(PortletHotDeployListener.java:598)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.doInvokeDeploy(PortletHotDeployListener.java:328)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.invokeDeploy(PortletHotDeployListener.java:120)
... 25 more
Caused by: java.lang.SecurityException: Attempted to access declared members
at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:71)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2157)
at java.lang.Class.getDeclaredMethods(Class.java:1790)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:86)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:83)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.annotation.AnnotationType.<init>(AnnotationType.java:82)
at sun.reflect.annotation.AnnotationType.getInstance(AnnotationType.java:66)
at sun.reflect.annotation.AnnotationParser.parseAnnotation(AnnotationParser.java:202)
at sun.reflect.annotation.AnnotationParser.parseAnnotations2(AnnotationParser.java:69)
at sun.reflect.annotation.AnnotationParser.parseAnnotations(AnnotationParser.java:52)
at java.lang.Class.initAnnotationsIfNecessary(Class.java:3070)
at java.lang.Class.getAnnotations(Class.java:3050)
at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:131)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvide
r.java:213)
... 56 more
Ray Augé
RE: PACL/Security Manager - help coming
January 16, 2013 9:36 AM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1171

Join Date: February 7, 2005

Recent Posts

Yup, that's the one we're working on.

Reflection is pretty broken. emoticon

We have 3 engineers working on various aspects of the issue as we speak and we're not going to let GA3 come out without fixing this.
Luis Álvarez
RE: PACL/Security Manager - help coming
January 16, 2013 11:40 PM
Answer

Luis Álvarez

Rank: New Member

Posts: 8

Join Date: September 19, 2011

Recent Posts

Probably we'll wait to be solved.
Not sure we can find a workaround.

Thanks Ray
immo biton
RE: PACL/Security Manager - help coming
February 20, 2014 8:57 AM
Answer

immo biton

Rank: New Member

Posts: 1

Join Date: February 20, 2014

Recent Posts

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly. emoticon