Developing Plugins with security in mind
At the start of plugin development, you may not have a clear picture of all the aspects of the portal you’ll need to access, and that’s fine. In fact, we suggest you go ahead and develop your plugin first and address plugin security afterwards. Liferay Portal’s Plugin Security Manager uncovers the resources your plugin tries to access by throwing exceptions if a PACL property does not specifically grant access to those resources. So at the end of development, you may as well put the security manager to work and make it earn its keep.
Here is the suggested plugin development approach:
- Develop your plugin
- Turn on the Plugin Security Manager
- Declare the PACL property values required to satisfy the security manager
The Plugin Security Manager intercepts requests for protected Liferay APIs and tells you immediately which portal resources your plugin is not authorized to access. You can then fill in the security manager properties of your plugin’s PACL, so that every protected API it accesses is declared to users of your plugin.
Develop your plugin
First, create your plugin the way you normally would. Design your application, write code, unit test your code, have users beta test your code. In essence, do everything you normally would do.
Turn on the Plugin Security Manager
Next, turn on the security manager (see below), and re-test your application’s functionality. If anything you’re doing in the application needs to be declared in a PACL, this will be revealed to you. As you test, keep track of any issues the security manager reveals during testing.
Declare the PACL properties
Once you’ve identified what you need to declare, add the appropriate properties to your PACL in liferay-plugin-package.properties. Save this file and retest. Make sure everything works. If not, there are other properties you’ll have to declare, so add those and test again. Repeat this process until you have an error-free deployment.
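One way to turn the issues tracked during testing into PACL declarations, as an added example that is not part of the original page or Liferay's own tooling. It assumes denials show up in the server log as standard JDK AccessControlException messages and that the PACL keys named in PACL_KEYS apply to your Liferay version; the log lines, paths and host are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines; assumes denials use the JDK AccessControlException format.
SAMPLE_LOG = '''\
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/liferay/data/report.csv" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/liferay/data/report.csv" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/liferay/data/out.tmp" "write")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "api.example.com:443" "connect,resolve")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
INFO  [localhost-startStop-1] unrelated line
'''

DENIED = re.compile(r'access denied \("([\w.]+)" "([^"]*)"(?: "([^"]*)")?\)')

# (permission class, action) -> PACL property (assumed mapping; verify per version)
PACL_KEYS = {
    ("java.io.FilePermission", "read"): "security-manager-files-read",
    ("java.io.FilePermission", "write"): "security-manager-files-write",
    ("java.io.FilePermission", "delete"): "security-manager-files-delete",
    ("java.net.SocketPermission", "connect"): "security-manager-sockets-connect",
    ("java.util.PropertyPermission", "read"): "security-manager-properties-read",
}

def collect_denials(log_text):
    """Group denied targets by PACL key; keep what has no mapping for manual review."""
    found, unmapped = defaultdict(set), set()
    for m in DENIED.finditer(log_text):
        cls, target, actions = m.group(1), m.group(2), m.group(3) or ""
        for action in (a.strip() for a in actions.split(",")):
            key = PACL_KEYS.get((cls, action))
            if key:
                found[key].add(target)  # the set removes repeated denials
            else:
                unmapped.add((cls, target, action))
    return found, unmapped

def render_pacl(found):
    """Render candidate lines for liferay-plugin-package.properties."""
    lines = ["security-manager-enabled=true"]
    for key in sorted(found):
        values = ",\\\n    ".join(sorted(found[key]))
        lines.append(f"{key}=\\\n    {values}")
    return "\n".join(lines)

if __name__ == "__main__":
    found, unmapped = collect_denials(SAMPLE_LOG)
    print(render_pacl(found))
    print("needs manual review:", sorted(unmapped))
```

Review each generated entry before adding it to the PACL: these values are what gets declared to users of the plugin, so narrow or drop anything the plugin does not actually need.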
Once this is done, you’re ready to distribute your application.