Foren

  1. Startseite
  2. Portal
  3. Liferay 6.0 Security patch references Liferay 6.2 class ?

Liferay 6.0 Security patch references Liferay 6.2 class ?

Guillaume Gauthier, geändert vor 8 Jahren.

Liferay 6.0 Security patch references Liferay 6.2 class ?

New Member Beiträge: 7 Beitrittsdatum: 23.06.14 Neueste Beiträge
Hello,

I patched my Liferay 6.0.11 using the Cumulative Security Update 5 for Liferay 6.0.11 downloaded here : https://www.liferay.com/fr/group/customer/products/portal/security-vulnerability/cumulative-patches-for-6.0.10-and-6.0.11.
Once I applied this to my Liferay server (bundled with Tomcat), it seems to break the build of my Liferay Plugin SDK.

Here is the error (ant build-service in a portlet):
     [java] Loading jar:file:/home/gugau/Projets/vgf/bundle/tomcat-6.0.29/webapps/ROOT/WEB-INF/lib/portal-impl.jar!/com/liferay/portal/tools/dependencies/portal-tools.properties
     [java] org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.liferay.portal.kernel.xml.SAXReader' defined in class path resource [META-INF/util-spring.xml]: Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: com/liferay/portal/security/xml/SecureXMLFactoryProvider
     [java] 	at org.apache.tools.ant.taskdefs.ExecuteJava.execute(ExecuteJava.java:194)
     [java] 	at org.apache.tools.ant.taskdefs.Java.run(Java.java:771)
     [java] 	at org.apache.tools.ant.taskdefs.Java.executeJava(Java.java:221)
     [java] 	at org.apache.tools.ant.taskdefs.Java.executeJava(Java.java:135)
     [java] 	at org.apache.tools.ant.taskdefs.Java.execute(Java.java:108)
     [java] 	at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:291)
     [java] 	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
     [java] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     [java] 	at java.lang.reflect.Method.invoke(Method.java:597)
     [java] 	at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
     [java] 	at org.apache.tools.ant.Task.perform(Task.java:348)
     [java] 	at org.apache.tools.ant.Target.execute(Target.java:390)
     [java] 	at org.apache.tools.ant.Target.performTasks(Target.java:411)
     [java] 	at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1399)
     [java] 	at org.apache.tools.ant.Project.executeTarget(Project.java:1368)
     [java] 	at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
     [java] 	at org.apache.tools.ant.Project.executeTargets(Project.java:1251)
     [java] 	at org.apache.tools.ant.Main.runBuild(Main.java:809)
     [java] 	at org.apache.tools.ant.Main.startAnt(Main.java:217)
     [java] 	at org.apache.tools.ant.launch.Launcher.run(Launcher.java:280)
     [java] 	at org.apache.tools.ant.launch.Launcher.main(Launcher.java:109)
     [java] Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'com.liferay.portal.kernel.xml.SAXReader' defined in class path resource [META-INF/util-spring.xml]: Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: com/liferay/portal/security/xml/SecureXMLFactoryProvider
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:965)
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:911)
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)
     [java] 	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291)
     [java] 	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
     [java] 	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288)
     [java] 	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:190)
     [java] 	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:580)
     [java] 	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
     [java] 	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
     [java] 	at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:139)
     [java] 	at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:93)
     [java] 	at com.liferay.portal.spring.context.ArrayApplicationContext.<init>(ArrayApplicationContext.java:31)
     [java] 	at com.liferay.portal.spring.util.SpringUtil.loadContext(SpringUtil.java:56)
     [java] 	at com.liferay.portal.util.InitUtil.initWithSpring(InitUtil.java:157)
     [java] 	at com.liferay.portal.tools.servicebuilder.ServiceBuilder.main(ServiceBuilder.java:111)
     [java] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     [java] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     [java] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     [java] 	at java.lang.reflect.Method.invoke(Method.java:597)
     [java] 	at org.apache.tools.ant.taskdefs.ExecuteJava.run(ExecuteJava.java:217)
     [java] 	at org.apache.tools.ant.taskdefs.ExecuteJava.execute(ExecuteJava.java:152)
     [java] 	... 20 more
     [java] Caused by: java.lang.NoClassDefFoundError: com/liferay/portal/security/xml/SecureXMLFactoryProvider
     [java] 	at java.lang.Class.getDeclaredConstructors0(Native Method)
     [java] 	at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389)
     [java] 	at java.lang.Class.getConstructor0(Class.java:2699)
     [java] 	at java.lang.Class.getDeclaredConstructor(Class.java:1985)
     [java] 	at org.springframework.beans.factory.support.SimpleInstantiationStrategy$1.run(SimpleInstantiationStrategy.java:60)
     [java] 	at org.springframework.beans.factory.support.SimpleInstantiationStrategy$1.run(SimpleInstantiationStrategy.java:1)
     [java] 	at java.security.AccessController.doPrivileged(Native Method)
     [java] 	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:58)
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$3.run(AbstractAutowireCapableBeanFactory.java:953)
     [java] 	at java.security.AccessController.doPrivileged(Native Method)
     [java] 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:951)
     [java] 	... 42 more
     [java] Caused by: java.lang.ClassNotFoundException: com.liferay.portal.security.xml.SecureXMLFactoryProvider
     [java] 	at org.apache.tools.ant.AntClassLoader.findClassInComponents(AntClassLoader.java:1361)
     [java] 	at org.apache.tools.ant.AntClassLoader.findClass(AntClassLoader.java:1311)
     [java] 	at org.apache.tools.ant.AntClassLoader.loadClass(AntClassLoader.java:1070)
     [java] 	at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
     [java] 	... 53 more</init></init></init>

I found that when I remove the file lsvcumulative5-ee6011-portal-impl-jdk6.jar provided by the patch from the ROOT/WEB-INF/lib directory I only have this line in the log:
     [java] Loading jar:file:/home/gugau/Projets/vgf/bundle/tomcat-6.0.29/webapps/ROOT/WEB-INF/lib/portal-impl.jar!/com/liferay/portal/tools/dependencies/portal-tools.properties

And the build continues normally.

I looked into this jar and found the class com.liferay.portal.security.xml.SecureXMLFactoryProviderImpl which contains references to the com.liferay.portal.security.xml.SecureXMLFactoryProvider interface only provided in Liferay 6.2 (according to Liferay's javadocs).
So, the loading of the jar fail and make the build crash.

Here is my question: why is this class in the jar provided by the patch ? Have I missed something ?

Thank in advance.
thumbnail
David H Nebinger, geändert vor 8 Jahren.

RE: Liferay 6.0 Security patch references Liferay 6.2 class ?

Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
Guillaume Gauthier:
Here is my question: why is this class in the jar provided by the patch ? Have I missed something ?


Yeah, you missed reporting this via a LESA ticket and getting support for your Liferay EE subscription.

Did they make a mistake? Does the patch have a dependency that you didn't apply?

I don't know, but I do know that support is the way to go to help get it resolved...
Guillaume Gauthier, geändert vor 8 Jahren.

RE: Liferay 6.0 Security patch references Liferay 6.2 class ?

New Member Beiträge: 7 Beitrittsdatum: 23.06.14 Neueste Beiträge
Hello,

I don't have access to Liferay EE support, I only have a partner account used to get the security update. Only the client who I work for have full access to Liferay EE support, he give me Liferay EE developer licence.
Actually, it's not possible to ask access to this account or to ask my client to get support for me. Otherwise, I would have ask Liferay EE support.
However, thank for your answer.

I'm not really familiar with how work Liferay EE support but It seems I can't get help nowhere else than here.
thumbnail
David H Nebinger, geändert vor 8 Jahren.

RE: Liferay 6.0 Security patch references Liferay 6.2 class ?

Liferay Legend Beiträge: 14919 Beitrittsdatum: 02.09.06 Neueste Beiträge
EE support are the ones creating the patches. EE support would be the ones to reissue the corrected patch to remove the 6.2 reference.

The forums have very little to do with EE specific issues such as licensing, patches, etc.

We can really only provide assistance for CE.
thumbnail
Leo Pratlong, geändert vor 8 Jahren.

RE: Liferay 6.0 Security patch references Liferay 6.2 class ?

Expert Beiträge: 363 Beitrittsdatum: 06.07.10 Neueste Beiträge
Hi,

We got it!
There is finally no problem with SecureXMLFactoryProvider for the Liferay execution since all needed classes are present in portal-impl and portal-service cumulative patchs. However, since we've putted portal-service patch (lsvcumulative...-portal-service....jar) in a "liferay-patched" folder (following patching instructions), ANT SDK is not able to find sources in this place.

Although the instruction says to modify catalina.properties to ensure Tomcat to add this folder to its classpath, it does not indicate to make change on ANT SDK. So, true, the portal is running, but we are not able to make a build anymore.

Here is the fix for the ANT SDK (NB that some line number may not be right since I have maybe made other changes in the past). In fact, I just add liferay-patched folder to the classpath of our builds.

diff --git a/liferay-plugins-sdk-6.0-ee-sp1/build-common-plugin.xml b/liferay-plugins-sdk-6.0-ee-sp1/build-common-plugin.xml
index eab1aec..0129bf7 100644
--- a/liferay-plugins-sdk-6.0-ee-sp1/build-common-plugin.xml
+++ b/liferay-plugins-sdk-6.0-ee-sp1/build-common-plugin.xml
@@ -206,7 +206,7 @@
<delete file="docroot/WEB-INF/lib/${plugin.name}-service.jar" />

<path id="service.classpath">
- <fileset dir="${app.server.lib.global.dir}" includes="*.jar" />
+ <fileset dir="${app.server.lib.global.dir}" includes="liferay-patched/*.jar,*.jar" />
<fileset dir="${project.dir}/lib" includes="activation.jar,jsp-api.jar,mail.jar,servlet-api.jar" />
<fileset dir="docroot/WEB-INF/lib" excludes="${plugin.name}-service.jar" includes="*.jar" />
</path>
@@ -722,4 +722,4 @@ Please find a solution that does not require portal-impl.jar.
</else>
</if>
</target>
-</project>
\ No newline at end of file
+</project>
diff --git a/liferay-plugins-sdk-6.0-ee-sp1/build-common.xml b/liferay-plugins-sdk-6.0-ee-sp1/build-common.xml
index 6f9d08a..fc76794 100644
--- a/liferay-plugins-sdk-6.0-ee-sp1/build-common.xml
+++ b/liferay-plugins-sdk-6.0-ee-sp1/build-common.xml
@@ -18,14 +18,14 @@

<path id="plugin.classpath">
<path refid="plugin-lib.classpath" />
- <fileset dir="${app.server.lib.global.dir}" includes="*.jar" />
+ <fileset dir="${app.server.lib.global.dir}" includes="liferay-patched/*.jar,*.jar" />
<fileset dir="${app.server.lib.portal.dir}" includes="annotations.jar,commons-logging.jar,log4j.jar,util-bridges.jar,util-java.jar,util-taglib.jar" />
<fileset dir="${project.dir}/lib" includes="activation.jar,jsp-api.jar,mail.jar,servlet-api.jar" />
</path>

<path id="portal.classpath">
<pathelement location="${app.server.classes.portal.dir}" />
- <fileset dir="${app.server.lib.global.dir}" includes="*.jar" />
+ <fileset dir="${app.server.lib.global.dir}" includes="liferay-patched/*.jar,*.jar" />
<fileset dir="${app.server.lib.portal.dir}" includes="*.jar" />
<fileset dir="${project.dir}/lib" includes="activation.jar,jsp-api.jar,servlet-api.jar" />
</path>
@@ -147,4 +147,4 @@ ECJ was automatically installed. Please rerun your task.
<jvmarg value="-Dplugins.env.eclipse=false" />
</java>
</target>
-</project>
\ No newline at end of file
+</project>


Bye!