I'm developing a plugin with Vaadin 7, and started working with PACL enabled. I soon encountered the following stack trace:
11:13:21,510 ERROR [http-bio-8080-exec-37][render_portlet_jsp:154] java.lang.SecurityException: Attempted to access declared members
    at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
    at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:71)
    at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
    at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
    at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
    at java.lang.Class.checkMemberAccess(Class.java:2157)
    at java.lang.Class.getDeclaredMethods(Class.java:1790)
    at java.lang.Class.initAnnotationsIfNecessary(Class.java:3070)
    at java.lang.Class.getAnnotation(Class.java:3029)
    at com.vaadin.server.UIProvider.getAnnotationFor(UIProvider.java:58)
    at com.vaadin.server.UIProvider.getWidgetset(UIProvider.java:115)
    [...snip...]
The Vaadin code in question apparently tries to read an annotation off a UI class in the Vaadin application (i.e. nothing regarding Liferay should be going on at that point in time). After debugging the code, I ended up at BaseReflectChecker.hasReflect(), where callerClass9 gets evaluated as sun.reflect.annotation.AnnotationType$1 and callerClass7 is evaluated as java.lang.Class.
I found no way to configure this, and reading from the source code, all logic regarding member access in this situation is a hard-coded whitelist in Liferay 6.1.1.
I'm trying to verify: is this issue fixed by http://issues.liferay.com/browse/LPS-30769, and to be released in 6.1.2 at some point in time, or am I facing an unrelated problem?