Hi everyone,

As Ray mentionned, the last LR master let you try the security manager option:
security-manager-enabled=generate

I am working on a Spring-based portlet app, embedding also logback. Using this option, I was able to debug some of PACL settings. But I still get a lot of those messages:

WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to create a class loader
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to access declared members
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get protection domain
WARN [localhost-startStop-1][ReflectChecker:101] Attempted to reflect

The warnings appear at the init phase of logback :

INFO in ch.qos.logback.classic.LoggerContext - Found resource [logback.xml] at [file:.../webapps//WEB-INF/classes/logback.xml]
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to create a class loader
(warnings here...)
INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]

Then, when hot deploying the portlets, I get :

INFO: Initializing Spring root WebApplicationContext
INFO Root WebApplicationContext: initialization started
INFO [XmlWebApplicationContext] Refreshing Root WebApplicationContext: startup date [...]; root of context hierarchy
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to access declared members
WARN [localhost-startStop-1][ReflectChecker:101] Attempted to reflect
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get protection domain
WARN [localhost-startStop-1][RuntimeChecker:101] Attempted to get class loader
...
ERROR Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xxxDAOFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:287)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1073)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:516)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:455)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:192)
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:895)
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:425)
org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:282)
org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:204)
org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
com.liferay.portal.kernel.servlet.SecurePluginContextListener.instantiatingListener(SecurePluginContextListener.java:333)
com.liferay.portal.kernel.servlet.SecurePluginContextListener.instantiatingListeners(SecurePluginContextListener.java:157)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.doInvokeDeploy(ServletContextListenerHotDeployListener.java:71)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:36)
com.liferay.portal.deploy.hot.HotDeployImpl.doFireDeployEvent(HotDeployImpl.java:186)
com.liferay.portal.deploy.hot.HotDeployImpl.fireDeployEvent(HotDeployImpl.java:95)
...
Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:506)
org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:284)
...
Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
java.security.AccessController.checkPermission(AccessController.java:549)
com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
org.springframework.util.ReflectionUtils.makeAccessible(ReflectionUtils.java:386)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:501)
...
ERROR [localhost-startStop-1][HotDeployImpl:189] com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for
com.liferay.portal.kernel.deploy.hot.HotDeployException: Error registering servlet context listeners for at
com.liferay.portal.kernel.deploy.hot.BaseHotDeployListener.throwHotDeployException(BaseHotDeployListener.java:46)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.invokeDeploy(ServletContextListenerHotDeployListener.java:39)
com.liferay.portal.deploy.hot.HotDeployImpl.doFireDeployEvent(HotDeployImpl.java:186)
com.liferay.portal.deploy.hot.HotDeployImpl.fireDeployEvent(HotDeployImpl.java:95)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
...
Caused by: java.lang.reflect.InvocationTargetException at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
com.liferay.portal.deploy.hot.ServletContextListenerHotDeployListener.doInvokeDeploy(ServletContextListenerHotDeployListener.java:71)
...
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xxxDAOFactory': Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:287)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1073)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:516)
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:455)
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
...
Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private YyyDAO XxxDAOFactory.yyyDAO; nested exception is java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:506)
org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:84)
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:284)
...
Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
java.security.AccessController.checkPermission(AccessController.java:549)
com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:287)
...

Do anyone know about a method to intercept all security exceptions, and how to deal with ? I guess that most of my problems come from objects that are not listed in security-manager-get-bean-property and security-manager-set-bean-property.

Thanks in advance,
Philippe

Philippe can you create a base test case plugin which causes the issue and I will test it (and attach it to this thread?).

A couple of notes:
First


This should technically only happen if the target class of the accessibility change comes from a classloader foreign of your plugin (i.e. which could be a malicious attempt to change the accessibility of Members in outside classes. However, perhaps autowire is sufficiently confusing to cause the failure when the class is not actually foreign, and I think I have an idea why that might be. A base code from you would help me quickly solve that problem.

Second Unless they actually cause problems for your application, these warnings:

should be harmless and allow you to continue.

Thanks Ray,

In what form would you prefer ?

I guess I can provide you with something simple around the logback problem. About the Spring injection, my app is becoming big, so I must think about narrowing the test case around the problem.

Philippe

If the logback issue is actually breaking then sure a sample app that shows that alone would be very helpful. (I wasn't clear whether it was just warnings coming up because of it or it was failing completely.)

In case of the spring autowire issue, a minimalistic test case plugin would be great as well. The reason It would be great if it came from outside, namely from you, then I know with certainty that I'm not using some trick without realizing it to make things work. If you send me a plugin which you are sure is causing the same issue, and I test exactly that code, we eliminate discrepancies in the "implementation" which could become suspect.

Hi Ray,

I have built a pure Spring portlet, with the environment we use, for testing purpose. It uses ContextLoaderListener and RequestContextFilter (in web.xml).

In logback.xml, logback as well as Spring bean generation is in debug mode. With this sample, some extra logs are done in the servlet container log directory.

Using generate option for security-manager-enabled, you can see those warnings:
- WARN [RuntimeChecker:101] Attempted to get protection domain
- WARN [RuntimeChecker:101] Attempted to get class loader
- WARN [RuntimeChecker:101] Attempted to access declared members

Here are some extra remarks I have found.

1. security-manager-enabled generates security-manager-environment-variables=\*, I guess it means security-manager-environment-variables=\\*.

2. PortletContext.getRealPath("/") returns a copy of the portlet directory in the temp directory, instead of the 'real' portlet directory. We would like to let admins upload some configuration files (such as Spring translation 'messages.properties' files) into the WEB-INF directory, and we use the 'edit_defaults' mode for that, as declared in resource-actions/spring-portlet.xml. It seems that this is not possible anymore. Are Control Panel portlets allowed to upload into the WEB-INF directory, just like admins are allowed to install portlets using the Control Panel ?

Thanks, Ray, for your help.
Philippe

Hello again Ray,



Your remark about a classloader foreign to my portlet reminds me that I use also cglib.

Should I add a test explicitely using cglib in the sample portlet ?

Philippe

Sorry Ray,

I forgot to add in WEB-INF/spring/portlet-context.xml, just before <context:component-scan...> :

<bean class="org.springframework.web.portlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
<bean class="org.springframework.web.portlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>

Philippe

Thank you very much Philippe. I'll test these out as soon as I get a chance.

I appreciate the effort.

You are welcomed. Feel free to ask me about any further information on this sample portlet.

I have created LPS-34370 on the same subject, with the same posted project - without a small bug in the sample posted here. But the idea is the same.

Hope this helps, and thanks Ray for your test,
Philippe

Hey Philippe,

I've been working on this the last couple of days.

First thing, I solved the spring problems I think I have eliminated most cases that were problematic:

#1 tune the default logging (simple fix)
#2 don't hide unhandled errors while "generate" is enabled (bug)
#3 new property for RuntimePermission "createClassLoader" (sys admins: allow plugins that have this at own risk)
#4 new property for RuntimePermission "getProtectionDomain" (sys admins: allow plugins that have this at own risk)
#5 avoid many cases where the "checkMemberAccess" permission check is against own code

Lastly, logback WOW this one is very bad. I'm not entirely sure why this library does what it does, but it basically wants unrestricted access to the classloader of any class in the stack. I'm not sure what to do about it. I actually filled a bug for it: http://jira.qos.ch/browse/LOGBACK-880

I also got the logback source, and tried to fix it myself. I working on this at the moment, but I'm not confident that I'll solve this in short order. Basically, logback will require one to get the classloader of any class and that effectively means you need to create a WEB-INF/java.policy file which contains:



which I hope everyone can see is a frightfully wide permission to have to grant a plugin.

I believe I managed to solve the logback issue.

I will send a pull request for future versions of logback to work correctly with security enabled.

Lastly, I get a NullPointerException when trying to update the "preferences" and I'm not sure if it's a PACL related issue, or a bug in the sample code. I don't have the java source so I can't tell.

If you could attach a portlet which includes the source code? That would be really great!

Hi Ray,

We really thank you for having worked on this.



Because of the class-loading issue of logback, we are trying to go back to Log4j.

In fact, we badly need to use a system property in log4j.properties, that is not necessarily set by the user. So we ended using a ServletContextListener as a listener in web.xml. But we just discovered that our listener is not loaded by Liferay 6.1.x with security-manager enabled (LPS-37587) !!!

So we are kind of trapped right now on this issue :-(

About the other problems, namely class-loading, domain protection and reflection, we have kind of succeeded in getting around them, so they are no more that critical.

Philippe

Hi again,



Here is the code, hope this will help you.

Philippe