Philippe Tran
PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 12:17

Hi everyone,

I have a Spring form displaying a dynamic list of <select>, just like:

    ...
    <%@ taglib prefix="sf" uri="http://www.springframework.org/tags/form" %>
    <sf:form method="post" action="${navigationActionURL}" commandName="navCommand">
      <c:forEach var="parm" items="${parameters}" varStatus="parmStatus">
        <p><sf:label path="parameters[${parm.key}]"><c:out value="${parm.label}"/></sf:label>
        <sf:select path="parameters[${parm.key}]">
          <sf:option value="" label="${parm.option}"/>
          <c:if test="${parm.options != null && fn:length(parm.options) > 0}">
            <sf:options items="${parm.options}" itemValue="valueEncoded" itemLabel="label"/>
          </c:if>
        </sf:select></p>
      </c:forEach>
    </sf:form>


Everything works OK.

With security-manager enabled, I get a java.lang.SecurityException: Attempted to access declared members,
with this stack trace:

at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:262)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:73)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2159)
at java.lang.Class.getDeclaredMethods(Class.java:1792)

at org.springframework.core.convert.support.IdToEntityConverter.getFinder(IdToEntityConverter.java:69)
at org.springframework.core.convert.support.IdToEntityConverter.matches(IdToEntityConverter.java:52)
at org.springframework.core.convert.support.GenericConversionService$MatchableConverters.matchConverter(GenericConversionService.java:500)
at org.springframework.core.convert.support.GenericConversionService.matchConverter(GenericConversionService.java:411)
at org.springframework.core.convert.support.GenericConversionService.getMatchingConverterForTarget(GenericConversionService.java:371)
at org.springframework.core.convert.support.GenericConversionService.findConverterForClassPair(GenericConversionService.java:301)
at org.springframework.core.convert.support.GenericConversionService.getConverter(GenericConversionService.java:220)
at org.springframework.core.convert.support.GenericConversionService.canConvert(GenericConversionService.java:135)
at org.springframework.validation.AbstractPropertyBindingResult.formatFieldValue(AbstractPropertyBindingResult.java:123)
at org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:228)
at org.springframework.web.servlet.support.BindStatus.<init>(BindStatus.java:120)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getBindStatus(AbstractDataBoundFormElementTag.java:174)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getPropertyPath(AbstractDataBoundFormElementTag.java:194)
at org.springframework.web.servlet.tags.form.LabelTag.autogenerateFor(LabelTag.java:129)
at org.springframework.web.servlet.tags.form.LabelTag.resolveFor(LabelTag.java:119)
at org.springframework.web.servlet.tags.form.LabelTag.writeTagContent(LabelTag.java:89)
at org.springframework.web.servlet.tags.form.AbstractFormTag.doStartTagInternal(AbstractFormTag.java:102)
at org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:79)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspx_meth_sf_005flabel_005f0(navigator_jsp.java:732)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspService(navigator_jsp.java:303)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:229)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
at org.springframework.web.servlet.ViewRendererServlet.renderView(ViewRendererServlet.java:114)
at org.springframework.web.servlet.ViewRendererServlet.processRequest(ViewRendererServlet.java:86)
at org.springframework.web.servlet.ViewRendererServlet.doGet(ViewRendererServlet.java:66)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.PortletRequestDispatcherImpl.dispatch(PortletRequestDispatcherImpl.java:323)
at com.liferay.portlet.PortletRequestDispatcherImpl.include(PortletRequestDispatcherImpl.java:105)
at org.springframework.web.portlet.DispatcherPortlet.doRender(DispatcherPortlet.java:1137)
at org.springframework.web.portlet.DispatcherPortlet.render(DispatcherPortlet.java:1092)
at org.springframework.web.portlet.DispatcherPortlet.doRenderService(DispatcherPortlet.java:755)
at org.springframework.web.portlet.FrameworkPortlet.processRequest(FrameworkPortlet.java:522)
at org.springframework.web.portlet.FrameworkPortlet.doDispatch(FrameworkPortlet.java:470)
at javax.portlet.GenericPortlet.render(GenericPortlet.java:233)
at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:100)
at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:64)
at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:111)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:534)
at com.liferay.portlet.InvokerPortletImpl.invokeRender(InvokerPortletImpl.java:607)
at com.liferay.portlet.InvokerPortletImpl.render(InvokerPortletImpl.java:359)
at org.apache.jsp.html.portal.render_005fportlet_jsp._jspService(render_005fportlet_jsp.java:1207)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at com.liferay.portal.servlet.DirectRequestDispatcher.include(DirectRequestDispatcher.java:97)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.doDispatch(PACLRequestDispatcherWrapper.java:90)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.include(PACLRequestDispatcherWrapper.java:54)
at com.liferay.portal.util.PortalImpl.renderPortlet(PortalImpl.java:5158)
at com.liferay.portal.util.PortalUtil.renderPortlet(PortalUtil.java:1569)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:165)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:97)
...


Caused by:
<p><sf:label path="parameters[${parm.key}]"><c:out value="${parm.label}"/></sf:label>

It looks like the Spring "label" tag needs the ReflectPermission, and didn't get it to do its job.

Looking through Liferay 6.1.x code, and specifically BaseReflectChecker.hasReflect(String name, String actions), it seems that the above case is not managed.

So I added this at the end of BaseReflectChecker.hasReflect():

    // Appended to BaseReflectChecker.hasReflect(): walk caller frames 9..30 and
    // grant the reflection check when a compiled JSP (HttpJspBase) is among them.
    for (int i = 9; i <= 30; i++) {
        Class<?> callerClass = Reflection.getCallerClass(i);
        if (callerClass == org.apache.jasper.runtime.HttpJspBase.class) { // && ServerDetector.isTomcat() ???
            //System.out.println("ReflectPermission allowed to '" + name + "' for '" + actions + "' (at level " + i + ")");
            logReflect(callerClass, i);
            return true;
        }
    }


As Ray would write, it is a "working" albeit naive fix.

Do you think it is the right way to do it? Do I need to file a bug?

Philippe
Vilmos Papp
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 13:47
LIFERAY STAFF


Hi Philippe,

Before filing a bug, please try to verify that the issue still exists on current trunk or the latest milestone, as many PACL-related issues have already been fixed by Ray and other core engineers.

If you find it hasn't been fixed yet, please open a JIRA ticket and paste the link to it here so I can watch it. If you have your fix, just submit it as a contributed solution, so we can analyze whether it follows the patterns we use for similar cases.

Cheers,
Vilmos
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 15:12

Hi Vilmos,

I found a similar problem with the action phase. I will check everything with the latest 6.1.x from github, and see what I can do.

Philippe
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 16:07

Hi again Vilmos,

Vilmos Papp:
Before filing a bug, please try to verify that the issue still exists on current trunk or the latest milestone, as many PACL-related issues have already been fixed by Ray and other core engineers.


In fact, I can't check:
- the latest 6.1.x source code is not available (the one in github is really outdated),
- because of LPS-35422, I can't use the latest milestone (from 6.2.0 M5) to test my app.

What should I do?

Philippe
Ray Augé
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 16:11
LIFERAY STAFF


Philippe, I'm also just looking at that bug and it's related to the issue http://issues.liferay.com/browse/LPS-37587 and http://issues.liferay.com/browse/LPS-37483.
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 16:22

Well, Ray, the one I'm describing here is quite different.

It's related to the fact that the <sf:label> Spring tag (and maybe others?) in the JSP page calls getDeclaredMembers() at the render phase. In return, at the action phase, the Spring web data binder, which binds the form to a Spring bean, also calls getDeclaredMembers().

At the end of the chain, the "culprit" is org.springframework.core.convert.support.IdToEntityConverter.getFinder(), which has no reflectPermission. So everything ended with a SecurityException (at least in my patched 6.1.1 ga2). I haven't checked with 6.2.0 Mx - because of the problem I described above.

What do you think about this case?

Philippe
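
An added example (not code from this thread or from Liferay) that models the stack-walk rule from the first post against the render-phase and action-phase paths described above, and against unrelated code that happens to run under a JSP. Jsp, Binder, Converter and OtherPlugin are hypothetical stand-ins, the direct-caller rule is an illustrative alternative rather than Liferay's implementation, and a Java 7/8-era JDK where System.setSecurityManager is still available is assumed.

```java
import java.security.Permission;
// Added example. Jsp, Binder, Converter and OtherPlugin are hypothetical stand-ins for
// HttpJspBase, the Spring data binder, IdToEntityConverter and unrelated plugin code.
public class StackRuleDemo {
    static volatile boolean jspAnywhere;   // true: rule from the thread; false: direct-caller rule
    static class Converter   { static void getFinder() { Object.class.getDeclaredMethods(); } }
    static class OtherPlugin { static void inspect()   { Object.class.getDeclaredMethods(); } }
    static class Binder      { static void bind()      { Converter.getFinder(); } }
    static class Jsp {
        static void service(boolean form) { if (form) Converter.getFinder(); else OtherPlugin.inspect(); }
    }

    static class Policy extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            // Only RuntimePermission("accessDeclaredMembers"), the check made by
            // Class.getDeclaredMethods(), is policed here; everything else is allowed.
            if (!"accessDeclaredMembers".equals(p.getName())) return;
            boolean jspOnStack = false;
            Class<?> direct = null;        // first non-JDK frame = class that called reflection
            for (Class<?> c : getClassContext()) {
                if (c == Jsp.class) jspOnStack = true;
                if (direct == null && c != Policy.class && !c.getName().startsWith("java.")) direct = c;
            }
            boolean ok = jspAnywhere ? jspOnStack : direct == Converter.class;
            if (!ok) throw new SecurityException("Attempted to access declared members");
        }
    }

    static boolean allowed(int scenario) {
        try {
            if (scenario == 0) Jsp.service(true);        // render phase: JSP -> converter
            else if (scenario == 1) Binder.bind();       // action phase: binder -> converter
            else Jsp.service(false);                     // other plugin code reached from a JSP
            return true;
        } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        String[] names = {"render: JSP -> converter", "action: binder -> converter", "other code under JSP"};
        boolean[][] r = new boolean[2][3];
        System.setSecurityManager(new Policy());
        for (int rule = 0; rule < 2; rule++) {
            jspAnywhere = (rule == 0);
            for (int s = 0; s < 3; s++) r[rule][s] = allowed(s);
        }
        System.setSecurityManager(null);   // remove the manager before printing
        for (int s = 0; s < 3; s++)
            System.out.println(names[s] + " | JSP-anywhere: " + r[0][s] + " | direct-caller: " + r[1][s]);
    }
}
```

The action-phase path has no JSP frame on its stack, so a rule keyed on HttpJspBase cannot see it, while the same rule passes any code that a JSP happens to call.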
Ray Augé
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 16:26
LIFERAY STAFF


I haven't tested the scenario exactly yet cause. But I will be on it soon.
Vilmos Papp
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 12, 2013 05:43
LIFERAY STAFF


Hi Philippe,

As Ray has already joined the discussion, I think I cannot give better answers than him. So let's wait a while to see whether he has time to check it, as he wrote.

Cheers,
Vilmos