Vue combinée Vue Plate Arborescence
toggle
Vitaly Lyapin
Issues with PACL
10 janvier 2013 23:21
Réponse

Vitaly Lyapin

Rang: Youngling

Publications: 0

Date d'inscription: 1 novembre 2012

Publications Récentes

Hello!

Seems that Liferay PACL security rules doesn't support some JDBC libraries like orbroker (http://code.google.com/p/orbroker/) and blocks connections to data source. And this cannot be fixed only with PACL settings liferay-plugin-package.property file.
This is blocking issue for us, because we cannot post application into Marketplace with security off.

In our project we got two types of issues:
1. "Attempt to reflect", which is caused by ReflectChecker. This checker doesn't have rules for java.io.ObjectStreamClass which is used by postgres jdbc driver so we got an exception (only few classes are allowed to reflect in Liferay sources).
This appear in Liferay CE 6.1.1+ and in Liferay EE 6.1.20

2. In Liferay CE (but not in EE) we can fix previous issue with adding "security-manager-sockets-connect" with address of our postgres server (no ideas how this affects reflect checker), but this leads to another two problems:
- for production version we must fill "security-manager-sockets-connect" with list of all addresses we want to connect, but this is impossible, because we cannot predict all addresses of DB servers which users can use
- even if we add this addresses, we got another exception with RuntimeChecker: in Liferay sources it allows read file descriptor only from java.lang.ProcessImpl, but in our code we connect to DB via network, and code fail on checking read file descriptor permission from java.net.SocketInputStream.

It will be great if PACL will be more flexible without a lot of hardcoded restrictions.
Raymond Augé
RE: Issues with PACL
15 janvier 2013 12:47
Réponse

Raymond Augé

Rang: Youngling

Publications: 0

Date d'inscription: 7 février 2005

Publications Récentes

We've fixed the socket naming issue with this:

http://issues.liferay.com/browse/LPS-32235

This lets you define the full syntax for SocketPermissions defined here (including wildcards):

http://docs.oracle.com/javase/6/docs/api/java/net/SocketPermission.html

i.e. *:* works to mean any host at any port.
Raymond Augé
RE: Issues with PACL
15 janvier 2013 12:49
Réponse

Raymond Augé

Rang: Youngling

Publications: 0

Date d'inscription: 7 février 2005

Publications Récentes

Regarding the FileDescriptor issue. Can you file a ticket for that specifically with perhaps a minimal test case? It would be it easier to get to it fast.
Raymond Augé
RE: Issues with PACL
15 janvier 2013 13:06
Réponse

Raymond Augé

Rang: Youngling

Publications: 0

Date d'inscription: 7 février 2005

Publications Récentes

Also, there is no such thing I can find as java.net.SocketInputStream in Java6 or Java7. Can you clarify or identify the correct class?
Vitaly Lyapin
RE: Issues with PACL
17 janvier 2013 03:59
Réponse

Vitaly Lyapin

Rang: Youngling

Publications: 0

Date d'inscription: 1 novembre 2012

Publications Récentes

I create task here http://issues.liferay.com/browse/LPS-32386
Sample project and full stack trace included.

Forums

To access the Developer Forum, please login to your Liferay.com account if you are already a registered developer or register to become a developer.