Hi everyone,

I have a Spring form displaying a dynamic list of <select>, just like :



Everything works OK.

With security-manager enabled, I get a java.lang.SecurityException: Attempted to access declared members,
with this stack trace:

at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:262)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:73)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2159)
at java.lang.Class.getDeclaredMethods(Class.java:1792)

at org.springframework.core.convert.support.IdToEntityConverter.getFinder(IdToEntityConverter.java:69)
at org.springframework.core.convert.support.IdToEntityConverter.matches(IdToEntityConverter.java:52)
at org.springframework.core.convert.support.GenericConversionService$MatchableConverters.matchConverter(GenericConversionService.java:500)
at org.springframework.core.convert.support.GenericConversionService.matchConverter(GenericConversionService.java:411)
at org.springframework.core.convert.support.GenericConversionService.getMatchingConverterForTarget(GenericConversionService.java:371)
at org.springframework.core.convert.support.GenericConversionService.findConverterForClassPair(GenericConversionService.java:301)
at org.springframework.core.convert.support.GenericConversionService.getConverter(GenericConversionService.java:220)
at org.springframework.core.convert.support.GenericConversionService.canConvert(GenericConversionService.java:135)
at org.springframework.validation.AbstractPropertyBindingResult.formatFieldValue(AbstractPropertyBindingResult.java:123)
at org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:228)
at org.springframework.web.servlet.support.BindStatus.<init>(BindStatus.java:120)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getBindStatus(AbstractDataBoundFormElementTag.java:174)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getPropertyPath(AbstractDataBoundFormElementTag.java:194)
at org.springframework.web.servlet.tags.form.LabelTag.autogenerateFor(LabelTag.java:129)
at org.springframework.web.servlet.tags.form.LabelTag.resolveFor(LabelTag.java:119)
at org.springframework.web.servlet.tags.form.LabelTag.writeTagContent(LabelTag.java:89)
at org.springframework.web.servlet.tags.form.AbstractFormTag.doStartTagInternal(AbstractFormTag.java:102)
at org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:79)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspx_meth_sf_005flabel_005f0(navigator_jsp.java:732)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspService(navigator_jsp.java:303)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:229)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
at org.springframework.web.servlet.ViewRendererServlet.renderView(ViewRendererServlet.java:114)
at org.springframework.web.servlet.ViewRendererServlet.processRequest(ViewRendererServlet.java:86)
at org.springframework.web.servlet.ViewRendererServlet.doGet(ViewRendererServlet.java:66)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.PortletRequestDispatcherImpl.dispatch(PortletRequestDispatcherImpl.java:323)
at com.liferay.portlet.PortletRequestDispatcherImpl.include(PortletRequestDispatcherImpl.java:105)
at org.springframework.web.portlet.DispatcherPortlet.doRender(DispatcherPortlet.java:1137)
at org.springframework.web.portlet.DispatcherPortlet.render(DispatcherPortlet.java:1092)
at org.springframework.web.portlet.DispatcherPortlet.doRenderService(DispatcherPortlet.java:755)
at org.springframework.web.portlet.FrameworkPortlet.processRequest(FrameworkPortlet.java:522)
at org.springframework.web.portlet.FrameworkPortlet.doDispatch(FrameworkPortlet.java:470)
at javax.portlet.GenericPortlet.render(GenericPortlet.java:233)
at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:100)
at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:64)
at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:111)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:534)
at com.liferay.portlet.InvokerPortletImpl.invokeRender(InvokerPortletImpl.java:607)
at com.liferay.portlet.InvokerPortletImpl.render(InvokerPortletImpl.java:359)
at org.apache.jsp.html.portal.render_005fportlet_jsp._jspService(render_005fportlet_jsp.java:1207)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at com.liferay.portal.servlet.DirectRequestDispatcher.include(DirectRequestDispatcher.java:97)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.doDispatch(PACLRequestDispatcherWrapper.java:90)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.include(PACLRequestDispatcherWrapper.java:54)
at com.liferay.portal.util.PortalImpl.renderPortlet(PortalImpl.java:5158)
at com.liferay.portal.util.PortalUtil.renderPortlet(PortalUtil.java:1569)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:165)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:97)
...

Caused by:
<p><sf:label path="parameters[${parm.key}]"><c:out value="${parm.label}"/></sf:label>

It looks like the Spring "label" tag needs the ReflectPermission, and didn't get it to do its job.

Looking through Liferay 6.1.x code, and specifically BaseReflectChecker.hasReflect(String name, String actions), it seems that the above case is not managed.

So I added this at the end of BaseReflectChecker.hasReflect():



As Ray would write, it is a "working" albeit naive fix.

Do you think it is the right way to do ? Do I need to file a bug ?

Philippe

Hi Philippe,

Before filing a bug, please try to verify that the issue still exists on current trunk or the latest milestone as many PACL related issue is already fixed by Ray and other core engineers.

If you find it haven't fixed it yet, please open a JIRA ticket and paste the link of it to here so I can watch it. If you have your fix just submit as a contributed solution, so we could analyze it whether it follows the patterns we use for similar cases.

Cheers,
Vilmos

Hi Vilmos,

I found a similar problem with the action phase. I will check everything with the latest 6.1.x from github, and see what I can do.

Philippe

Hi again Vilmos,



In fact, I can't check :
- the latest 6.1.x source code is not available (the one in github is really outdated),
- because of LPS-35422, I can't use the latest milestone (from 6.2.0 M5) to test my app.

What should I do ?

Philippe

Philippe, I'm also just looking at that bug and it's related to the issue http://issues.liferay.com/browse/LPS-37587 and http://issues.liferay.com/browse/LPS-37483.

Well, Ray, the one I'm describing here is quite different.

It's related to the fact the <sf:label> Spring tag (and maybe others ?) in JSP page calls getDeclaredMembers() at the render phase. In return, at the action phase, the Spring web data binder, that binds the form to a Spring bean, also calls getDeclaredMembers().

At the end of the chain, the "culprit" is org.springframework.core.convert.support.IdToEntityConverter.getFinder(), that has no reflectPermission. So everything ended with a SecurityException (at least in my patched 6.1.1 ga2). I haven't checked with 6.2.0 Mx - because of the problem I described above.

What do you think about this case ?

Philippe

I haven't tested the scenario exactly yet cause. But I will be on it soon.

Hi Philippe,

As Ray already joined the discussion I think I cannot give better answers than him. So let's wait for a while whether he has time to check it as he wrote.

Cheers,
Vilmos