Vitaly Lyapin
Issues with PACL
2013/01/10 23:21

Rank: New Member

Posts: 4

Joined: 2012/11/01

Hello!

It seems that Liferay PACL security rules don't support some JDBC libraries like orbroker (http://code.google.com/p/orbroker/) and block connections to the data source. And this cannot be fixed with PACL settings in the liferay-plugin-package.properties file alone.
This is a blocking issue for us, because we cannot post the application to the Marketplace with security off.

In our project we got two types of issues:
1. "Attempt to reflect", which is caused by ReflectChecker. This checker doesn't have rules for java.io.ObjectStreamClass, which is used by the postgres jdbc driver, so we got an exception (only a few classes are allowed to reflect in Liferay sources).
This appears in Liferay CE 6.1.1+ and in Liferay EE 6.1.20.

2. In Liferay CE (but not in EE) we can fix the previous issue by adding "security-manager-sockets-connect" with the address of our postgres server (no idea how this affects the reflect checker), but this leads to another two problems:
- for the production version we must fill "security-manager-sockets-connect" with a list of all addresses we want to connect to, but this is impossible, because we cannot predict all the addresses of DB servers which users can use
- even if we add these addresses, we get another exception from RuntimeChecker: in Liferay sources it allows reading the file descriptor only from java.lang.ProcessImpl, but in our code we connect to the DB via the network, and the code fails on checking the read file descriptor permission from java.net.SocketInputStream.

It would be great if PACL were more flexible, without a lot of hardcoded restrictions.
Ray Augé
RE: Issues with PACL
2013/01/15 12:47

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Joined: 2005/02/07

We've fixed the socket naming issue with this:

http://issues.liferay.com/browse/LPS-32235

This lets you define the full syntax for SocketPermissions defined here (including wildcards):

http://docs.oracle.com/javase/6/docs/api/java/net/SocketPermission.html

i.e. *:* works to mean any host at any port.
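
Added example (not part of the original post and not Liferay code): the standard java.net.SocketPermission.implies check applied to the *:* wildcard mentioned above and to two narrower grants, showing how much each one covers. The class name SocketGrantCheck and all addresses are constructed for illustration; IP literals are used so that no DNS lookup takes place.

```java
import java.net.SocketPermission;

// Added example: compares how broad each SocketPermission "connect" grant is.
// All addresses are constructed sample values, not taken from the thread.
public class SocketGrantCheck {

    // True when a grant for grantTarget covers a "connect" to requestTarget.
    static boolean covers(String grantTarget, String requestTarget) {
        SocketPermission grant = new SocketPermission(grantTarget, "connect");
        SocketPermission request = new SocketPermission(requestTarget, "connect");
        return grant.implies(request);
    }

    public static void main(String[] args) {
        String[] grants = {
            "*:*",            // any host, any port (the wildcard from the post)
            "*:5432",         // any host, PostgreSQL default port only
            "10.0.0.5:5432"   // a single database endpoint
        };
        String[] requests = {
            "10.0.0.5:5432",  // the intended database
            "10.0.0.9:5432",  // a different database host
            "10.0.0.9:22"     // an unrelated service on another port
        };
        // Print one line per grant/request pair so the scope of each grant is visible.
        for (String g : grants) {
            for (String r : requests) {
                String verdict = covers(g, r) ? "allowed" : "denied";
                System.out.printf("%-15s -> %-15s %s%n", g, r, verdict);
            }
        }
    }
}
```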
Ray Augé
RE: Issues with PACL
2013/01/15 12:49

Regarding the FileDescriptor issue: can you file a ticket for that specifically, with perhaps a minimal test case? It would make it easier to get to it fast.
Ray Augé
RE: Issues with PACL
2013/01/15 13:06

Also, there is no such thing I can find as java.net.SocketInputStream in Java6 or Java7. Can you clarify or identify the correct class?
Vitaly Lyapin
RE: Issues with PACL
2013/01/17 3:59

I created a task here: http://issues.liferay.com/browse/LPS-32386
Sample project and full stack trace included.