Hello!
I'm also trying to get our portlet to work with Alexey Kakunin. Here are my questions about these problems:

RuntimeChecker needs configuration for environment variables.
Very strange condition for allowing access to environment variables in com.liferay.portal.security.pacl.checker.RuntimeChecker:
    protected boolean hasGetEnv(String name) {
        Class<?> callerClass7 = Reflection.getCallerClass(7);

        if (callerClass7 == AbstractApplicationContext.class) {
            logGetEnv(callerClass7, 7, name);

            return true;
        }
        ...
For example, we are using the svn-kit library, which requires access to an environment variable. But in Liferay, we cannot configure it for a specific variable name or for all variables.

RuntimeChecker security check hasWriteFileDescriptor
In Liferay it allows writing a file descriptor only from java.lang.ProcessImpl, but in our code a file is downloaded from the network, and the code checks permission to write a file descriptor from java.net.SocketOutputStream.
    protected boolean hasWriteFileDescriptor() {
        if (JavaDetector.isJDK7()) {
            Class<?> callerClass9 = Reflection.getCallerClass(9);
            String callerClassName9 = callerClass9.getName();
            if (callerClassName9.startsWith(_CLASS_NAME_PROCESS_IMPL) &&
                CheckerUtil.isAccessControllerDoPrivileged(10)) {
                logWriteFileDescriptor(callerClass9, 9);
                return true;
            }
        }
        ...
RuntimeChecker does not support permission (java.lang.RuntimePermission loadLibrary.jnidispatch)
svn-kit uses jna-3.2.3.jar, which tries to load a native library at runtime. It is a very specific usage for a portlet. But maybe it would be nice if Liferay provided some API to configure additional custom permissions like this.

These problems are blocking for us.

I also want to propose one enhancement:

FileChecker needs separate constants for executables from the system variable PATH, not <<ALL FILES>>.
For example: Java tries to run cmd.exe or sh, but FileChecker replaces these files with the constant <<ALL FILES>> because the path is not absolute.

By Liferay I mean Liferay CE 6.1 GA2.
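
The per-name configuration requested in this post can be expressed with the standard java.security permission classes, where `getenv.<name>` and `loadLibrary.<name>` are scoped by name and `getenv.*` is a wildcard. The sketch below is an added example, not part of the original post and not Liferay code; the class name, the `example.*` property keys and the sample variable names are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.security.Permission;
import java.security.Permissions;
import java.util.Properties;

public class PortletPermissionAllowList {

    // Build a permission collection from a properties-style allow-list.
    // The "example.*" keys are hypothetical, not Liferay settings.
    static Permissions fromConfig(String config) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(config));
        Permissions granted = new Permissions();
        addAll(granted, "getenv.", props.getProperty("example.allowed-env", ""));
        addAll(granted, "loadLibrary.", props.getProperty("example.allowed-libraries", ""));
        return granted;
    }

    static void addAll(Permissions granted, String prefix, String csv) {
        for (String name : csv.split(",")) {
            name = name.trim();
            if (!name.isEmpty()) {
                // A value of "*" yields e.g. getenv.*, which BasicPermission
                // treats as a wildcard covering every name under the prefix.
                granted.add(new RuntimePermission(prefix + name));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration for one plugin.
        String config = "example.allowed-env=SVN_SSH,HOME\n"
            + "example.allowed-libraries=jnidispatch\n";
        Permissions granted = fromConfig(config);

        Permission[] requested = {
            new RuntimePermission("getenv.SVN_SSH"),          // listed by name
            new RuntimePermission("getenv.PATH"),             // not listed
            new RuntimePermission("loadLibrary.jnidispatch"), // listed by name
            new RuntimePermission("writeFileDescriptor"),     // never granted here
        };
        for (Permission p : requested) {
            System.out.println((granted.implies(p) ? "ALLOW " : "DENY  ") + p.getName());
        }
    }
}
```

Granting by exact name keeps the allow-list at least privilege: only the variables and native libraries a plugin declares are reachable, and everything else is denied by default.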