Combination View Flat View Tree View
toggle
Philippe Tran
PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 12:17 PM
Answer

Philippe Tran

Rank: Youngling

Posts: 0

Join Date: January 22, 2009

Recent Posts

Hi everyone,

I have a Spring form displaying a dynamic list of <select>, just like :

 1...
 2<%@ taglib prefix="sf" uri="http://www.springframework.org/tags/form" %>
 3<sf:form method="post" action="${navigationActionURL}" commandName="navCommand">
 4  <c:forEach var="parm" items="${parameters}" varStatus="parmStatus">
 5    <p><sf:label path="parameters[${parm.key}]"><c:out value="${parm.label}"/></sf:label>
 6    <sf:select path="parameters[${parm.key}]">
 7      <sf:option value="" label="${parm.option}"/>
 8      <c:if test="${parm.options != null && fn:length(parm.options) > 0}">
 9        <sf:options items="${parm.options}" itemValue="valueEncoded" itemLabel="label"/>
10      </c:if>
11    </sf:select></p>
12  </c:forEach>
13</sf:form>


Everything works OK.

With security-manager enabled, I get a java.lang.SecurityException: Attempted to access declared members,
with this stack trace:

at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:262)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:73)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2159)
at java.lang.Class.getDeclaredMethods(Class.java:1792)

at org.springframework.core.convert.support.IdToEntityConverter.getFinder(IdToEntityConverter.java:69)
at org.springframework.core.convert.support.IdToEntityConverter.matches(IdToEntityConverter.java:52)
at org.springframework.core.convert.support.GenericConversionService$MatchableConverters.matchConverter(GenericConversionService.java:500)
at org.springframework.core.convert.support.GenericConversionService.matchConverter(GenericConversionService.java:411)
at org.springframework.core.convert.support.GenericConversionService.getMatchingConverterForTarget(GenericConversionService.java:371)
at org.springframework.core.convert.support.GenericConversionService.findConverterForClassPair(GenericConversionService.java:301)
at org.springframework.core.convert.support.GenericConversionService.getConverter(GenericConversionService.java:220)
at org.springframework.core.convert.support.GenericConversionService.canConvert(GenericConversionService.java:135)
at org.springframework.validation.AbstractPropertyBindingResult.formatFieldValue(AbstractPropertyBindingResult.java:123)
at org.springframework.validation.AbstractBindingResult.getFieldValue(AbstractBindingResult.java:228)
at org.springframework.web.servlet.support.BindStatus.<init>(BindStatus.java:120)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getBindStatus(AbstractDataBoundFormElementTag.java:174)
at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getPropertyPath(AbstractDataBoundFormElementTag.java:194)
at org.springframework.web.servlet.tags.form.LabelTag.autogenerateFor(LabelTag.java:129)
at org.springframework.web.servlet.tags.form.LabelTag.resolveFor(LabelTag.java:119)
at org.springframework.web.servlet.tags.form.LabelTag.writeTagContent(LabelTag.java:89)
at org.springframework.web.servlet.tags.form.AbstractFormTag.doStartTagInternal(AbstractFormTag.java:102)
at org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:79)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspx_meth_sf_005flabel_005f0(navigator_jsp.java:732)
at org.apache.jsp.WEB_002dINF.jsp.navigator_jsp._jspService(navigator_jsp.java:303)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:229)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
at org.springframework.web.servlet.ViewRendererServlet.renderView(ViewRendererServlet.java:114)
at org.springframework.web.servlet.ViewRendererServlet.processRequest(ViewRendererServlet.java:86)
at org.springframework.web.servlet.ViewRendererServlet.doGet(ViewRendererServlet.java:66)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:70)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.PortletRequestDispatcherImpl.dispatch(PortletRequestDispatcherImpl.java:323)
at com.liferay.portlet.PortletRequestDispatcherImpl.include(PortletRequestDispatcherImpl.java:105)
at org.springframework.web.portlet.DispatcherPortlet.doRender(DispatcherPortlet.java:1137)
at org.springframework.web.portlet.DispatcherPortlet.render(DispatcherPortlet.java:1092)
at org.springframework.web.portlet.DispatcherPortlet.doRenderService(DispatcherPortlet.java:755)
at org.springframework.web.portlet.FrameworkPortlet.processRequest(FrameworkPortlet.java:522)
at org.springframework.web.portlet.FrameworkPortlet.doDispatch(FrameworkPortlet.java:470)
at javax.portlet.GenericPortlet.render(GenericPortlet.java:233)
at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:100)
at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:64)
at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:111)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:593)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:530)
at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:534)
at com.liferay.portlet.InvokerPortletImpl.invokeRender(InvokerPortletImpl.java:607)
at com.liferay.portlet.InvokerPortletImpl.render(InvokerPortletImpl.java:359)
at org.apache.jsp.html.portal.render_005fportlet_jsp._jspService(render_005fportlet_jsp.java:1207)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at com.liferay.portal.servlet.DirectRequestDispatcher.include(DirectRequestDispatcher.java:97)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.doDispatch(PACLRequestDispatcherWrapper.java:90)
at com.liferay.portal.servlet.PACLRequestDispatcherWrapper.include(PACLRequestDispatcherWrapper.java:54)
at com.liferay.portal.util.PortalImpl.renderPortlet(PortalImpl.java:5158)
at com.liferay.portal.util.PortalUtil.renderPortlet(PortalUtil.java:1569)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:165)
at com.liferay.portlet.layoutconfiguration.util.RuntimePortletImpl.processPortlet(RuntimePortletImpl.java:97)
...


Caused by:
<p><sf:label path="parameters[${parm.key}]"><c:out value="${parm.label}"/></sf:label>

It looks like the Spring "label" tag needs the ReflectPermission, and didn't get it to do its job.

Looking through Liferay 6.1.x code, and specifically BaseReflectChecker.hasReflect(String name, String actions), it seems that the above case is not managed.

So I added this at the end of BaseReflectChecker.hasReflect():

 1for (int i = 9; i <= 30; i++) {
 2    Class callerClass = Reflection.getCallerClass(i);
 3    if (callerClass == org.apache.jasper.runtime.HttpJspBase.class) // && ServerDetector.isTomcat() ???
 4    {
 5        //System.out.println("ReflectPermission allowed to '" + name + "' for '" + actions + "' (at level " + i + ")");
 6        logReflect(callerClass, i);
 7        return true;
 8    }
 9}


As Ray would write, it is a "working" albeit naive fix.

Do you think it is the right way to do ? Do I need to file a bug ?

Philippe
Vilmos Papp
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 1:47 PM
Answer

Vilmos Papp

Rank: Youngling

Posts: 0

Join Date: October 21, 2010

Recent Posts

Hi Philippe,

Before filing a bug, please try to verify that the issue still exists on current trunk or the latest milestone as many PACL related issue is already fixed by Ray and other core engineers.

If you find it haven't fixed it yet, please open a JIRA ticket and paste the link of it to here so I can watch it. If you have your fix just submit as a contributed solution, so we could analyze it whether it follows the patterns we use for similar cases.

Cheers,
Vilmos
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 3:12 PM
Answer

Philippe Tran

Rank: Youngling

Posts: 0

Join Date: January 22, 2009

Recent Posts

Hi Vilmos,

I found a similar problem with the action phase. I will check everything with the latest 6.1.x from github, and see what I can do.

Philippe
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 4:07 PM
Answer

Philippe Tran

Rank: Youngling

Posts: 0

Join Date: January 22, 2009

Recent Posts

Hi again Vilmos,

Vilmos Papp:
Before filing a bug, please try to verify that the issue still exists on current trunk or the latest milestone as many PACL related issue is already fixed by Ray and other core engineers.


In fact, I can't check :
- the latest 6.1.x source code is not available (the one in github is really outdated),
- because of LPS-35422, I can't use the latest milestone (from 6.2.0 M5) to test my app.

What should I do ?

Philippe
Raymond Augé
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 4:11 PM
Answer

Raymond Augé

Rank: Youngling

Posts: 0

Join Date: February 7, 2005

Recent Posts

Philippe, I'm also just looking at that bug and it's related to the issue http://issues.liferay.com/browse/LPS-37587 and http://issues.liferay.com/browse/LPS-37483.
Philippe Tran
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 4:22 PM
Answer

Philippe Tran

Rank: Youngling

Posts: 0

Join Date: January 22, 2009

Recent Posts

Well, Ray, the one I'm describing here is quite different.

It's related to the fact the <sf:label> Spring tag (and maybe others ?) in JSP page calls getDeclaredMembers() at the render phase. In return, at the action phase, the Spring web data binder, that binds the form to a Spring bean, also calls getDeclaredMembers().

At the end of the chain, the "culprit" is org.springframework.core.convert.support.IdToEntityConverter.getFinder(), that has no reflectPermission. So everything ended with a SecurityException (at least in my patched 6.1.1 ga2). I haven't checked with 6.2.0 Mx - because of the problem I described above.

What do you think about this case ?

Philippe
Raymond Augé
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 11, 2013 4:26 PM
Answer

Raymond Augé

Rank: Youngling

Posts: 0

Join Date: February 7, 2005

Recent Posts

I haven't tested the scenario exactly yet cause. But I will be on it soon.
Vilmos Papp
RE: PACL, ReflectPermission and Spring form tag on Liferay 6.1.x
July 12, 2013 5:43 AM
Answer

Vilmos Papp

Rank: Youngling

Posts: 0

Join Date: October 21, 2010

Recent Posts

Hi Philippe,

As Ray already joined the discussion I think I cannot give better answers than him. So let's wait for a while whether he has time to check it as he wrote.

Cheers,
Vilmos

Forums

To access the Developer Forum, please login to your Liferay.com account if you are already a registered developer or register to become a developer.