Hi all,

We realize that working with PACL/Security Manager takes some time and experience to build into your apps, so we're going to put together a team to help in answering some of the questions and issues that all of you may be having. We hope to have this ready soon - I'll provide updates as I get them.

Thanks everyone for your comments and feedback.

Hi Brian,

We are really looking forward to help from this team. We have several portlets ready which we would love to publish!

Thanks,
Maarten

Hi all,

As Brian mentions, we have put a team together to help Marketplace Developers work through the PACL issues you are facing. Some issues are configuration issues, others are due to PACL bugs. The triage team can help you figure out whether you simply have missing config, or have found a bug in PACL. I'm going to be on this team, as your community liaison (also known as Chief Pestering Officer) We'll go about it like this:

1. Develop your app following the official developer documentation (and Security Manager disabled)
2. After you're satisfied that your app works with the Security Manager disabled, turn it on
3. Go through the test->edit->repeat cycle to make a best effort at identifying and including all of the PACL resource declarations necessary for your app, using the official Security Manager docs.
4. If you believe you've done everything right, and you're still having issues related to PACL that you cannot solve, post your issue in this forum category (the one where this message is). Our triage team will engage with you and see attempt to determine if there really is a bug, or just missing configuration. You could also post an issue at issues.liferay.com but the triage team will be watching here and it is my hope that most issues are configuration issues and not really bugs in Liferay.

As mentioned, we have seen that most PACL issues fall into two main categories:

1. Missing PACL configuration. PACL is very granular, and requires that you declare all of the protected resources that your app might ever require during its execution. The documentation suggests you first develop your app with PACL disabled, then when you're all done, enable it, and exercise your app to discover which protected resources it requires. This is pretty tedious as of now, requiring multiple test->edit config->repeat cycles (and developers are investigating how to improve the developer experience going forward).

2. PACL Bugs. There are few already. Working with the triage team via this forum is the best way to discover whether you are hitting a bug. If you indeed discover a bug, the triage team will help you to file the issue at issues.liferay.com and get it fixed as quickly as possible.

So please give it a go, and post issues here, and we'll hopefully be able to resolve them as quickly as possible.

When those PACL be fixed, which requires a new Liferay relase, I'll be back to the Marketplace. It has no sense to fight with a poorly documented security environment that doesn't event work.

Can you help me out to solve this problem ?

Thank You !!!

Speaking on behave of the community, I have to say it is very disappointing to see that there haven't been any update to this thread from liferay.com since last November.

http://www.liferay.com/community/forums/-/message_boards/message/18999112

Yes, it's quite sad.

Honestly, It was a terrible mistake on my part how PACL unfolded. I regret a great many things about it, mostly how it has adversly affected our community of developers.

With that I offer my sincere appologies and I will try to work from this point to attempt to resolve the issues.

1) I think what I will do is first to document and otherwise simply help people to fix or be aware of how certain things work. I hope that will be a first good step.
2) I have it in mind to create a plugin (I'm just now starting for forumate ideas on how to do this) which will run along with the developer environment which will do it's best to generate a valid security settings profile for the deployed plugins, based on execution of the plugin. a) it will replace the security checkers/manager (not sure yet) with one which tracks rather than checks. b) as the developer uses their plugin, the security profile will be automatically created.

Hey All,

I wanted to let everyone know that help is really coming in the form of a tool baked into the portal.

I'm dubing it temporarily Liferay's PACL Policy Generator (a.k.a. PPG)

You can watch it's progress via this JIRA issue: http://issues.liferay.com/browse/LPS-32200

Also, you can take a quick look at the workflow outlined in that ticket but also here: https://gist.github.com/4494206

You'll see the result of testing this against the sample-service-builder-portlet and generated in less than a 2 minutes running a QA cycle through that app. A complete and functional policy was the result which was litteraly copy and pasted (as it's already nicely formatted with key and value sorting).

We're hoping that this will quickly be available to everyone in the next GA(3) release(s) (which you will note that James officially announced quietly hints at here: http://www.liferay.com/community/forums/-/message_boards/view_message/17329080#_19_message_19073288).

I'm hoping that this significantly simplifies the process of getting your plugins into the marketplace (at least making the PACL step much simpler).

Of course, feedback is always welcome!

Great job Ray, it will be excelent tool for all Marketplace developers.

Thanks very much Ray.

This was the only missing piece!

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly.

¿Is this the famous PACL problem?

Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: file [C:\B2B\Arquitectura\ComponentesMarket
Place\ImageViewer\LiferayWorkspace\bundle\tomcat-7.0.27\temp\3-2012-01-14-CommunityRelease-6.1.20.1\WEB-INF\classes\com\b2b2000\imageviewer\web\controller\EditC
ontroller.class]; nested exception is java.lang.SecurityException: Attempted to access declared members
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvide
r.java:237)
at org.springframework.context.annotation.ClassPathBeanDefinitionScanner.doScan(ClassPathBeanDefinitionScanner.java:204)
at org.springframework.context.annotation.ComponentScanBeanDefinitionParser.parse(ComponentScanBeanDefinitionParser.java:84)
at org.springframework.beans.factory.xml.NamespaceHandlerSupport.parse(NamespaceHandlerSupport.java:73)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1338)
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1328)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:124)
at org.springframework.web.portlet.context.XmlPortletApplicationContext.loadBeanDefinitions(XmlPortletApplicationContext.java:92)
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
at org.springframework.web.portlet.FrameworkPortlet.createPortletApplicationContext(FrameworkPortlet.java:356)
at org.springframework.web.portlet.FrameworkPortlet.initPortletApplicationContext(FrameworkPortlet.java:294)
at org.springframework.web.portlet.FrameworkPortlet.initPortletBean(FrameworkPortlet.java:268)
at org.springframework.web.portlet.GenericPortletBean.init(GenericPortletBean.java:116)
at javax.portlet.GenericPortlet.init(GenericPortlet.java:107)
at com.liferay.portlet.InvokerPortletImpl.init(InvokerPortletImpl.java:256)
at com.liferay.portlet.PortletInstanceFactoryImpl.init(PortletInstanceFactoryImpl.java:221)
at com.liferay.portlet.PortletInstanceFactoryImpl.create(PortletInstanceFactoryImpl.java:140)
at com.liferay.portlet.PortletInstanceFactoryUtil.create(PortletInstanceFactoryUtil.java:41)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.initPortletApp(PortletHotDeployListener.java:598)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.doInvokeDeploy(PortletHotDeployListener.java:328)
at com.liferay.portal.deploy.hot.PortletHotDeployListener.invokeDeploy(PortletHotDeployListener.java:120)
... 25 more
Caused by: java.lang.SecurityException: Attempted to access declared members
at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
at com.liferay.portal.security.pacl.checker.RuntimeChecker.checkPermission(RuntimeChecker.java:71)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2157)
at java.lang.Class.getDeclaredMethods(Class.java:1790)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:86)
at sun.reflect.annotation.AnnotationType$1.run(AnnotationType.java:83)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.annotation.AnnotationType.<init>(AnnotationType.java:82)
at sun.reflect.annotation.AnnotationType.getInstance(AnnotationType.java:66)
at sun.reflect.annotation.AnnotationParser.parseAnnotation(AnnotationParser.java:202)
at sun.reflect.annotation.AnnotationParser.parseAnnotations2(AnnotationParser.java:69)
at sun.reflect.annotation.AnnotationParser.parseAnnotations(AnnotationParser.java:52)
at java.lang.Class.initAnnotationsIfNecessary(Class.java:3070)
at java.lang.Class.getAnnotations(Class.java:3050)
at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:131)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvide
r.java:213)
... 56 more

Yup, that's the one we're working on.

Reflection is pretty broken.

We have 3 engineers working on various aspects of the issue as we speak and we're not going to let GA3 come out without fixing this.

Probably we'll wait to be solved.
Not sure we can find a workaround.

Thanks Ray

Thank you very much Ray! Really appreciate you taking the extra step to get it out so quickly. emoticon