-
place the plugin into generate mode:
security-manager-enabled=generate
-
with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)
-
however, rather than throwing an error on a failed security check (which would cause the plugin to fail), the individual checker which caused the failure will contribute a suggested rule which resolves the failed check
-
the rules will be collected and written (on the fly) to a properties file
-
the default write location is:
${liferay.home}/pacl-policy/${servletContextName}.policy
-
if the developer specifies the property
security-manager-generator-dir=/home/user/paclfoo
then the generated policy file will be written to that path, e.g.:
/home/user/paclfoo/${servletContextName}.policy
-
new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin
-
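once the app is completely tested, and all policy rules are written to the generated policy file, the developer should copy those and merge them with the liferay-plugin-package.properties file in the originating plugin. the generated rules cover only what the app actually did during testing, and they allow everything it did, so read them through before merging (for example, absolute paths taken from the test machine)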
-
revert the property
security-manager-enabled=generate
to
security-manager-enabled=true
-
submit the plugin
Last active
February 2, 2018 00:14
pacl policy process
# | |
# What follows is the policy generated for the sample-service-builder-portlet | |
# | |
# Each key below holds the rules one checker suggested while the plugin ran with
# security-manager-enabled=generate. Every entry is something the plugin was
# observed doing during testing; once merged into
# liferay-plugin-package.properties it becomes an allowed operation, so each
# list is worth reading before it is copied over.

# Model class listed for the expando-bridge check.
security-manager-expando-bridge=\ | |
com.liferay.sampleservicebuilder.model.Foo | |
# Files the plugin read. Two entries are absolute paths under /home/rotty, i.e.
# they come from the machine the policy was generated on; the other two are
# relative names.
# NOTE(review): confirm whether the absolute paths should be replaced before the
# plugin is submitted.
security-manager-files-read=\ | |
./service-ext.properties,\ | |
/home/rotty/global-configuration.properties,\ | |
/home/rotty/service-ext.properties,\ | |
global-configuration.properties | |
# Portal utility classes whose bean properties the plugin read. Entries of the
# form Class#name (dataSource, dynamicDataSourceTargetSource,
# transactionManager) name one property; the others name only the class.
# NOTE(review): presumably a bare class name covers every property of that
# class - confirm against the PACL documentation.
security-manager-get-bean-property=\ | |
com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\ | |
com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\ | |
com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\ | |
com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\ | |
com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\ | |
com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\ | |
com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\ | |
com.liferay.portal.kernel.util.PropsUtil,\ | |
com.liferay.portal.kernel.uuid.PortalUUIDUtil,\ | |
com.liferay.portal.util.PortalUtil,\ | |
com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil | |
# Portal service methods the plugin called, one Class#method per entry. The
# list includes methods that change resource permissions
# (setOwnerResourcePermissions, setResourcePermissions) and several delete*
# methods; check that the plugin is expected to need each of them.
security-manager-services[portal]=\ | |
com.liferay.counter.service.CounterLocalService#increment,\ | |
com.liferay.portal.service.GroupLocalService#getGroup,\ | |
com.liferay.portal.service.LayoutLocalService#getLayout,\ | |
com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\ | |
com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\ | |
com.liferay.portal.service.ResourceBlockLocalService#isSupported,\ | |
com.liferay.portal.service.ResourceLocalService#addResources,\ | |
com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\ | |
com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\ | |
com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\ | |
com.liferay.portal.service.UserLocalService#getUserById,\ | |
com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\ | |
com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\ | |
com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\ | |
com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\ | |
com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\ | |
com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\ | |
com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\ | |
com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\ | |
com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\ | |
com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\ | |
com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\ | |
com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting | |
# Tables the plugin inserted into. ResourcePermission is a portal table, not one
# of the plugin's own (the plugin's own table in this file is SSB_Foo).
security-manager-sql-tables-insert=\ | |
AssetEntries_AssetTags,\ | |
AssetTag,\ | |
AssetTagStats,\ | |
ResourcePermission | |
# Tables the plugin selected from.
security-manager-sql-tables-select=\ | |
AssetEntries_AssetTags,\ | |
AssetEntry,\ | |
AssetTag,\ | |
AssetTagStats,\ | |
ResourcePermission,\ | |
SSB_Foo | |
# Tables the plugin updated.
security-manager-sql-tables-update=\ | |
AssetEntry,\ | |
AssetTag,\ | |
AssetTagStats,\ | |
SSB_Foo |