pacl policy process

description.md
  1. place the plugin into generate mode:

    security-manager-enabled=generate

  2. with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing the expected checks)
  3. however, rather than throwing an error on a failed security check, causing the plugin to fail, the individual checker which caused the failure will contribute a suggested rule which resolves the failed check
  4. the rules will be collected and written (on the fly) to a properties file
  5. the default write location is:

    ${liferay.home}/pacl-policy/${servletContextName}.policy

  6. if the developer specifies the property

    security-manager-generator-dir=/home/user/paclfoo

    then the generated policy file will be written to that path, e.g.:

    /home/user/paclfoo/${servletContextName}.policy

  7. new rules will be merged with any rules already present in the liferay-plugin-package.properties of the plugin
  8. once the app is completely tested, and all policy rules have been written to the generated policy file, the developer should copy those rules and merge them into the liferay-plugin-package.properties file of the originating plugin
  9. revert the property

    security-manager-enabled=generate

    to

    security-manager-enabled=true

  10. submit the plugin
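Steps 7 to 9 describe a merge of generated rules into the plugin's liferay-plugin-package.properties. The script below is an added example of that merge; it is not part of this gist or of Liferay's PACL implementation. It assumes both files use Java properties syntax with trailing-backslash continuations (as the sample policy further down does), that each `security-manager-*` list value is a comma-separated set of rules, and that "merge" means the union of the two sets per key. The sample inputs are constructed. Besides producing the merged file, it reports which rules the generated policy adds, since that delta is the set of new privileges a reviewer has to justify before the plugin is submitted.

```python
"""Merge a generated PACL policy into liferay-plugin-package.properties.

Example code, not Liferay's own tooling.  Assumes Java .properties syntax
(`key=value`, `#`/`!` comments, trailing `\\` continuations) and that every
security-manager-* list key holds comma-separated rules.
"""

# Keys that hold a single value rather than a rule list (both appear in the gist).
SCALAR_KEYS = {"security-manager-enabled", "security-manager-generator-dir"}

# Constructed sample: a fragment of a policy written by generate mode.
GENERATED_POLICY = r"""
#
# What follows is the policy generated for the sample-service-builder-portlet
#
security-manager-files-read=\
./service-ext.properties,\
global-configuration.properties

security-manager-sql-tables-select=\
AssetEntry,\
SSB_Foo
"""

# Constructed sample: the plugin's existing liferay-plugin-package.properties,
# still in generate mode and already granting some rules.
EXISTING_PROPERTIES = r"""
name=Sample Service Builder
module-group-id=liferay
security-manager-enabled=generate
security-manager-sql-tables-select=\
SSB_Foo,\
AssetTag
"""


def parse_properties(text):
    """Parse properties text; a trailing backslash joins the next line."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf == "" and (not line or line[0] in "#!"):
            continue  # skip blank lines and comments outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]  # continuation: keep accumulating
            continue
        key, sep, value = (buf + line).partition("=")
        buf = ""
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_rules(value):
    """Split a PACL list value into its individual, whitespace-free rules."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_rule_list(key):
    return key.startswith("security-manager-") and key not in SCALAR_KEYS


def merge_policies(existing_text, generated_text):
    """Return (merged_props, added): the union per rule key, plus the rules
    that only the generated policy contained (the new privileges to review)."""
    existing = parse_properties(existing_text)
    generated = parse_properties(generated_text)
    merged, added = dict(existing), {}
    for key, value in generated.items():
        if not is_rule_list(key):
            continue
        old = set(split_rules(existing.get(key, "")))
        new = set(split_rules(value))
        if new - old:
            added[key] = sorted(new - old)
        merged[key] = ",".join(sorted(old | new))
    # Step 9: generate mode is for development only; the submitted plugin enforces.
    if merged.get("security-manager-enabled") == "generate":
        merged["security-manager-enabled"] = "true"
    return merged, added


def render_properties(props):
    """Write properties back out, one rule per continuation line."""
    out = []
    for key, value in props.items():
        rules = split_rules(value) if is_rule_list(key) else []
        if len(rules) > 1:
            out.append(key + "=\\")
            out.extend(rule + ",\\" for rule in rules[:-1])
            out.append(rules[-1])
        else:
            out.append(f"{key}={value}")
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    merged_props, added_rules = merge_policies(EXISTING_PROPERTIES, GENERATED_POLICY)
    for k, rules in added_rules.items():
        print(f"{k}: +{len(rules)} new rule(s): {', '.join(rules)}")
    print(render_properties(merged_props))
```

Run against the real files, the "new rule(s)" report is worth reading before copying anything: every entry widens what the plugin may read, call or query, so each one should correspond to a feature the plugin actually exercised during testing.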

sample-service-builder-portlet.policy
#
# What follows is the policy generated for the sample-service-builder-portlet
#
 
security-manager-expando-bridge=\
com.liferay.sampleservicebuilder.model.Foo
 
security-manager-files-read=\
./service-ext.properties,\
/home/rotty/global-configuration.properties,\
/home/rotty/service-ext.properties,\
global-configuration.properties
 
security-manager-get-bean-property=\
com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\
com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\
com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\
com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\
com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\
com.liferay.portal.kernel.util.PropsUtil,\
com.liferay.portal.kernel.uuid.PortalUUIDUtil,\
com.liferay.portal.util.PortalUtil,\
com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil
 
security-manager-services[portal]=\
com.liferay.counter.service.CounterLocalService#increment,\
com.liferay.portal.service.GroupLocalService#getGroup,\
com.liferay.portal.service.LayoutLocalService#getLayout,\
com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\
com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\
com.liferay.portal.service.ResourceBlockLocalService#isSupported,\
com.liferay.portal.service.ResourceLocalService#addResources,\
com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\
com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\
com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\
com.liferay.portal.service.UserLocalService#getUserById,\
com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\
com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\
com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\
com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\
com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\
com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\
com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\
com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\
com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\
com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\
com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\
com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting
 
security-manager-sql-tables-insert=\
AssetEntries_AssetTags,\
AssetTag,\
AssetTagStats,\
ResourcePermission
 
security-manager-sql-tables-select=\
AssetEntries_AssetTags,\
AssetEntry,\
AssetTag,\
AssetTagStats,\
ResourcePermission,\
SSB_Foo
 
security-manager-sql-tables-update=\
AssetEntry,\
AssetTag,\
AssetTagStats,\
SSB_Foo
