pacl policy process

  1. place the plugin into generate mode:

    security-manager-enabled=generate
    
  2. with no other policy rules in place, the policy for the app will behave as if PACL is enabled (performing expected checks)

  3. however, rather than throwing an error on failed security checks, causing the plugin to fail, the individual checker which caused the failure will contribute a suggested rule which resolves the failed check
  4. the rules will be collected and written (on the fly) to a properties file
  5. the default write location is:

    ${liferay.home}/pacl-policy/${servletContextName}.policy
    
  6. if the developer specifies the property

    security-manager-generator-dir=/home/user/paclfoo
    

    then the generated policy file will be written to that path, e.g.:

    /home/user/paclfoo/${servletContextName}.policy
    
  7. new rules will be merged with any already existing rules originating from the liferay-plugin-package.properties of the plugin

  8. once the app is completely tested, and all policy rules are written to the generated policy file, the developer should copy those and merge them with the liferay-plugin-package.properties file in the originating plugin
  9. revert the property

    security-manager-enabled=generate
    

    to

    security-manager-enabled=true
    
  10. submit the plugin
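
An added example (not part of the original gist) of step 8: it merges generated rules into the plugin's properties and flags absolute paths, like the `/home/rotty/...` entries in the generated policy on this page, which reflect the developer's machine and deserve review before submission. The function names, the `EXISTING` content, and the choice to skip the `security-manager-enabled` and `security-manager-generator-dir` switches during the merge are assumptions.

```python
import re

PREFIX = "security-manager-"
SETTINGS = {PREFIX + "enabled", PREFIX + "generator-dir"}  # switches, not rules (assumption)

def parse_properties(text):
    """Parse .properties text, joining backslash-continued lines."""
    props = {}
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def merge_policy(existing, generated):
    """Union each generated security-manager-* rule list into the plugin's properties."""
    merged = dict(existing)
    for key, value in generated.items():
        if key.startswith(PREFIX) and key not in SETTINGS:
            union = set(items(existing.get(key, ""))) | set(items(value))
            merged[key] = ",".join(sorted(union))
    return merged

def machine_specific_paths(policy):
    """Absolute paths in security-manager-files-* rules: review before submitting."""
    return [(k, p) for k, v in sorted(policy.items()) if k.startswith(PREFIX + "files-")
            for p in items(v) if re.match(r"/|[A-Za-z]:", p)]

# Constructed stand-in for an existing liferay-plugin-package.properties.
EXISTING = parse_properties("""\
name=Sample Service Builder
security-manager-enabled=generate
security-manager-sql-tables-select=SSB_Foo
""")
# Excerpt of the generated policy shown on this page.
GENERATED = parse_properties("""\
security-manager-files-read=\\
./service-ext.properties,\\
/home/rotty/service-ext.properties
security-manager-sql-tables-select=AssetTag,SSB_Foo
""")
MERGED = merge_policy(EXISTING, GENERATED)
for key, path in machine_specific_paths(MERGED):
    print(f"review {key}: {path}")
```
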

#
# What follows is the policy generated for the sample-service-builder-portlet
#
 
security-manager-expando-bridge=\
com.liferay.sampleservicebuilder.model.Foo
 
security-manager-files-read=\
./service-ext.properties,\
/home/rotty/global-configuration.properties,\
/home/rotty/service-ext.properties,\
global-configuration.properties
 
security-manager-get-bean-property=\
com.liferay.portal.kernel.dao.orm.EntityCacheUtil,\
com.liferay.portal.kernel.dao.orm.FinderCacheUtil,\
com.liferay.portal.kernel.spring.util.SpringFactoryUtil,\
com.liferay.portal.kernel.util.FastDateFormatFactoryUtil,\
com.liferay.portal.kernel.util.InfrastructureUtil#dataSource,\
com.liferay.portal.kernel.util.InfrastructureUtil#dynamicDataSourceTargetSource,\
com.liferay.portal.kernel.util.InfrastructureUtil#transactionManager,\
com.liferay.portal.kernel.util.PropsUtil,\
com.liferay.portal.kernel.uuid.PortalUUIDUtil,\
com.liferay.portal.util.PortalUtil,\
com.liferay.portlet.expando.util.ExpandoBridgeFactoryUtil
 
security-manager-services[portal]=\
com.liferay.counter.service.CounterLocalService#increment,\
com.liferay.portal.service.GroupLocalService#getGroup,\
com.liferay.portal.service.LayoutLocalService#getLayout,\
com.liferay.portal.service.LayoutSetLocalService#getLayoutSet,\
com.liferay.portal.service.ResourceActionLocalService#getResourceAction,\
com.liferay.portal.service.ResourceBlockLocalService#isSupported,\
com.liferay.portal.service.ResourceLocalService#addResources,\
com.liferay.portal.service.ResourcePermissionLocalService#setOwnerResourcePermissions,\
com.liferay.portal.service.ResourcePermissionLocalService#setResourcePermissions,\
com.liferay.portal.service.RoleLocalService#getDefaultGroupRole,\
com.liferay.portal.service.UserLocalService#getUserById,\
com.liferay.portal.service.persistence.UserPersistence#findByPrimaryKey,\
com.liferay.portlet.asset.service.AssetEntryLocalService#deleteEntry,\
com.liferay.portlet.asset.service.AssetEntryLocalService#updateEntry,\
com.liferay.portlet.asset.service.AssetLinkLocalService#deleteLinks,\
com.liferay.portlet.asset.service.AssetTagLocalService#addTag,\
com.liferay.portlet.asset.service.AssetTagLocalService#getTag,\
com.liferay.portlet.asset.service.AssetTagLocalService#incrementAssetCount,\
com.liferay.portlet.asset.service.AssetTagStatsLocalService#addTagStats,\
com.liferay.portlet.asset.service.AssetTagStatsLocalService#updateTagStats,\
com.liferay.portlet.social.service.SocialActivityCounterLocalService#deleteActivityCounters,\
com.liferay.portlet.social.service.SocialActivityLocalService#deleteActivities,\
com.liferay.portlet.social.service.SocialActivitySettingLocalService#deleteActivitySetting
 
security-manager-sql-tables-insert=\
AssetEntries_AssetTags,\
AssetTag,\
AssetTagStats,\
ResourcePermission
 
security-manager-sql-tables-select=\
AssetEntries_AssetTags,\
AssetEntry,\
AssetTag,\
AssetTagStats,\
ResourcePermission,\
SSB_Foo
 
security-manager-sql-tables-update=\
AssetEntry,\
AssetTag,\
AssetTagStats,\
SSB_Foo