PUBLIC - Liferay Portal Community Edition

PACL, issue with SecurityManager

Details

  • Branch Version/s:
    6.1.x
  • Backported to Branch:
    Committed
  • Similar Issues:
    Show 5 results 

Description

I faced a problem with SecurityChecker and PACL.
In my plugin I have the code:
Mac mac = Mac.getInstance("HMACSHA1");

If security manager is enabled it throws the exception:
java.lang.SecurityException: Attempted to putProviderProperty.SUN on
at com.liferay.portal.security.pacl.checker.BaseChecker.throwSecurityException(BaseChecker.java:259)
at com.liferay.portal.security.pacl.checker.SecurityChecker.checkPermission(SecurityChecker.java:52)
at com.liferay.portal.security.pacl.ActivePACLPolicy.checkPermission(ActivePACLPolicy.java:55)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:103)
at com.liferay.portal.security.lang.PortalSecurityManager.checkPermission(PortalSecurityManager.java:74)
at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
at java.security.Provider.check(Provider.java:386)
at java.security.Provider.putAll(Provider.java:224)
at sun.security.action.PutAllAction.run(PutAllAction.java:35)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.provider.Sun.<init>(Sun.java:254)
at sun.security.util.ManifestEntryVerifier.setEntry(ManifestEntryVerifier.java:110)

I looked into the code of SecurityChecker and found out that it can handle only permissions for getPolicy and setPolicy. In other cases it ALWAYS throws the security exception:
public void checkPermission(Permission permission) {
String name = permission.getName();

if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
if (!hasGetPolicy())

{ throwSecurityException(_log, "Attempted to get the policy"); }

}
else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
if (!hasSetPolicy())

{ throwSecurityException(_log, "Attempted to set the policy"); }

}
else {
if (_log.isDebugEnabled())

{ Thread.dumpStack(); }

throwSecurityException(
_log,
"Attempted to " + permission.getName() + " on " +
permission.getActions());
}
}

So, it looks like there is no way to run such "tivial" code with enabled Security Manager in LR. Did I miss anything?

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Mika Koivisto added a comment -

I just tried running following code under out test-pacl-portlet that's running under security manager and it worked fine.

			javax.crypto.spec.SecretKeySpec keySpec =
				new javax.crypto.spec.SecretKeySpec(
					"test".getBytes(),
					"HmacSHA1");

			javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");

			mac.init(keySpec);
			mac.doFinal("Hello".getBytes());
Show
Mika Koivisto added a comment - I just tried running following code under out test-pacl-portlet that's running under security manager and it worked fine. javax.crypto.spec.SecretKeySpec keySpec = new javax.crypto.spec.SecretKeySpec( "test".getBytes(), "HmacSHA1"); javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1"); mac.init(keySpec); mac.doFinal("Hello".getBytes());
Hide
Permalink
Dzmitry Shaparau added a comment -

I attached a very simple plugin which simulates the error. It provides a very simple Authenticator which just invokes Mac.getInstance
Steps to reproduce:
1. Unpack a clean copy of LR(Tomcat) 6.1.1 ga2
2. Start LR and deploy sample-auth-hook
3. Restart the server
4. Try to login with any user

Show
Dzmitry Shaparau added a comment - I attached a very simple plugin which simulates the error. It provides a very simple Authenticator which just invokes Mac.getInstance Steps to reproduce: 1. Unpack a clean copy of LR(Tomcat) 6.1.1 ga2 2. Start LR and deploy sample-auth-hook 3. Restart the server 4. Try to login with any user
Hide
Permalink
Mika Koivisto added a comment -

Thanks Dzmitry, your hook really helped. It seems if some other plugin without security manager already initializes the crypto classes you won't get any security exceptions in the plugin that has security manager enabled.

Show
Mika Koivisto added a comment - Thanks Dzmitry, your hook really helped. It seems if some other plugin without security manager already initializes the crypto classes you won't get any security exceptions in the plugin that has security manager enabled.
Hide
Permalink
Brian Chan added a comment -

See comments https://github.com/brianchandotcom/liferay-portal/pull/7743

Show
Brian Chan added a comment - See comments https://github.com/brianchandotcom/liferay-portal/pull/7743
Hide
Permalink
Mika Koivisto added a comment -

Added pre initialization as global startup action so that most basic operations work without declaring them explicitly.

Show
Mika Koivisto added a comment - Added pre initialization as global startup action so that most basic operations work without declaring them explicitly.
Hide
Permalink
Mika Koivisto added a comment -

Will submit a new pr with fix for Windows.

Show
Mika Koivisto added a comment - Will submit a new pr with fix for Windows.
Hide
Permalink
Mika Koivisto added a comment -

Steps to reproduce with test-pacl-portlet

1. Login
2. Deploy test-pacl-portlet and it's dependencies
3. Add test-pacl-portlet to a page
4. Logout
5. Restart server
6. View page with test-pacl-portlet and you should see AES Encrypt and HMacMD5 tests fail

Show
Mika Koivisto added a comment - Steps to reproduce with test-pacl-portlet 1. Login 2. Deploy test-pacl-portlet and it's dependencies 3. Add test-pacl-portlet to a page 4. Logout 5. Restart server 6. View page with test-pacl-portlet and you should see AES Encrypt and HMacMD5 tests fail
Hide
Permalink
Serena Song added a comment -

PASSED Manual Testing using the following steps:

  1. Strat up liferay.
  2. Navigate to ..\portlets\test-pacl-portlet\docroot.
  3. Open view.jsp file and add following code to it.
    <% Mac mac = Mac.getInstance("HMACSHA1"); %>
  4. Deploy test-pacl-portlet and it's dependencies
  5. Add test-pacl-portlet to a page
  6. Logout
  7. Restart server

Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9163c531df1cb05b668a98413410989f1f231d25.
Plugin 6.1.x EE GIT ID: 0ff0a9ee0a616727d2a42edb8811a3ed41a336c1.

It will throw exception.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: e782c1ebc63271a45ab85125a0cad0e1ce0c01ef.
Plugin 6.1.x EE GIT ID: 570a3cc499c4c1fc6eeaaaf277af9d1bd2840347.
Tomcat 7.0 + MySQL 5. Portal 6.2.x EE GIT ID: f5b69feabc821668b41e3b251fb2a14674a2da56.
Plugin 6.2.x EE GIT ID: 325f0c27c7f18fea7c4132161cd9ffdaf87fd699.

There is no exception occurs.

Show
Serena Song added a comment - PASSED Manual Testing using the following steps: Strat up liferay. Navigate to ..\portlets\test-pacl-portlet\docroot. Open view.jsp file and add following code to it. <% Mac mac = Mac.getInstance("HMACSHA1"); %> Deploy test-pacl-portlet and it's dependencies Add test-pacl-portlet to a page Logout Restart server Reproduced on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9163c531df1cb05b668a98413410989f1f231d25. Plugin 6.1.x EE GIT ID: 0ff0a9ee0a616727d2a42edb8811a3ed41a336c1. It will throw exception. Fixed on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: e782c1ebc63271a45ab85125a0cad0e1ce0c01ef. Plugin 6.1.x EE GIT ID: 570a3cc499c4c1fc6eeaaaf277af9d1bd2840347. Tomcat 7.0 + MySQL 5. Portal 6.2.x EE GIT ID: f5b69feabc821668b41e3b251fb2a14674a2da56. Plugin 6.2.x EE GIT ID: 325f0c27c7f18fea7c4132161cd9ffdaf87fd699. There is no exception occurs.

People

Vote (1)
Watch (5)

Dates

  • Created:
    Updated:
    Resolved:
    Days since last comment:
    16 weeks, 2 days ago