We all wish cyberspace were free of malicious software and unwanted bugs. Since it isn’t, we need to guard ourselves and our portals from these evils. Enter Liferay Portal’s Plugin Security Manager! It’s like a super-hero in a cape and tights, except, well, it’s not.

In its quest for peace within your portal, the Plugin Security Manager pledges to:

  • Protect your portal and host system from unwanted side effects and malicious software introduced by plugins.
  • Control plugin access to your portal, host system, and network by requiring that plugins specify ahead of time the portal resources they intend to access.

Let’s go over some scenarios you may face when trying new plugins; they should make the importance of this clear.

  • A flashy new plugin has arrived on Liferay Marketplace and you want to give it a whirl. But naturally, you want to know the parts of your system it will access.
  • A colleague finds an interesting plugin after scouring the web for something that can help streamline processes at your workplace. Of course, you don’t know whether you can truly trust the plugin’s creator, since this plugin was found outside the Liferay Marketplace. If the plugin isn’t open source, you have no way of knowing whether it does anything nefarious.
  • Upper management requests your corporate branch and other branches use a standard set of plugins on your portal instances. This set of plugins, however, was written by an outside firm, and you need to know there will be no tampering with your proprietary files.

These are just a few scenarios that may ring true for you. When you’re responsible for keeping your system running well 24x7, you can’t be too cautious in protecting your portal, system and network.

How plugin security works

When the Plugin Security Manager is enabled for your plugin, it checks your plugin’s Portal Access Control List (PACL). This list describes what APIs the plugin accesses, so people deploying the...


Developing Plugins with security in mind

At the start of plugin development, you may not have a clear picture of all the aspects of the portal you’ll need to access, and that’s fine. In fact, we suggest you go ahead and develop your...


Enabling the Security Manager

If you want to distribute plugins, either on the Liferay Marketplace or through your web site, you have to assume users will insist the Security Manager is enabled in your plugin. For this reason,...


Portal Access Control List (PACL) Properties

Liferay Portal’s Plugin Security Manager checks all your plugin’s API access attempts against the security manager properties specified in your plugin’s liferay-plugin-package.properties file. If...


AWT Security

Specify the AWT operations the plugin is permitted to access. Example: security-manager-awt-operations=\ accessClipboard,\ accessEventQueue,\ accessSystemTray,\ createRobot,\ fullScreenExclusive,\...


Class Loader Security

Specify the reference IDs of plugins for this plugin to access. Example: security-manager-class-loader-reference-ids=\ 1_WAR_flashportlet,\ flash-portlet


Environment Variable Security

Specify regular expression patterns used to match environment variables that the plugin is permitted to access. Example: security-manager-environment-variables=\ java.home,\ java.vendor,\...


Expando Bridge Security

Specify models having Expando Bridge attributes the plugin is permitted to access. The plugin can also access Expando Bridge attributes via the wrapper classes of the models. Example:...


File Security

The following properties address file deletion, execution, reading, writing and replacement operations. The * character in a path name indicates all files in the current directory. The - character...


Bean Security

Specify bean properties the plugin is permitted to acquire. Example: security-manager-get-bean-property=\ com.liferay.portal.kernel.xml.SAXReaderUtil,\ com.liferay.portal.util.PortalUtil Specify...


Hook Security

Set to true if the hook plugin is permitted to use custom JSPs. By default, the hook plugin is not permitted to use custom JSPs. Example: security-manager-hook-custom-jsp-dir-enabled=false Specify...


JNDI Security

Specify which services the plugin can look up. You can use regular expressions to make this dynamic. Example: Using the sample values below, the plugin can look up objects for key names matthew,...


Message Bus Security

Specify which services the plugin is permitted to listen on via the portal’s message bus. Example: security-manager-message-bus-listen=\ liferay/test_pacl,\ liferay/test_pacl_listen_success Specify...


Portlet Bag Pool Security

Specify regular expression patterns used to match any portlet IDs that the plugin is permitted to access from the portlet bag pool. Example: security-manager-portlet-bag-pool-portlet-ids=\...


Search Engine Security

Specify the IDs of search engines the plugin is permitted to access. Example: security-manager-search-engine-ids=\ SYSTEM_ENGINE


Portal Service Security

Specify portal service classes and/or methods the plugin is permitted to access. Use the # character as a delimiter between a class and its method. Example: security-manager-services[portal]=\...


Portlet Service Security

For each portlet the plugin accesses, replicate this property substituting some-portlet in the [ square brackets ] with the name of the accessible portlet. Specify portlet service classes and/or...


Socket Security

Specify sockets permitted to accept connections in the plugin. Example: security-manager-sockets-accept=\ localhost:4320 Specify connections the plugin is permitted to make with the outside world....


SQL Security

Specify tables in the Liferay database on which the plugin is permitted to perform the applicable operations. These property names use the following convention:...


Thread Security

Specify regular expression patterns used to match names of the thread pool executor for the plugin to access. Example: security-manager-thread-pool-executor-names=\ liferay/test_pacl,\...
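The property summaries above (from AWT Security through Thread Security) each show one key in isolation. The following is a complete PACL section for a hypothetical server-side "report-portlet" plugin, written as an added example for this chapter rather than taken from the page or from Liferay’s own sources. It contrasts an over-broad file grant with a least-privilege one and omits every key the plugin does not need. The property keys that are shown on this page (security-manager-sockets-accept, security-manager-services[portal], security-manager-get-bean-property, security-manager-message-bus-listen, security-manager-thread-pool-executor-names, security-manager-search-engine-ids, security-manager-hook-custom-jsp-dir-enabled) are used as written; the remaining keys (security-manager-enabled, security-manager-files-read/-write, security-manager-sockets-connect, security-manager-sql-tables-select/-insert/-update, security-manager-jndi-names, security-manager-message-bus-send) are taken from Liferay 6.x PACL conventions and are assumptions, since their sections on this page are truncated. All paths, host names, table names, service classes and the plugin name itself are placeholders.

```properties
## Constructed example PACL section of liferay-plugin-package.properties for a
## hypothetical "report-portlet" plugin. Not the page's or Liferay's own code.

# Turn the Plugin Security Manager on for this plugin.
# (Key name assumed from Liferay 6.x; this page's "Enabling the Security Manager"
# section does not spell it out.)
security-manager-enabled=true

# Too broad: "-" after a directory means that directory and everything below it,
# so these two lines would hand the plugin the entire host file system. Left here
# commented out to show what NOT to ship.
#security-manager-files-read=/-
#security-manager-files-write=/-

# Least privilege: "*" matches files in the named directory only, "-" recurses.
# Read the plugin's own deployment directory, write to one scratch directory.
# (Key names assumed; paths are placeholders.)
security-manager-files-read=\
    /opt/liferay/tomcat/webapps/report-portlet/*,\
    /opt/liferay/tomcat/webapps/report-portlet/WEB-INF/-
security-manager-files-write=\
    /opt/liferay/data/report-portlet/-
# No delete, execute or replace keys are present, so those operations stay denied.

# Network: accept inbound connections only on the one local port the plugin binds,
# and connect outbound only to the two hosts it actually calls.
security-manager-sockets-accept=\
    localhost:4320
security-manager-sockets-connect=\
    reports.example.com:443,\
    smtp.example.com:25

# Portal services: grant class#method pairs, not whole service classes.
security-manager-services[portal]=\
    com.liferay.portal.service.UserLocalService#getUserById,\
    com.liferay.portal.service.CompanyLocalService#getCompany

# Services of another portlet this plugin calls. The bracketed name is the
# accessible portlet (placeholder here).
security-manager-services[calendar-portlet]=\
    com.liferay.calendar.service.CalendarBookingLocalService#getCalendarBooking

# Bean properties, JNDI names, message bus destinations, thread pools, search.
security-manager-get-bean-property=\
    com.liferay.portal.util.PortalUtil
security-manager-jndi-names=\
    jdbc/ReportsPool
security-manager-message-bus-listen=\
    liferay/report_portlet
security-manager-message-bus-send=\
    liferay/report_portlet
security-manager-thread-pool-executor-names=\
    liferay/report_portlet
security-manager-search-engine-ids=\
    SYSTEM_ENGINE

# SQL: the plugin's own table only, and only the statements it issues.
# No drop or truncate key is present at all.
security-manager-sql-tables-select=\
    ReportPortlet_Report
security-manager-sql-tables-insert=\
    ReportPortlet_Report
security-manager-sql-tables-update=\
    ReportPortlet_Report

# Hooks: leave custom JSP overrides off unless the plugin genuinely needs them.
security-manager-hook-custom-jsp-dir-enabled=false

# A server-side portlet has no business with the clipboard, event queue or system
# tray, so security-manager-awt-operations is omitted entirely.
```

Two habits worth keeping when reviewing a PACL like this: treat every key that is absent as a denial and ask why each present one is needed, and read a trailing `-` or `*` in a path, and a bare class name without `#method` in a services key, as a grant far wider than the plugin's feature usually requires.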

In this chapter, we’ve discussed the reasons for plugin security management, how the Plugin Security Manager checks each plugin against its portal access control list (PACL), and how to specify...
