
Liferay Security Manager or how to raise a horde of angry developers

Florencia Gadea
Software Developer
In August 2012 Liferay proudly announced their shiny new Marketplace. This should have been a step in the right direction to enhance their existing platform. To make community plugins more trustworthy, Liferay added the Plugin Security Manager (SM), which scans plugins for unauthorized access and, if it finds any, blocks the deployment or the functioning of the running app. To satisfy the SM, the developer has to specify ahead of time, in the Portal Access Control List (PACL) properties file, the portal resources the plugin intends to access. So far, so good.
But after the release, something went terribly wrong. Well, actually, a lot of things went wrong. Just to name the most important issues:
* All the community plugins were removed

As it was mandatory to enable the SM for Marketplace plugins, none of the existing applications met the new requirements. So the Liferay people decided to remove them all, leaving users without valuable plugins and developers without the possibility of sharing their apps, and breaking the bond between developers and users.

They argued that those plugins did not meet all the requirements of the Marketplace. Even if it was reasonable to remove them, they should have relocated those plugins somewhere else.

Community developers were extremely annoyed by this measure. They felt that their hard work had been wasted and trashed. Of course, they had the chance to enable the SM for their already developed plugins and make them work, but here come the next two issues:

* Lack of working examples

The documentation was not clear enough. Many experienced developers claimed that Liferay should have taught by example, enabling the SM in their own plugins first. They are now working on a PACL generator, so that developers don't have to go through the tedious cycle of deploying and testing, finding an SM exception, adding it to the PACL, deploying and testing again, finding another SM exception, adding it to the PACL, and so on.

* Major bugs in the Security Manager

One of the main bugs in the SM is related to portlets using reflection, which PACL does not know how to deal with. Since enabling the SM is mandatory for uploading an app to the Marketplace, the number of bugs it had kept the vast majority of community apps out. Liferay is now planning to release version 6.1 GA3, mainly to fix all the issues caused by the SM. Developers are waiting patiently for an announcement date.

* Not replying quickly to forum threads related to Security Manager issues

At first, threads posted by developers took many days to get an answer from Liferay staff. Most of them ended with a Jira ticket being filed. Right now, only a small number of community plugins are working with PACL enabled.

Anyway, as I have seen important information about this subject scattered across different tutorials, threads, documentation, etc., I wanted to gather it here to make life(ray) easier for developers.

How do I get my app into the Marketplace?
Considering all the above problems, here are the steps you have to follow.

* Develop your plugin with PACL disabled.
* Implement all the libraries you use in such a way that they don't use reflection (if possible).
* Enable PACL and test it, following the guide below and forum examples.
If you still have problems with the SM, which is probably the case if you are reading this article, then you have to wait for Liferay to solve the issues.
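To make the third step concrete, here is an added illustration (not taken from the original post or from Liferay's own plugins) of PACL declarations in a plugin's `liferay-plugin-package.properties`. The plugin name, file path, service method and host are constructed values; substitute the resources your plugin actually touches.

```properties
# WEB-INF/liferay-plugin-package.properties
# Added example; every value below is constructed for illustration.

# Turn the Security Manager on for this plugin. Once enabled, access to
# resources that are not declared below is blocked.
security-manager-enabled=true

# File system: grant read access only to the plugin's own data files
# ("my-portlet" is a hypothetical plugin name).
security-manager-files-read=\
    ../webapps/my-portlet/WEB-INF/data/*

# Portal services: declare each method the plugin calls rather than
# opening up a whole service.
security-manager-services[portal]=\
    com.liferay.portal.service.UserLocalService#getUserById

# Outbound network: a single host and port (hypothetical endpoint).
security-manager-sockets-connect=\
    api.example.com:443
```

Each SM exception found during the deploy-and-test cycle described above corresponds to one more entry of this kind, so keeping every entry as narrow as possible preserves the point of the access list.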

Even though the Liferay people have acknowledged their mistakes, they are now trapped in a race against time, hoping that developers will be patient enough to wait for Liferay 6.1 GA3.
What worries developers and users the most is that there is no announcement date. They initially estimated this first quarter, but obviously it's taking longer. Let's just hope that this release is good enough to restore our faith in Liferay.

Hey Florencia, your comments and participation in our community are always appreciated, and I am aware of the difficulties you and Rotterdam CS have faced with the Marketplace, so I want to thank you for taking the time to write up this blog post (and the other one about "10 ways to fail..."). We're making some changes that I hope will address your concerns, and we'll continue to improve based on this kind of feedback going forward. See http://www.liferay.com/web/james.falkner/blog/-/blogs/marketplace-pacl-and-community-plugins for details about what we're doing. I am really looking forward to seeing the kinds of apps you're producing on the Marketplace. They are quite amazing!
Posted on 02/05/13 12:15.
This is great news, James!

And thanks, we are really looking forward to the community using our apps.
Posted on 02/05/13 14:03 in reply to James.
