In August 2012 Liferay proudly announced their shiny new Marketplace. This should have been a step in the right direction to enhance their existing platform. To make community plugins more trustworthy, Liferay added the Plugin Security Manager (SM), which scans plugins for unauthorized access and, if it finds any, blocks the app from deploying or running. To satisfy the SM, the developer has to specify ahead of time, in the Portal Access Control List (PACL) properties file, the portal resources the plugin intends to access. So far, so good.
But after the release, something went terribly wrong. Well, actually, a lot of things went wrong. Just to name the most important issues:
* All the community plugins were removed
As it was mandatory to enable the SM for Marketplace plugins, none of the existing applications met the new requirements. So the Liferay people decided to remove them all, leaving users without valuable plugins and developers without a way to share their apps, and breaking the bond between developers and users.
They argued that those plugins did not meet all the requirements of the Marketplace. Even if it was reasonable to remove them, they should have relocated those plugins somewhere else.
Community developers were extremely annoyed by this measure. They felt that their hard work had been wasted and trashed. Of course, they had the chance to enable the SM for their already developed plugins and make them work, but here come the next two issues:
* Lack of working examples
The documentation was not clear enough. Many experienced developers claimed that Liferay should have taught by example, enabling the SM in their own plugins first. They are now working on a PACL generator, so developers don't have to go through the tedious cycle of deploying and testing, finding an SM exception, adding it to the PACL, deploying and testing again, finding another SM exception, adding it to the PACL, and so on.
* Major bugs in the Security Manager
One of the main bugs of the SM is related to reflection being used by portlets, and PACL not knowing how to deal with it. Since enabling the SM is mandatory for uploading an app to the Marketplace, the number of bugs it had left the vast majority of community apps out of it. So they are now planning to release Liferay version 6.1 GA3, mainly to fix all these issues caused by the SM. Developers are waiting patiently to hear an announcement date.
* Not replying quickly to forum threads related to Security Manager issues
At first, the threads posted by developers took many days to get answered by Liferay staff. Most of them ended up with a Jira ticket being filed. Right now, only a small number of community plugins are working with PACL enabled.
Anyway, as I have seen important information about this subject spread in different tutorials, threads, documentation, etc., I wanted to gather it here to make life(ray) easier for developers.
How do I get my app into the Marketplace?
Considering all the above problems, here are the steps you have to follow.
* Develop your plugin with PACL disabled.
* Implement all the libraries you use in such a way that they don't use reflection (if possible).
* Enable PACL and test it, following the guide below and forum examples.
If you still have problems with the SM, which is probably the case if you are reading this article, then you have to wait for Liferay to solve the issues.
Even though the Liferay people have acknowledged their mistakes, they are now trapped in a race against time, hoping that developers are patient enough to wait for Liferay 6.1 GA3.
What worries developers and users the most is that there is no announcement date. The initial estimate was this first quarter, but obviously it's taking longer. Let's just hope that this release is good enough to restore our faith in Liferay.