LPS-27741 Add security by plugin context execution to template engines
- We have to initialize/destroy a new template context specific to each plugin (keyed by the plugin's ClassLoader) - Add/replace helper utilities to support class-loading control (and access to classes/packages) within templates
1 parent
b2a65f0
commit 90c4e85
Showing
16 changed files
with
845 additions
and
117 deletions.
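--- a/portal-impl/src/com/liferay/portal/freemarker/LiferayObjectConstructor.java
+++ b/portal-impl/src/com/liferay/portal/freemarker/LiferayObjectConstructor.java
@@ -0,0 +1,60 @@
+/**
+* Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
+*
+* This library is free software; you can redistribute it and/or modify it under
+* the terms of the GNU Lesser General Public License as published by the Free
+* Software Foundation; either version 2.1 of the License, or (at your option)
+* any later version.
+*
+* This library is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+* details.
+*/
+
+package com.liferay.portal.freemarker;
+
+import com.liferay.portal.security.pacl.PACLClassLoaderUtil;
+
+import freemarker.ext.beans.BeansWrapper;
+
+import freemarker.template.TemplateMethodModelEx;
+import freemarker.template.TemplateModelException;
+
+import java.util.List;
+
+/**
+* @author Raymond Augé
+*/
+public class LiferayObjectConstructor implements TemplateMethodModelEx {
+
+public Object exec(@SuppressWarnings("rawtypes") List arguments)
+throws TemplateModelException {
+
+if (arguments.isEmpty()) {
+throw new TemplateModelException(
+"This method must have at least one argument as the name of " +
+"the class to instantiate");
+}
+
+Class<?> clazz = null;
+
+try {
+String className = String.valueOf(arguments.get(0));
+
+clazz = Class.forName(
+className, true, PACLClassLoaderUtil.getContextClassLoader());
+}
+catch (Exception e) {
+throw new TemplateModelException(e.getMessage());
+}
+
+BeansWrapper beansWrapper = BeansWrapper.getDefaultInstance();
+
+Object object = beansWrapper.newInstance(
+clazz, arguments.subList(1, arguments.size()));
+
+return beansWrapper.wrap(object);
+}
+
+}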
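Review bot: `exec` passes the template-supplied class name straight to `Class.forName` and then to `beansWrapper.newInstance`, without the restricted-class and restricted-package checks that `LiferayTemplateClassResolver.resolve` applies in this same commit. How this class is exposed to templates is not visible in these sections, but if it stands in for FreeMarker's `ObjectConstructor`, the deny lists in `PropsValues` would not apply to it. I would run the name through the same checks before loading, as sketched below. Separately, `throw new TemplateModelException(e.getMessage())` drops the cause; `new TemplateModelException(e)` keeps the stack trace for whoever has to diagnose a rejected template.

```java
String className = String.valueOf(arguments.get(0));

// Same deny lists that LiferayTemplateClassResolver enforces
for (String restrictedClassName :
        PropsValues.FREEMARKER_ENGINE_RESTRICTED_CLASSES) {

    if (className.equals(restrictedClassName)) {
        throw new TemplateModelException(
            "Instantiating " + className + " is not allowed in the " +
                "template for security reasons");
    }
}

for (String restrictedPackageName :
        PropsValues.FREEMARKER_ENGINE_RESTRICTED_PACKAGES) {

    if (className.startsWith(restrictedPackageName)) {
        throw new TemplateModelException(
            "Instantiating " + className + " is not allowed in the " +
                "template for security reasons");
    }
}

Class<?> clazz = null;

try {
    // … unchanged: Class.forName with the PACL context class loader …
}
catch (Exception e) {
    throw new TemplateModelException(e);
}
```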
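--- a/portal-impl/src/com/liferay/portal/freemarker/LiferayTemplateClassResolver.java
+++ b/portal-impl/src/com/liferay/portal/freemarker/LiferayTemplateClassResolver.java
@@ -0,0 +1,74 @@
+/**
+* Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
+*
+* This library is free software; you can redistribute it and/or modify it under
+* the terms of the GNU Lesser General Public License as published by the Free
+* Software Foundation; either version 2.1 of the License, or (at your option)
+* any later version.
+*
+* This library is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+* details.
+*/
+
+package com.liferay.portal.freemarker;
+
+import com.liferay.portal.security.pacl.PACLClassLoaderUtil;
+import com.liferay.portal.util.PropsValues;
+
+import freemarker.core.Environment;
+import freemarker.core.TemplateClassResolver;
+
+import freemarker.template.Template;
+import freemarker.template.TemplateException;
+import freemarker.template.utility.ObjectConstructor;
+
+/**
+* @author Raymond Augé
+*/
+public class LiferayTemplateClassResolver implements TemplateClassResolver {
+
+public Class<?> resolve(
+String className, Environment environment, Template template)
+throws TemplateException {
+
+if (className.equals(ObjectConstructor.class.getName())) {
+throw new TemplateException(
+"Instantiating " + className + " is not allowed in the " +
+"template for security reasons",
+environment);
+}
+
+for (String restrictedClassName :
+PropsValues.FREEMARKER_ENGINE_RESTRICTED_CLASSES) {
+
+if (className.equals(restrictedClassName)) {
+throw new TemplateException(
+"Instantiating " + className + " is not allowed in the " +
+"template for security reasons",
+environment);
+}
+}
+
+for (String restrictedPackageName :
+PropsValues.FREEMARKER_ENGINE_RESTRICTED_PACKAGES) {
+
+if (className.startsWith(restrictedPackageName)) {
+throw new TemplateException(
+"Instantiating " + className + " is not allowed in the " +
+"template for security reasons",
+environment);
+}
+}
+
+try {
+return Class.forName(
+className, true, PACLClassLoaderUtil.getContextClassLoader());
+}
+catch (Exception e) {
+throw new TemplateException(e, environment);
+}
+}
+
+}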
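Review bot: The only class `resolve` refuses unconditionally is `ObjectConstructor`; every other refusal depends on what `FREEMARKER_ENGINE_RESTRICTED_CLASSES` and `FREEMARKER_ENGINE_RESTRICTED_PACKAGES` hold, and those values are not visible here. FreeMarker's built-in `TemplateClassResolver.SAFER_RESOLVER` also refuses `freemarker.template.utility.Execute`, so I would either hard-code that name alongside `ObjectConstructor` or confirm that the shipped property defaults list it. The package test `className.startsWith(restrictedPackageName)` is a raw prefix match, so an entry without a trailing dot also matches sibling packages that merely share the prefix; unless the configured entries already end in a dot, `className.startsWith(restrictedPackageName + ".")` states the intent. The three identical `throw new TemplateException(...)` blocks could share one private helper.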
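--- a/portal-impl/src/com/liferay/portal/freemarker/PACLFreeMarkerTemplate.java
+++ b/portal-impl/src/com/liferay/portal/freemarker/PACLFreeMarkerTemplate.java
@@ -0,0 +1,65 @@
+/**
+* Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
+*
+* This library is free software; you can redistribute it and/or modify it under
+* the terms of the GNU Lesser General Public License as published by the Free
+* Software Foundation; either version 2.1 of the License, or (at your option)
+* any later version.
+*
+* This library is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+* details.
+*/
+
+package com.liferay.portal.freemarker;
+
+import com.liferay.portal.kernel.template.TemplateException;
+import com.liferay.portal.security.lang.PortalSecurityManagerThreadLocal;
+import com.liferay.portal.security.pacl.PACLPolicy;
+import com.liferay.portal.template.TemplateContextHelper;
+
+import freemarker.template.Configuration;
+
+import java.io.Writer;
+
+import java.util.Map;
+
+/**
+* @author Raymond Augé
+*/
+public class PACLFreeMarkerTemplate extends FreeMarkerTemplate {
+
+public PACLFreeMarkerTemplate(
+String templateId, String templateContent, String errorTemplateId,
+String errorTemplateContent, Map<String, Object> context,
+Configuration configuration,
+TemplateContextHelper templateContextHelper,
+StringTemplateLoader stringTemplateLoader, PACLPolicy paclPolicy) {
+
+super(
+templateId, templateContent, errorTemplateId, errorTemplateContent,
+context, configuration, templateContextHelper,
+stringTemplateLoader);
+
+_paclPolicy = paclPolicy;
+}
+
+@Override
+public boolean processTemplate(Writer writer) throws TemplateException {
+PACLPolicy initialPolicy =
+PortalSecurityManagerThreadLocal.getPACLPolicy();
+
+try {
+PortalSecurityManagerThreadLocal.setPACLPolicy(_paclPolicy);
+
+return super.processTemplate(writer);
+}
+finally {
+PortalSecurityManagerThreadLocal.setPACLPolicy(initialPolicy);
+}
+}
+
+private PACLPolicy _paclPolicy;
+
+}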
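Review bot: The constructor stores `paclPolicy` without a null check, and `processTemplate` then installs whatever it holds as the thread's policy for the whole render. What a null policy means to `PortalSecurityManagerThreadLocal` is not visible in this section; if it means "no policy", a caller passing null would render the template unchecked, so I would reject null in the constructor or document that it is intended. The field is assigned once and can be `private final PACLPolicy _paclPolicy;`. The class also has no Javadoc beyond `@author`; one sentence saying that it swaps the thread-local policy around `super.processTemplate` and restores the previous one in `finally` would help the next reader.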