Check Method on Process Action

Introduction #

Liferay Portal 4.4.x features many security updates, including the one described in this wiki. A check was added to PortletRequestProcessor that requires portlet action requests to use POST and disallows GET. This wiki also shows how to override this check so that you can use GET.

Security Update #

In Liferay Portal 4.4.x, Liferay added this segment to PortletRequestProcessor.java:

 if (action.isCheckMethodOnProcessAction()) {
     if (!PortalUtil.isMethodPost(req)) {
         String currentURL = PortalUtil.getCurrentURL(req);
         if (_log.isWarnEnabled()) {
             _log.warn(
                 "This URL can only be invoked using POST: " + currentURL);
         }
         throw new PrincipalException(currentURL);
     }
 }

This check rejects any processAction request whose method is not POST by throwing a PrincipalException before the action runs, so a state-changing portlet action cannot be triggered simply by following a link. What this means is that GET, by default, is not allowed.

Liferay also added this method in PortalAction.java:

 protected boolean isCheckMethodOnProcessAction() {
   return _CHECK_METHOD_ON_PROCESS_ACTION;
 }

By default, _CHECK_METHOD_ON_PROCESS_ACTION is true, so every action inherits the POST requirement unless it overrides this method.

Example of using GET and being disallowed by isCheckMethodOnProcessAction():

Segment of the JSP:

 <a href="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" >Test</a>

Segment of the Action:

TestAction.java

 public class TestAction extends PortletAction {

     // isCheckMethodOnProcessAction() is not overridden here, so the
     // default (POST required) applies to this action.
     public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
             RenderRequest req, RenderResponse res)
         throws Exception {

         return mapping.findForward("portlet.ext.view_authtest.test");
     }

 }

When we click the link, the following errors appear in the log:

 09:11:43,582 WARN  [PortletRequestProcessor:168] This URL can only be invoked using POST: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
 09:11:43,613 ERROR [jsp:52] com.liferay.portal.security.auth.PrincipalException: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
     at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequestProcessor.java:173)
     at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:96)
     at com.liferay.portlet.CachePortlet._invoke(CachePortlet.java:432)
     at com.liferay.portlet.CachePortlet.processAction(CachePortlet.java:215)

Use GET #

If you override the isCheckMethodOnProcessAction method in your action, the request is executed correctly. Note that this disables the POST check only for that one action, so it should be limited to actions that do not change state:

Segment of TestAction.java:

 public class TestAction extends PortletAction {

     public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
             RenderRequest req, RenderResponse res)
         throws Exception {

         return mapping.findForward("portlet.ext.view_authtest.test");
     }

     // Overriding this method turns off the POST check for this action only.
     @Override
     protected boolean isCheckMethodOnProcessAction() {
         return _CHECK_METHOD_ON_PROCESS_ACTION;
     }

     // This field is separate from the one in the parent class, which defaults to true.
     private static final boolean _CHECK_METHOD_ON_PROCESS_ACTION = false;

 }
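The check can also be satisfied without overriding isCheckMethodOnProcessAction at all, by submitting the actionURL through a POST form instead of an anchor. This is an added example, not part of the original wiki; it assumes the same struts_action path as the JSP segment above.

```jsp
<%@ taglib uri="http://java.sun.com/portlet" prefix="portlet" %>
<%@ page import="javax.portlet.WindowState" %>

<%-- Build the same action URL as the anchor version, but store it in the
     scripting variable "testURL" (assumed name) instead of an <a href>. --%>
<portlet:actionURL var="testURL" windowState="<%= WindowState.MAXIMIZED.toString() %>">
    <portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" />
</portlet:actionURL>

<%-- Submitting with method="post" makes PortalUtil.isMethodPost(req) true,
     so the default check in PortletRequestProcessor passes and
     _CHECK_METHOD_ON_PROCESS_ACTION can stay at its default of true. --%>
<form action="<%= testURL %>" method="post">
    <input type="submit" value="Test" />
</form>
```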
Comments

Mahdy Khayyamian, April 23, 2010 8:02 AM:
Thank you. It saved me!

Milton Waddams, October 29, 2010 10:45 AM:
How would I go about enabling GET with a GenericPortlet being used in Liferay 6.0.5?

It appears that processAction() does not get triggered with GET. It goes straight to doView().

Prakash Khanchandani, April 12, 2011 5:14 AM:
If I have extended ConfigurationAction or BasicConfigurationAction, so as to show my page as a pop-up when clicked on the configuration link on the portlet settings icon, then how do I get away from this error: [PortletRequestProcessor:168] This URL can only be invoked using POST.

Your help would be greatly appreciated.

Venkatesh Manam, July 18, 2014 1:15 PM:
Hey Prakash Khanchandani, I am having the same issue saving the custom portlet configuration. Were you able to resolve the error? Please share the details if possible.