« Zurück zu Security

Check Method on Process Action

Introduction #

Liferay Portal 4.4.x features many security updates including the one we will be describing in this wiki. A patch was added to PortletRequestProcessor that requires POST, and disallows GET. This wiki will also show you how to override this feature so that you can use GET.

Security Update #

In Liferay Portal 4.4.x, Liferay added this segment in PortletRequestProcessor.java

 if (action.isCheckMethodOnProcessAction()) {
      if (!PortalUtil.isMethodPost(req)) {
          String currentURL = PortalUtil.getCurrentURL(req);
          if (_log.isWarnEnabled()) {
                _log.warn(
                  "This URL can only be invoked using POST: " +currentURL);				}
            throw new PrincipalException(currentURL);
     }
 }

This is for checking whether the request type is POST and to solve security vulnerabilities. What this means is that GET, by default, is not allowed.

Liferay also added this method in PortalAction.java

 protected boolean isCheckMethodOnProcessAction() {
   return _CHECK_METHOD_ON_PROCESS_ACTION;
 }

By default _CHECK_METHOD_ON_PROCESS_ACTION=true.

Example of using Get and being disallowed by isCheckMethodOnProcessAction():

Segment of the JSP:

 <a href="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" >Test</a>

Segment of the Action:

TestAction.java

 public class TestAction  extends PortletAction {
      public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
                       RenderRequest req, RenderResponse res)
                throws Exception {
                     return mapping.findForward("portlet.ext.view_authtest.test");	
        }
 }

When we click the url, there will be the errors below:

 09:11:43,582 WARN  [PortletRequestProcessor:168] This URL can only be invoked us
 ing POST: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_m
 ode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
 09:11:43,613 ERROR [jsp:52] com.liferay.portal.security.auth.PrincipalException:
 /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&
 p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
   at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequ
 estProcessor.java:173)
   at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:96
 )
 at com.liferay.portlet.CachePortlet._invoke(CachePortlet.java:432)
   at com.liferay.portlet.CachePortlet.processAction(CachePortlet.java:215)

Use GET #

If you override the isCheckMethodOnProcessAction method in your action, the request can be executed correctly:

Segment of TestAction.java

 public class TestAction  extends PortletAction {
     public ActionForward render(
                    ActionMapping mapping, ActionForm form, PortletConfig config,
                       RenderRequest req, RenderResponse res)
                throws Exception {
                   return mapping.findForward("portlet.ext.view_authtest.test");
        }
        @Override
        protected boolean isCheckMethodOnProcessAction() {
              return _CHECK_METHOD_ON_PROCESS_ACTION;
        }
        private static final boolean _CHECK_METHOD_ON_PROCESS_ACTION = false;
 }
0 Anhänge
38763 Angesehen
Durchschnitt (1 Stimme)
Die durchschnittliche Bewertung ist 5.0 von max. 5 Sternen.
Kommentare
Antworten im Thread Autor Datum
Thank you. It saved me! Mahdy Khayyamian 23. April 2010 08:02
How would I go about enabling GET with a... Milton Waddams 29. Oktober 2010 10:45
If I have extended ConfigurationAction or... Prakash Khanchandani 12. April 2011 05:14
Hey Prakash Khanchandani, I am having the same... Venkatesh Manam 18. Juli 2014 13:15

Gepostet am 23.04.10 08:02.
How would I go about enabling GET with a GenericPortlet being used in Liferay 6.0.5?

It appears that processAction() is does not get triggered with GET. It goes straight to doView().
Gepostet am 29.10.10 10:45.
If I have extended ConfigurationAction or BasicConfigurationAction, so as to show my page as a pop-up when clicked on the configuration link on the portlet settings icon, then how do I get away from this error: [PortletRequestProcessor:168] This URL can only be invoked using POST.

You help would be greatly appreciated.
Gepostet am 12.04.11 05:14.
Hey Prakash Khanchandani, I am having the same issue saving the custom port let configuration. Were you able resolve the error? Please share the details if possible.
Gepostet am 18.07.14 13:15.