Liferay EE 6 SP2 - Upgrade and session.store.password

Matthieu Levesque, modified 12 years ago.

Junior Member Posts: 64 Join Date: 13.02.09
Hi,

I'm currently trying to install the latest version of Liferay EE 6. The whole upgrade process completes with no issue. The portal is working properly except for the property session.store.password, which doesn't seem to have any effect: in the session there's no PASSWORD attribute/variable. We developed a portlet that was using this value and I can't go on with the update without this portlet.

Is anyone else having this issue? I've compared the source for com.liferay.portlet.login.util.LoginUtil and I don't see any issue.

Here's a summary of the session properties:
session.shared.attributes 	org.apache.struts.action.LOCALE,COMPANY_,USER_,LIFERAY_SHARED_,PASSWORD
session.shared.attributes.excludes 	
session.store.password 	true
session.test.cookie.support 	true


Thanks,

Matthieu
David H Nebinger, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Liferay Legend Posts: 14919 Join Date: 02.09.06
I would have said that Liferay storing a user's password as a session variable would be a security hole and asked for it to be removed.

Why on earth would you need the user's password anyway? They've already authenticated themselves, so having access to the password should not be necessary at all.
Matthieu Levesque, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Junior Member Posts: 64 Join Date: 13.02.09
We currently don't have an SSO system, so we are using the variable to log users on to other systems. It's not the best solution but it was working...
Sandeep Nair, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Liferay Legend Posts: 1744 Join Date: 06.11.08
Add the following in portal-ext.properties too

session.shared.attributes.excludes=

Regards,
Sandeep
Matthieu Levesque, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Junior Member Posts: 64 Join Date: 13.02.09
Hi,

Thanks for the reply.

If you take a look at my first post it's already set to nothing...

I'm currently testing with this configuration:
session.store.password=true
session.shared.attributes.excludes=
session.shared.attributes=org.apache.struts.action.LOCALE,COMPANY_,USER_,LIFERAY_SHARED_,USER_PASSWORD


I still have an exception fired up by Tomcat (java.lang.IllegalStateException: setAttribute: Session already invalidated).

Still digging...
Sandeep Nair, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Liferay Legend Posts: 1744 Join Date: 06.11.08
Is there any custom code you are deploying along with this? Can you paste the complete stack trace? The exception clearly says you are trying to set something into an invalidated session. Somewhere in your custom code, are you setting something in the session?

Regards,
Sandeep
Matthieu Levesque, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Junior Member Posts: 64 Join Date: 13.02.09
Hi,

Again thanks for replying.

I have no customizations installed, no themes or portlets, only the prepackaged Tomcat version of EE SP2.

Here's the stack trace:
13:21:57,217 ERROR [LoginAction:119] java.lang.IllegalStateException: setAttribute: Session already invalidated
java.lang.IllegalStateException: setAttribute: Session already invalidated
	at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1336)
	at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1301)
	at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
	at com.liferay.portal.servlet.SharedSessionWrapper.setAttribute(SharedSessionWrapper.java:161)
	at com.liferay.portlet.login.util.LoginUtil.login(LoginUtil.java:316)
	at com.liferay.portlet.login.action.LoginAction.login(LoginAction.java:179)
	at com.liferay.portlet.login.action.LoginAction.processAction(LoginAction.java:87)
	at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequestProcessor.java:174)
	at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:190)
	at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:70)
	at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:48)
	at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:653)
	at com.liferay.portlet.InvokerPortletImpl.invokeAction(InvokerPortletImpl.java:689)
	at com.liferay.portlet.InvokerPortletImpl.processAction(InvokerPortletImpl.java:361)
	at com.liferay.portal.action.LayoutAction.processPortletRequest(LayoutAction.java:840)
	at com.liferay.portal.action.LayoutAction.processLayout(LayoutAction.java:629)
	at com.liferay.portal.action.LayoutAction.execute(LayoutAction.java:240)
	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
	at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:170)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
	at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:516)
	at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:493)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:113)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:113)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:199)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:240)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:75)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
	at com.liferay.portal.servlet.FriendlyURLServlet.service(FriendlyURLServlet.java:136)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:301)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:123)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:199)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:113)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:113)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.etag.ETagFilter.processFilter(ETagFilter.java:55)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:240)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:75)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302)
	at com.liferay.portal.servlet.I18nServlet.service(I18nServlet.java:102)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:72)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:80)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:121)
	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:207)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:48)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:184)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:92)
	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:203)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:105)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:164)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:92)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:164)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:92)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:75)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:662)


I've run the portal in debug mode in Eclipse to see where the problem starts. In the SharedSessionWrapper, whenever getSessionDelegate returns the _portalSession, I get this error.
Sandeep Nair, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Liferay Legend Posts: 1744 Join Date: 06.11.08
OK, do one thing. Add the following in portal-ext.properties and try again, please.

session.enable.phishing.protection=false

Regards,
Sandeep
Matthieu Levesque, modified 12 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Junior Member Posts: 64 Join Date: 13.02.09
session.enable.phishing.protection=false did the trick!

Thanks!
Rautureau Jérôme, modified 9 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

Junior Member Posts: 52 Join Date: 22.02.08
Thanks... You saved my day!
divya goyal, modified 7 years ago.

RE: Liferay EE 6 SP2 - Upgrade and session.store.password

New Member Posts: 7 Join Date: 11.11.14
Hi,

Sorry for referring to a very old post, but how will keeping the password create a security hole?

And is phishing.protection not creating a security hole? It will not let the jsession id get changed, which in turn is also a big security hole. Please help with the above query, as in the application we need the user credentials for further action.

Regards
Divya
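
Added example, not part of any post in this thread and not Liferay code: a small audit that reads a portal-ext.properties file and reports the three settings the thread ends up combining (password stored in the session, a password attribute in the shared-attribute list, phishing protection switched off). The sample file is constructed from the values quoted above; the defaults used for absent keys are assumptions.

```python
import re

# Constructed sample: the combination of settings this thread arrives at.
SAMPLE = """\
# portal-ext.properties (constructed)
session.store.password=true
session.shared.attributes=org.apache.struts.action.LOCALE,COMPANY_,\\
    USER_,LIFERAY_SHARED_,USER_PASSWORD
session.shared.attributes.excludes=
session.enable.phishing.protection = false
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' / ':' /
    whitespace separators, backslash continuation, last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        props[key] = value.strip()
    return props

def audit(props):
    """Return (property, reason) pairs for the settings the thread discusses.
    Assumed defaults when a key is absent: store.password=false,
    phishing.protection=true. The excludes list is not evaluated."""
    def enabled(key, default):
        return props.get(key, default).strip().lower() == "true"

    findings = []
    if enabled("session.store.password", "false"):
        findings.append(("session.store.password",
                         "user password is kept in the HTTP session"))
    shared = props.get("session.shared.attributes", "").split(",")
    leaked = [a.strip() for a in shared if "PASSWORD" in a.upper()]
    if leaked:
        findings.append(("session.shared.attributes",
                         "password attribute is shared: " + ",".join(leaked)))
    if not enabled("session.enable.phishing.protection", "true"):
        findings.append(("session.enable.phishing.protection",
                         "session id is not changed at login"))
    return findings

if __name__ == "__main__":
    for prop, reason in audit(parse_properties(SAMPLE)):
        print(f"{prop}: {reason}")
```

Run against a real portal-ext.properties by passing the file's text to `parse_properties`; an empty result means none of the three settings is in the state discussed here.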