Foren
JSF portlet, friendly url call, processAction problem
Gunnar Brinkmann, geändert vor 7 Jahren.
JSF portlet, friendly url call, processAction problem
Junior Member Beiträge: 53 Beitrittsdatum: 02.12.11 Neueste Beiträge
Hello.
The goal: Call a liferay page "manually" (URL input or a href elsewhere) via friendly url and trigger portlet code on that page to load data.
Example: http://host/site/page/-/mapping/1234567890/load
Versions are: bridge 4.2.5-ga6 on 6.2 EE SP14 with primefaces 5.2 / mojarra 2.2.12
What I've managed so far:
"processAction" in my custom portlet class is executed and ParamUtil.getLong(actionRequest, ... is successful, I get the value "1234567890".
But I want my controller method (annotated with "ProcessAction") to be fired, this is not working a.t.m.
The controller is session scoped and annotated via javax (not via spring)
In my route configuration I tried both implicit-parameter "action" and "javax.portlet.action", no success.
What am I missing?
Regards,
Gunnar
edit: added "SP14"
another edit: added "mapping"
The goal: Call a liferay page "manually" (URL input or a href elsewhere) via friendly url and trigger portlet code on that page to load data.
Example: http://host/site/page/-/mapping/1234567890/load
Versions are: bridge 4.2.5-ga6 on 6.2 EE SP14 with primefaces 5.2 / mojarra 2.2.12
What I've managed so far:
"processAction" in my custom portlet class is executed and ParamUtil.getLong(actionRequest, ... is successful, I get the value "1234567890".
But I want my controller method (annotated with "ProcessAction") to be fired, this is not working a.t.m.
The controller is session scoped and annotated via javax (not via spring)
...
@ManagedBean
@SessionScoped
public class EditorController
{
...
@ProcessAction(name="loadApplicationNumber")
public void loadApplicationNumber(ActionRequest actionRequest, ActionResponse actionResponse)
{
...
In my route configuration I tried both implicit-parameter "action" and "javax.portlet.action", no success.
...
<route>
<pattern>/{applicationNumber:\d+}/load</pattern>
<implicit-parameter name="p_p_lifecycle">1</implicit-parameter>
<implicit-parameter name="javax.portlet.action">loadApplicationNumber</implicit-parameter>
</route>
...
What am I missing?
Regards,
Gunnar
edit: added "SP14"
another edit: added "mapping"
Kyle Joseph Stiemann, geändert vor 7 Jahren.
RE: JSF portlet, friendly url call, processAction problem
Liferay Master Beiträge: 760 Beitrittsdatum: 14.01.13 Neueste Beiträge
Hi Gunnar,
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.
However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Also @ProcessAction is part of the porlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.
- Kyle
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.
However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Also @ProcessAction is part of the porlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.
- Kyle
Gunnar Brinkmann, geändert vor 7 Jahren.
RE: JSF portlet, friendly url call, processAction problem
Junior Member Beiträge: 53 Beitrittsdatum: 02.12.11 Neueste Beiträge
Hi Kyle.
ok, thank you.
Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties
I'm expecting the Liferay page is still secured this way?
After that change I managed to land in "processAction" and could extract my friendly URL parameter value.
Before I got the "reject process action error".
Why should I do that, since I already managed to land in my custom portlet class' overridden "processAction" method?
Ok, maybe Portlet#processAction is enough and I'll try to transfer the value from Portlet to managed beans.
Thanks, regards and a great weekend,
Gunnar
edit: corrected properties filename
Kyle Joseph Stiemann:
Hi Gunnar,
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.
ok, thank you.
However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties
auth.token.ignore.portlets=82,myportletnamespace
I'm expecting the Liferay page is still secured this way?
After that change I managed to land in "processAction" and could extract my friendly URL parameter value.
Before I got the "reject process action error".
Also @ProcessAction is part of the porlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.
Why should I do that, since I already managed to land in my custom portlet class' overridden "processAction" method?
- Kyle
Ok, maybe Portlet#processAction is enough and I'll try to transfer the value from Portlet to managed beans.
Thanks, regards and a great weekend,
Gunnar
edit: corrected properties filename
Kyle Joseph Stiemann, geändert vor 7 Jahren.
RE: JSF portlet, friendly url call, processAction problem
Liferay Master Beiträge: 760 Beitrittsdatum: 14.01.13 Neueste BeiträgeGunnar Brinkmann:
Hi Kyle.
However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Yes, instead of turning security off I've added my portlet namespace in portal-ext.propertiesauth.token.ignore.portlets=82,myportletnamespace
I'm expecting the Liferay page is still secured this way?
Yes, I think all the portlets besides 82 and myportletnamespace would use the p_auth feature as security against CSRF. Just make sure you know what you are doing when disabling p_auth for those portlets . You could also consider disabling p_auth for certain actions via auth.token.ignore.portlets. That would be more fine-grained. See OWASP's CSRF article for more details about CSRF.
- Kyle