Hi,
Do anybody can help ?
I make the following call from an HTML page hosted by another application running on port 8091 on the same server
Authentication is deactivated so far but it might be the next issue...
My portal-ext.properties
I can't imagine it is that complicated. I assume, it is a single configuration to update somewhere...
Do anybody can help ?
I make the following call from an HTML page hosted by another application running on port 8091 on the same server
var req = new XMLHttpRequest();
req.open("GET", "http://localhost:8090/api/jsonws/zp-portlet.vendor/get-vendors/company-id/20254");
//req.setRequestHeader("Authorization", "Basic " + btoa("mrjones:test12345"));
req.send();Authentication is deactivated so far but it might be the next issue...
My portal-ext.properties
json.service.auth.token.hosts.allowed=127.0.0.1,SERVER_IP
json.service.auth.token.enabled=false
jsonws.servlet.hosts.allowed=127.0.0.1,SERVER_IPI can't imagine it is that complicated. I assume, it is a single configuration to update somewhere...
Hi Eric,
Thanks for sharing your results and analysis with the community. Too often people post a problem, find a solution but then never update the thread with their findings.
Reading your post though I have a couple of comments .. maybe something for you to try as well if you have a moment
. Changing the web.xml for the ROOT application of course can be done but from experience it leads to problems when you want to upgrade. In particular I have found that with the EE version of the product when I use the patching tool to apply service packs, the changes I have made to the web.xml are lost. The only work around to this I believe... and perhaps you could argue "the purist way" to make such changes is with a *barf* EXT plugin .
Having said that, I recently had to enable CORS on an application. In our case it was another app that was iframing content from the Liferay side but regardless, CORS was the issue. Rather than turn it on for the whole server we used the portal-ext settings --
so that only the urls that HAD to support CORS did.
I am curious, could you try this on your side to see if it allows you to fix your issue without enabling CORS for the entire server?
Thanks for sharing your results and analysis with the community. Too often people post a problem, find a solution but then never update the thread with their findings.
Reading your post though I have a couple of comments .. maybe something for you to try as well if you have a moment
. Changing the web.xml for the ROOT application of course can be done but from experience it leads to problems when you want to upgrade. In particular I have found that with the EE version of the product when I use the patching tool to apply service packs, the changes I have made to the web.xml are lost. The only work around to this I believe... and perhaps you could argue "the purist way" to make such changes is with a *barf* EXT plugin .Having said that, I recently had to enable CORS on an application. In our case it was another app that was iframing content from the Liferay side but regardless, CORS was the issue. Rather than turn it on for the whole server we used the portal-ext settings --
http.header.secure.x.frame.options=true
http.header.secure.x.frame.options.1=<first_url>
http.header.secure.x.frame.opti ons.2=<second_url>
...
</second_url></first_url>so that only the urls that HAD to support CORS did.
I am curious, could you try this on your side to see if it allows you to fix your issue without enabling CORS for the entire server?
Hi Eric,
If I understand you correctly, I think you are asking about using this property to configure a "root" location under which all child urls would follow the same value. I'm not sure about doing that with this option to be honest. In our case we have just a couple of URLs that we wanted to allow the external application to "iframe". I would also advocate that, even if there are 50 or 60 different URLs that you want to allow CORS on, better to specify those 50 or 60 (as painful as that might be) than to open up the server entirely. This is after all not just a pain in the ass, but a security feature
If I understand you correctly, I think you are asking about using this property to configure a "root" location under which all child urls would follow the same value. I'm not sure about doing that with this option to be honest. In our case we have just a couple of URLs that we wanted to allow the external application to "iframe". I would also advocate that, even if there are 50 or 60 different URLs that you want to allow CORS on, better to specify those 50 or 60 (as painful as that might be) than to open up the server entirely. This is after all not just a pain in the ass, but a security feature
I have seen that a bug was opened in 2014 but closed without any modification : https://issues.liferay.com/browse/LPS-46310
However, I have the feeling it was closed for a bad reason. Security on server side is important, indeed. But if no browser can communicate with Liferay, this is an issue... At least my issue so far
However, I have the feeling it was closed for a bad reason. Security on server side is important, indeed. But if no browser can communicate with Liferay, this is an issue... At least my issue so far
Hi Eric,
hmmm I am certainly no security expert but all I can say is that for our case we set a couple of urls on those properties. The urls were in our Liferay application and are being referenced by SalesForce (via IFRAME). Without these properties, the requests were blocked.
I can see only one reference to these properties in the LR codebase -- in the SanitizedServletResponse class. Perhaps if Tomas is kickin' around the forums he could shed some light for us
hmmm I am certainly no security expert but all I can say is that for our case we set a couple of urls on those properties. The urls were in our Liferay application and are being referenced by SalesForce (via IFRAME). Without these properties, the requests were blocked.
I can see only one reference to these properties in the LR codebase -- in the SanitizedServletResponse class. Perhaps if Tomas is kickin' around the forums he could shed some light for us
