This wiki does not contain official documentation and is currently deprecated and read only. Please try reading the documentation on the Liferay Developer Network, the new site dedicated to Liferay documentation. DISCOVER Build your web site, collaborate with your colleagues, manage your content, and more. DEVELOP Build applications that run inside Liferay, extend the features provided out of the box with Liferay's APIs. DISTRIBUTE Let the world know about your app by publishing it in Liferay's marketplace. PARTICIPATE Become a part of Liferay's community, meet other Liferay users, and get involved in the open source project. Check Method on Process Action
Table of Contents [-]
Introduction #
Liferay Portal 4.4.x features many security updates including the one we will be describing in this wiki. A patch was added to PortletRequestProcessor that requires POST, and disallows GET. This wiki will also show you how to override this feature so that you can use GET.
Security Update #
In Liferay Portal 4.4.x, Liferay added this segment in PortletRequestProcessor.java
if (action.isCheckMethodOnProcessAction()) {
if (!PortalUtil.isMethodPost(req)) {
String currentURL = PortalUtil.getCurrentURL(req);
if (_log.isWarnEnabled()) {
_log.warn(
"This URL can only be invoked using POST: " +currentURL); }
throw new PrincipalException(currentURL);
}
}This is for checking whether the request type is POST and to solve security vulnerabilities. What this means is that GET, by default, is not allowed.
Liferay also added this method in PortalAction.java
protected boolean isCheckMethodOnProcessAction() {
return _CHECK_METHOD_ON_PROCESS_ACTION;
}By default _CHECK_METHOD_ON_PROCESS_ACTION=true.
Example of using Get and being disallowed by isCheckMethodOnProcessAction():
Segment of the JSP:
<a href="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" >Test</a>
Segment of the Action:
TestAction.java
public class TestAction extends PortletAction {
public ActionForward render(
ActionMapping mapping, ActionForm form, PortletConfig config,
RenderRequest req, RenderResponse res)
throws Exception {
return mapping.findForward("portlet.ext.view_authtest.test");
}
}When we click the url, there will be the errors below:
09:11:43,582 WARN [PortletRequestProcessor:168] This URL can only be invoked us ing POST: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_m ode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest 09:11:43,613 ERROR [jsp:52] com.liferay.portal.security.auth.PrincipalException: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view& p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequ estProcessor.java:173) at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:96 ) at com.liferay.portlet.CachePortlet._invoke(CachePortlet.java:432) at com.liferay.portlet.CachePortlet.processAction(CachePortlet.java:215)
Use GET #
If you override the isCheckMethodOnProcessAction method in your action, the request can be executed correctly:
Segment of TestAction.java
public class TestAction extends PortletAction {
public ActionForward render(
ActionMapping mapping, ActionForm form, PortletConfig config,
RenderRequest req, RenderResponse res)
throws Exception {
return mapping.findForward("portlet.ext.view_authtest.test");
}
@Override
protected boolean isCheckMethodOnProcessAction() {
return _CHECK_METHOD_ON_PROCESS_ACTION;
}
private static final boolean _CHECK_METHOD_ON_PROCESS_ACTION = false;
} 