
Check Method on Process Action

Introduction #

Liferay Portal 4.4.x features many security updates, including the one described in this wiki. A patch was added to PortletRequestProcessor that requires action requests to be sent with POST and rejects GET. This wiki also shows how to override the check in your own action so that it accepts GET.

Security Update #

In Liferay Portal 4.4.x, Liferay added this segment in PortletRequestProcessor.java:

 if (action.isCheckMethodOnProcessAction()) {
     // Reject the action request unless it arrived with the POST method
     if (!PortalUtil.isMethodPost(req)) {
         String currentURL = PortalUtil.getCurrentURL(req);

         if (_log.isWarnEnabled()) {
             _log.warn(
                 "This URL can only be invoked using POST: " + currentURL);
         }

         throw new PrincipalException(currentURL);
     }
 }

This checks that the action request was sent with POST and is meant to close security vulnerabilities. In practice it means that, by default, an action URL invoked with GET is refused with a PrincipalException.

Liferay also added this method in PortalAction.java:

 protected boolean isCheckMethodOnProcessAction() {
   return _CHECK_METHOD_ON_PROCESS_ACTION;
 }

By default, _CHECK_METHOD_ON_PROCESS_ACTION is true, so every action is protected unless it overrides the method.

Example of using GET and being rejected by isCheckMethodOnProcessAction():

Segment of the JSP:

 <a href="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" >Test</a>

Segment of the Action:

TestAction.java

 import javax.portlet.PortletConfig;
 import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
 import org.apache.struts.action.ActionMapping;
 import com.liferay.portal.struts.PortletAction;

 public class TestAction extends PortletAction {
     // Render phase only; no isCheckMethodOnProcessAction() override here
     public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
             RenderRequest req, RenderResponse res)
         throws Exception {
         return mapping.findForward("portlet.ext.view_authtest.test");
     }
 }

When we click the link, the log shows the errors below:

 09:11:43,582 WARN  [PortletRequestProcessor:168] This URL can only be invoked using POST: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
 09:11:43,613 ERROR [jsp:52] com.liferay.portal.security.auth.PrincipalException: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
   at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequestProcessor.java:173)
   at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:96)
   at com.liferay.portlet.CachePortlet._invoke(CachePortlet.java:432)
   at com.liferay.portlet.CachePortlet.processAction(CachePortlet.java:215)

Use GET #

If you override the isCheckMethodOnProcessAction method in your action so that it returns false, the request is processed over GET as well. Keep in mind that this turns off the POST-only check for every request handled by that action, so apply it only to actions that do not need the protection:

Segment of TestAction.java:

 import javax.portlet.PortletConfig;
 import javax.portlet.RenderRequest;
 import javax.portlet.RenderResponse;
 import org.apache.struts.action.ActionForm;
 import org.apache.struts.action.ActionForward;
 import org.apache.struts.action.ActionMapping;
 import com.liferay.portal.struts.PortletAction;

 public class TestAction extends PortletAction {
     public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
             RenderRequest req, RenderResponse res)
         throws Exception {
         return mapping.findForward("portlet.ext.view_authtest.test");
     }

     // Returning false switches off the POST-only check for this action only
     @Override
     protected boolean isCheckMethodOnProcessAction() {
         return _CHECK_METHOD_ON_PROCESS_ACTION;
     }

     // Shadows the constant in the superclass, which defaults to true
     private static final boolean _CHECK_METHOD_ON_PROCESS_ACTION = false;
 }
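Two ways to keep the check enabled instead of overriding it, as an added example that is not part of the original wiki page. It assumes the same portlet taglib prefix, page import and struts_action path as the JSP segment above, and that the link target only needs its render() method (as TestAction does) unless a real action phase is wanted.

```jsp
<%-- Added example, not from the original page. The directives below are assumed
     to match the ones already used by the page's JSP. --%>
<%@ taglib uri="http://java.sun.com/portlet" prefix="portlet" %>
<%@ page import="javax.portlet.WindowState" %>

<%-- 1. TestAction only implements render(), so the link needs no action phase.
     A renderURL is fetched with GET and never reaches the POST-only check,
     so isCheckMethodOnProcessAction() can stay at its default of true. --%>
<a href="<portlet:renderURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:renderURL>">Test (render only)</a>

<%-- 2. When processAction() really has to run, submit the actionURL with POST.
     PortalUtil.isMethodPost(req) is then true and the check passes without
     any override in the action class. --%>
<form action="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" method="post">
    <input type="submit" value="Test (action phase over POST)" />
</form>
```

The first form is the one to reach for when the "action" only forwards to a view; the second keeps the protection for actions that change state.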
Comments

Mahdy Khayyamian, 2010/04/23 8:02:
Thank you. It saved me!

Milton Waddams, 2010/10/29 10:45:
How would I go about enabling GET with a GenericPortlet being used in Liferay 6.0.5?

It appears that processAction() does not get triggered with GET. It goes straight to doView().

Prakash Khanchandani, 2011/04/12 5:14:
If I have extended ConfigurationAction or BasicConfigurationAction, so as to show my page as a pop-up when clicked on the configuration link on the portlet settings icon, then how do I get away from this error: [PortletRequestProcessor:168] This URL can only be invoked using POST.

Your help would be greatly appreciated.

Venkatesh Manam, 2014/07/18 13:15:
Hey Prakash Khanchandani, I am having the same issue saving the custom portlet configuration. Were you able to resolve the error? Please share the details if possible.