Message Boards

JSF portlet, friendly url call, processAction problem

Updated 7 years ago by Gunnar Brinkmann.

JSF portlet, friendly url call, processAction problem

Junior Member Posts: 53 Join Date: 11/12/02
Hello.

The goal: Call a liferay page "manually" (URL input or a href elsewhere) via friendly url and trigger portlet code on that page to load data.

Example: http://host/site/page/-/mapping/1234567890/load

Versions are: bridge 4.2.5-ga6 on 6.2 EE SP14 with primefaces 5.2 / mojarra 2.2.12

What I've managed so far:

"processAction" in my custom portlet class is executed and ParamUtil.getLong(actionRequest, ... is successful, I get the value "1234567890".

But I want my controller method (annotated with "ProcessAction") to be fired, this is not working a.t.m.

The controller is session scoped and annotated via javax (not via spring)

...
@ManagedBean
@SessionScoped
public class EditorController
{
...
    @ProcessAction(name="loadApplicationNumber")
    public void loadApplicationNumber(ActionRequest actionRequest, ActionResponse actionResponse)
    {
...

In my route configuration I tried both implicit-parameter "action" and "javax.portlet.action", no success.

...
<route>
    <pattern>/{applicationNumber:\d+}/load</pattern>
    <implicit-parameter name="p_p_lifecycle">1</implicit-parameter>
    <implicit-parameter name="javax.portlet.action">loadApplicationNumber</implicit-parameter>
</route>
...

What am I missing?

Regards,
Gunnar

edit: added "SP14"
another edit: added "mapping"
Updated 7 years ago by Kyle Joseph Stiemann.

RE: JSF portlet, friendly url call, processAction problem

Liferay Master Posts: 760 Join Date: 13/01/14
Hi Gunnar,
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.

However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.

Also @ProcessAction is part of the portlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.

- Kyle
Updated 7 years ago by Gunnar Brinkmann.

RE: JSF portlet, friendly url call, processAction problem

Junior Member Posts: 53 Join Date: 11/12/02
Hi Kyle.

Kyle Joseph Stiemann:
Hi Gunnar,
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.


ok, thank you.


However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.


Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties

auth.token.ignore.portlets=82,myportletnamespace

I'm expecting the Liferay page is still secured this way?
After that change I managed to land in "processAction" and could extract my friendly URL parameter value.
Before I got the "reject process action error".


Also @ProcessAction is part of the portlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.


Why should I do that, since I already managed to land in my custom portlet class' overridden "processAction" method?


- Kyle


Ok, maybe Portlet#processAction is enough and I'll try to transfer the value from Portlet to managed beans.

Thanks, regards and a great weekend,
Gunnar

edit: corrected properties filename
Updated 7 years ago by Kyle Joseph Stiemann.

RE: JSF portlet, friendly url call, processAction problem

Liferay Master Posts: 760 Join Date: 13/01/14
Gunnar Brinkmann:
Hi Kyle.

However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.


Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties

auth.token.ignore.portlets=82,myportletnamespace

I'm expecting the Liferay page is still secured this way?

Yes, I think all the portlets besides 82 and myportletnamespace would use the p_auth feature as security against CSRF. Just make sure you know what you are doing when disabling p_auth for those portlets. You could also consider disabling p_auth for certain actions via auth.token.ignore.portlets. That would be more fine-grained. See OWASP's CSRF article for more details about CSRF.

- Kyle
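
One way to keep track of the p_auth exemptions discussed in this thread is to audit portal-ext.properties and list every portlet or action that no longer requires the token. This is an added example, not code from the posts or from Liferay; the sample file content is constructed, the function names are hypothetical, and auth.token.ignore.actions is a portal property that is not mentioned in the thread.

```python
import re

CHECK_ENABLED = "auth.token.check.enabled"
# Per-portlet and per-action exemption lists (the second is not mentioned in the thread).
IGNORE_KEYS = ("auth.token.ignore.portlets", "auth.token.ignore.actions")

# Constructed sample, modelled on the setting posted in the thread.
SAMPLE = """\
# portal-ext.properties (constructed)
auth.token.ignore.portlets=82,\\
    myportletnamespace
"""


def parse_properties(text):
    """Parse Java .properties text: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:  # odd number of backslashes: value continues on the next line
            pending += line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", pending + line)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2).strip()  # last definition wins
    return props


def audit_csrf_settings(text):
    """Return (severity, message) findings for settings that relax the p_auth check."""
    props = parse_properties(text)
    findings = []
    if props.get(CHECK_ENABLED, "true").lower() == "false":
        findings.append(("high", f"{CHECK_ENABLED}=false turns the p_auth check off"))
    for key in IGNORE_KEYS:
        for entry in (e.strip() for e in props.get(key, "").split(",")):
            if entry:
                findings.append(("review", f"{key} exempts '{entry}' from p_auth"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_csrf_settings(SAMPLE):
        print(f"[{severity}] {message}")
```

Each "review" finding names a portlet or action whose action URLs are accepted without a token, so its action handlers are the ones to check for state-changing behaviour.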