Message Boards
JSF portlet, friendly url call, processAction problem
Updated 7 years ago by Gunnar Brinkmann.
Junior Member Posts: 53 Join Date: 11/12/02
Hello.
The goal: Call a liferay page "manually" (URL input or a href elsewhere) via friendly url and trigger portlet code on that page to load data.
Example: http://host/site/page/-/mapping/1234567890/load
Versions are: bridge 4.2.5-ga6 on 6.2 EE SP14 with primefaces 5.2 / mojarra 2.2.12
What I've managed so far:
"processAction" in my custom portlet class is executed and ParamUtil.getLong(actionRequest, ... is successful, I get the value "1234567890".
But I want my controller method (annotated with "ProcessAction") to be fired, this is not working a.t.m.
The controller is session scoped and annotated via javax (not via spring)
    ...
    @ManagedBean
    @SessionScoped
    public class EditorController
    {
        ...
        @ProcessAction(name="loadApplicationNumber")
        public void loadApplicationNumber(ActionRequest actionRequest, ActionResponse actionResponse)
        {
            ...
In my route configuration I tried both implicit-parameter "action" and "javax.portlet.action", no success.
    ...
    <route>
        <pattern>/{applicationNumber:\d+}/load</pattern>
        <implicit-parameter name="p_p_lifecycle">1</implicit-parameter>
        <implicit-parameter name="javax.portlet.action">loadApplicationNumber</implicit-parameter>
    </route>
    ...
What am I missing?
Regards,
Gunnar
edit: added "SP14"
another edit: added "mapping"
Updated 7 years ago by Kyle Joseph Stiemann.
RE: JSF portlet, friendly url call, processAction problem
Liferay Master Posts: 760 Join Date: 13/01/14
Hi Gunnar,
Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.
However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Also @ProcessAction is part of the portlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.
- Kyle
Updated 7 years ago by Gunnar Brinkmann.
RE: JSF portlet, friendly url call, processAction problem
Junior Member Posts: 53 Join Date: 11/12/02
Hi Kyle.
Kyle Joseph Stiemann:
> Hi Gunnar,
> Liferay Faces did not support FriendlyURLs for ActionURLs in GA6. We've recently completed FACES-2654, so you'll be able to rely on this feature in future releases.
ok, thank you.
> However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties
    auth.token.ignore.portlets=82,myportletnamespace
I'm expecting the Liferay page is still secured this way?
After that change I managed to land in "processAction" and could extract my friendly URL parameter value.
Before I got the "reject process action error".
> Also @ProcessAction is part of the portlet API, so it's not really a good idea to include it in a JSF Managed Bean. It's probably more appropriate to add this method to an implementation of Portlet.
Why should I do that, since I already managed to land in my custom portlet class' overridden "processAction" method?
> - Kyle
Ok, maybe Portlet#processAction is enough and I'll try to transfer the value from Portlet to managed beans.
Thanks, regards and a great weekend,
Gunnar
edit: corrected properties filename
Updated 7 years ago by Kyle Joseph Stiemann.
RE: JSF portlet, friendly url call, processAction problem
Liferay Master Posts: 760 Join Date: 13/01/14
Gunnar Brinkmann:
> Hi Kyle.
>> However, you should consider that ActionURLs have the p_auth parameter included on them to prevent Cross Site Request Forgery (CSRF). This makes it difficult to create FriendlyURLs for actions because the URL contains a random token. You can turn off the p_auth parameter by setting auth.token.check.enabled=false in your portal-ext.properties file, but that will also turn off (CSRF) protection. So be sure to consider all that when using this feature.
> Yes, instead of turning security off I've added my portlet namespace in portal-ext.properties
>     auth.token.ignore.portlets=82,myportletnamespace
> I'm expecting the Liferay page is still secured this way?
Yes, I think all the portlets besides 82 and myportletnamespace would use the p_auth feature as security against CSRF. Just make sure you know what you are doing when disabling p_auth for those portlets. You could also consider disabling p_auth for certain actions via auth.token.ignore.portlets. That would be more fine-grained. See OWASP's CSRF article for more details about CSRF.
- Kyle
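An added example, not part of the thread and not Liferay code: a small Python audit of a portal-ext.properties file for the two settings discussed above. It flags auth.token.check.enabled=false and lists every auth.token.ignore.portlets entry outside a reviewed set; the sample file, the `reviewed` parameter and treating an absent auth.token.check.enabled as enabled are assumptions.

```python
def parse_properties(text):
    """Parse a subset of Java .properties syntax: '#'/'!' comments, '=' or ':'
    separators, backslash line continuations. A later key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit_csrf(text, reviewed=()):
    """Return (severity, message) findings about p_auth coverage.
    `reviewed` is a hypothetical set of ignore-list entries already signed off."""
    props = parse_properties(text)
    findings = []
    # Assumption: the token check counts as enabled unless explicitly set to false.
    if props.get("auth.token.check.enabled", "true").lower() == "false":
        findings.append(("HIGH", "p_auth check is disabled portal-wide"))
    entries = props.get("auth.token.ignore.portlets", "").split(",")
    for portlet in (e.strip() for e in entries):
        if portlet and portlet not in reviewed:
            findings.append(("REVIEW", f"portlet '{portlet}' accepts actions without p_auth"))
    return findings


# Constructed sample, modelled on the setting quoted in the thread.
SAMPLE = """\
auth.token.check.enabled=true
auth.token.ignore.portlets=82,\\
    myportletnamespace
"""

if __name__ == "__main__":
    for severity, message in audit_csrf(SAMPLE, reviewed={"82"}):
        print(severity, message)
```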