« 返回到 Security

Check Method on Process Action

Introduction #

Liferay Portal 4.4.x features many security updates including the one we will be describing in this wiki. A patch was added to PortletRequestProcessor that requires POST, and disallows GET. This wiki will also show you how to override this feature so that you can use GET.

Security Update #

In Liferay Portal 4.4.x, Liferay added this segment in PortletRequestProcessor.java

 if (action.isCheckMethodOnProcessAction()) {
      if (!PortalUtil.isMethodPost(req)) {
          String currentURL = PortalUtil.getCurrentURL(req);
          if (_log.isWarnEnabled()) {
                _log.warn(
                  "This URL can only be invoked using POST: " +currentURL);				}
            throw new PrincipalException(currentURL);
     }
 }

This is for checking whether the request type is POST and to solve security vulnerabilities. What this means is that GET, by default, is not allowed.

Liferay also added this method in PortalAction.java

 protected boolean isCheckMethodOnProcessAction() {
   return _CHECK_METHOD_ON_PROCESS_ACTION;
 }

By default _CHECK_METHOD_ON_PROCESS_ACTION=true.

Example of using Get and being disallowed by isCheckMethodOnProcessAction():

Segment of the JSP:

 <a href="<portlet:actionURL windowState="<%= WindowState.MAXIMIZED.toString() %>"><portlet:param name="struts_action" value="/ext/authtest/view_authtest/test" /></portlet:actionURL>" >Test</a>

Segment of the Action:

TestAction.java

 public class TestAction  extends PortletAction {
      public ActionForward render(
             ActionMapping mapping, ActionForm form, PortletConfig config,
                       RenderRequest req, RenderResponse res)
                throws Exception {
                     return mapping.findForward("portlet.ext.view_authtest.test");	
        }
 }

When we click the url, there will be the errors below:

 09:11:43,582 WARN  [PortletRequestProcessor:168] This URL can only be invoked us
 ing POST: /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_m
 ode=view&p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
 09:11:43,613 ERROR [jsp:52] com.liferay.portal.security.auth.PrincipalException:
 /web/guest/home?p_p_id=Authtest&p_p_action=1&p_p_state=maximized&p_p_mode=view&
 p_p_col_id=column-1&_Authtest_struts_action=%2Fext%2Fauthtest%2Ftest
   at com.liferay.portal.struts.PortletRequestProcessor.process(PortletRequ
 estProcessor.java:173)
   at com.liferay.portlet.StrutsPortlet.processAction(StrutsPortlet.java:96
 )
 at com.liferay.portlet.CachePortlet._invoke(CachePortlet.java:432)
   at com.liferay.portlet.CachePortlet.processAction(CachePortlet.java:215)

Use GET #

If you override the isCheckMethodOnProcessAction method in your action, the request can be executed correctly:

Segment of TestAction.java

 public class TestAction  extends PortletAction {
     public ActionForward render(
                    ActionMapping mapping, ActionForm form, PortletConfig config,
                       RenderRequest req, RenderResponse res)
                throws Exception {
                   return mapping.findForward("portlet.ext.view_authtest.test");
        }
        @Override
        protected boolean isCheckMethodOnProcessAction() {
              return _CHECK_METHOD_ON_PROCESS_ACTION;
        }
        private static final boolean _CHECK_METHOD_ON_PROCESS_ACTION = false;
 }
0 附件
38760 查看
平均 (1 投票)
满分为 5,平均得分为 5.0。
评论
讨论主题回复 作者 日期
Thank you. It saved me! Mahdy Khayyamian 2010年4月23日 上午8:02
How would I go about enabling GET with a... Milton Waddams 2010年10月29日 上午10:45
If I have extended ConfigurationAction or... Prakash Khanchandani 2011年4月12日 上午5:14
Hey Prakash Khanchandani, I am having the same... Venkatesh Manam 2014年7月18日 下午1:15

在 10-4-23 上午8:02 发帖。
How would I go about enabling GET with a GenericPortlet being used in Liferay 6.0.5?

It appears that processAction() is does not get triggered with GET. It goes straight to doView().
在 10-10-29 上午10:45 发帖。
If I have extended ConfigurationAction or BasicConfigurationAction, so as to show my page as a pop-up when clicked on the configuration link on the portlet settings icon, then how do I get away from this error: [PortletRequestProcessor:168] This URL can only be invoked using POST.

You help would be greatly appreciated.
在 11-4-12 上午5:14 发帖。
Hey Prakash Khanchandani, I am having the same issue saving the custom port let configuration. Were you able resolve the error? Please share the details if possible.
在 14-7-18 下午1:15 发帖。