PUBLIC - Liferay Portal Enterprise Edition / LPE-2393

Added ability to limit MVCPortlet to a specific path

    Details

      Description

      Suppose there are multiple portlets in one portlet WAR. For example, the first portlet could contain a set of JSPs in /basic/ and a second portlet could contain a set of JSPs in /admin/.

      Currently, it is up to the portlet developer to ensure that a user who has access to the basic portlet does not change the "jspPage" parameter to point to a JSP page in the /admin/ path. Preventing that requires a lot of manual coding, which defeats the purpose of using the MVC Portlet.

      This update adds the ability to limit a portlet to a particular path by setting a "jsp-path" init parameter in portlet.xml. For example, setting the basic portlet's jsp-path to "/basic/" ensures that the basic portlet cannot call any JSP other than those in the /basic/ path. It also detects ".." and other hacks to prevent a malicious user from circumventing this.
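
One way to implement the kind of check described above, as an added example that is not Liferay's MVCPortlet code. The class name `JspPathGuard`, the list of rejected substrings, the `.jsp` suffix rule and the sample paths are assumptions made for illustration.

```java
/** Hypothetical helper, not Liferay's code: confines a "jspPage" value to one jsp-path. */
public class JspPathGuard {

    // Substrings rejected outright: they can make the resolved file differ
    // from what a plain prefix comparison sees.
    private static final String[] REJECTED = {
        "..",   // parent-directory traversal
        "\\",   // backslash separators
        "//",   // empty path segments
        "%",    // leftover percent-encoding that a later layer might decode
        "\0",   // NUL byte
        "?", "#", ";"  // query, fragment and path-parameter delimiters
    };

    private final String prefix;

    public JspPathGuard(String jspPath) {
        if (jspPath == null || !jspPath.startsWith("/")) {
            throw new IllegalArgumentException("jsp-path must start with '/'");
        }
        // Force a trailing slash so "/basic" cannot also match "/basicadmin/x.jsp".
        this.prefix = jspPath.endsWith("/") ? jspPath : jspPath + "/";
    }

    public boolean isAllowed(String jspPage) {
        if (jspPage == null || !jspPage.startsWith(prefix)) {
            return false;
        }
        for (String bad : REJECTED) {
            if (jspPage.contains(bad)) {
                return false;
            }
        }
        return jspPage.endsWith(".jsp"); // assumption: only .jsp files are served
    }

    public static void main(String[] args) {
        JspPathGuard basic = new JspPathGuard("/basic/");
        String[] samples = {                // constructed sample values
            "/basic/view.jsp",              // inside the configured path
            "/admin/edit.jsp",              // the other portlet's directory
            "/basic/../admin/edit.jsp",     // dot-dot traversal
            "/basic/%2e%2e/admin/edit.jsp", // percent-encoded traversal
            "/basic\\..\\admin\\edit.jsp",  // backslash variant
        };
        for (String s : samples) {
            System.out.println(basic.isAllowed(s) + "  " + s);
        }
    }
}
```

The guard rejects on any suspicious substring rather than trying to normalize the path, so a value is only accepted when the string checked is the string that will be resolved.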


              People

              Assignee:
              sophia.zhang Sophia Zhang
              Reporter:
              brian.chan Brian Chan

                  Packages

                  Version Package
                  5.1 EE SP6 (5.1.9)
                  5.2 EE SP4 (5.2.8)