[LPS-133357] Unexpected format for whitelisting JSONWS API paths - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Verified
Resolution: Unresolved
Affects Version/s: 7.3.6 CE GA7, 7.4.0 CE GA1, Master
Fix Version/s: None
Component/s: Portal Configuration, Web Services > JSON WS
Labels:
- usm-qa-review

Fix Priority:
3

Description

According to portal.properties it is expected to list all JSONWS paths you need to whitelist:

    #
    # The property "jsonws.web.service.paths.includes" denotes patterns for JSON
    # web service action paths that are allowed. Set a blank pattern to allow
    # any service action path.
    #
    # Env: LIFERAY_JSONWS_PERIOD_WEB_PERIOD_SERVICE_PERIOD_PATHS_PERIOD_INCLUDES
    #
    jsonws.web.service.paths.includes=

However, if JSONWS paths are namespaced (e.g. those with ddl namespace below), you have to tweak them to be processed correctly. So instead of this:

jsonws.web.service.paths.includes=\
    /announcementsflag/add-flag,\
    /announcementsflag/get-flag,\
    /announcementsflag/delete-flag,\
    /ddl.ddlrecord/add-record,\
    /ddl.ddlrecordset/update-min-display-rows

you have to specify this:

jsonws.web.service.paths.includes=\
    /announcementsflag/add-flag,\
    /announcementsflag/get-flag,\
    /announcementsflag/delete-flag,\
    ddlrecord.ddlrecord/add-record,\
    ddlrecordset.ddlrecordset/update-min-display-rows

It means: without the leading slash and with that namespace replaced with the part after the dot.

It is caused by two mistakes:

The leading character is stripped, but not added back after the namespace is prepended to the context path:
https://github.com/liferay/liferay-portal/blob/874bdcaff61d6290bc627a667d9cf0c8b0a01516/portal-kernel/src/com/liferay/portal/kernel/jsonwebservice/JSONWebServiceNaming.java#L168-L173

public boolean isIncludedPath(String contextPath, String path) {
   String portalContextPath = PortalUtil.getPathContext();

   if (!contextPath.equals(portalContextPath)) {
      path = contextPath + StringPool.PERIOD + path.substring(1);
   }

Instead of the contextName the contextPath is passed so incorrect value is prepended:
https://github.com/liferay/liferay-portal/blob/6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb/portal-impl/src/com/liferay/portal/jsonwebservice/DefaultJSONWebServiceRegistrator.java#L281-L283

protected void onJSONWebServiceBean(
          String contextName, String contextPath, Object serviceBean, 
          JSONWebService jsonWebService)
   throws Exception {
   ...
   if (!_jsonWebServiceNaming.isIncludedPath(contextPath, path)) {
      continue;
   }

Once namespaced paths are specified in the original form, they disappear from the localhost:8080/api/jsonws and the error is thrown when API is accessed using e.g. curl.

Attachments

Activity

People

Assignee:: SE Support

Reporter:: Jan Tošovský

Participants of an Issue:: Jan Tošovský, Melody Wu, SE Support

Recent user:: Patricia Perez

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 01/Jun/21 3:16 AM

Updated:: 14/Dec/21 9:05 AM

Days since last comment:: 9 weeks ago

Packages

Version	Package