  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-133357

Unexpected format for whitelisting JSONWS API paths

Details

    Description

      According to portal.properties, you are expected to list all JSONWS paths you need to whitelist:

          #
          # The property "jsonws.web.service.paths.includes" denotes patterns for JSON
          # web service action paths that are allowed. Set a blank pattern to allow
          # any service action path.
          #
          # Env: LIFERAY_JSONWS_PERIOD_WEB_PERIOD_SERVICE_PERIOD_PATHS_PERIOD_INCLUDES
          #
          jsonws.web.service.paths.includes=
      

      However, if JSONWS paths are namespaced (e.g. those with the ddl namespace below), you have to tweak them so that they are processed correctly. So instead of this:

      jsonws.web.service.paths.includes=\
          /announcementsflag/add-flag,\
          /announcementsflag/get-flag,\
          /announcementsflag/delete-flag,\
          /ddl.ddlrecord/add-record,\
          /ddl.ddlrecordset/update-min-display-rows
      

      you have to specify this:

      jsonws.web.service.paths.includes=\
          /announcementsflag/add-flag,\
          /announcementsflag/get-flag,\
          /announcementsflag/delete-flag,\
          ddlrecord.ddlrecord/add-record,\
          ddlrecordset.ddlrecordset/update-min-display-rows
      

      That is: without the leading slash, and with the namespace replaced by the part after the dot.

      It is caused by two mistakes:

      1. The leading character is stripped, but not added back after the namespace is prepended to the context path:
        https://github.com/liferay/liferay-portal/blob/874bdcaff61d6290bc627a667d9cf0c8b0a01516/portal-kernel/src/com/liferay/portal/kernel/jsonwebservice/JSONWebServiceNaming.java#L168-L173
      public boolean isIncludedPath(String contextPath, String path) {
         String portalContextPath = PortalUtil.getPathContext();

         if (!contextPath.equals(portalContextPath)) {
            // substring(1) drops the leading "/", which is never restored
            path = contextPath + StringPool.PERIOD + path.substring(1);
         }
         ...
      }
      
      2. Instead of the contextName, the contextPath is passed, so an incorrect value is prepended:
        https://github.com/liferay/liferay-portal/blob/6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb/portal-impl/src/com/liferay/portal/jsonwebservice/DefaultJSONWebServiceRegistrator.java#L281-L283
      protected void onJSONWebServiceBean(
            String contextName, String contextPath, Object serviceBean,
            JSONWebService jsonWebService)
         throws Exception {
         ...
         // contextPath is passed here rather than contextName
         if (!_jsonWebServiceNaming.isIncludedPath(contextPath, path)) {
            continue;
         }
         ...
      }
      

      Once namespaced paths are specified in the original form, they disappear from localhost:8080/api/jsonws and an error is thrown when the API is accessed using e.g. curl.
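
The mismatch described above, modelled as a stand-alone class; this is an added example, not Liferay code. It compares the key built by the quoted rewrite against the documented and the workaround include lists, next to a hypothetical corrected rewrite. Assumptions: the portal context path is empty, matching is exact rather than pattern-based, and the prepended value "ddlrecord" is inferred from the working entries in this report.

```java
import java.util.Set;

public class IncludedPathDemo {
    static final String PORTAL_CONTEXT = ""; // assumed portal context path

    // Mirrors the quoted rewrite: the leading "/" is dropped and not restored.
    static String reportedKey(String passedValue, String path) {
        if (passedValue.equals(PORTAL_CONTEXT)) {
            return path; // portal's own services are matched unchanged
        }
        return passedValue + "." + path.substring(1);
    }

    // Hypothetical correction: prepend the namespace and restore the slash.
    static String correctedKey(String contextName, String path) {
        if (contextName.isEmpty()) {
            return path;
        }
        return "/" + contextName + "." + path.substring(1);
    }

    // A blank list allows every path (per portal.properties); otherwise
    // exact match, a simplification of the real pattern matching.
    static boolean included(Set<String> includes, String key) {
        return includes.isEmpty() || includes.contains(key);
    }

    public static void main(String[] args) {
        Set<String> documented = Set.of(
            "/announcementsflag/add-flag", "/ddl.ddlrecord/add-record");
        Set<String> workaround = Set.of(
            "/announcementsflag/add-flag", "ddlrecord.ddlrecord/add-record");

        // Constructed rows: {contextName, value passed as contextPath, path}
        String[][] services = {
            {"", "", "/announcementsflag/add-flag"},
            {"ddl", "ddlrecord", "/ddlrecord/add-record"},
        };
        for (String[] s : services) {
            String reported = reportedKey(s[1], s[2]);
            String corrected = correctedKey(s[0], s[2]);
            System.out.printf("reported key %s: documented=%b workaround=%b%n",
                reported, included(documented, reported), included(workaround, reported));
            System.out.printf("corrected key %s: documented=%b%n",
                corrected, included(documented, corrected));
        }
    }
}
```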

            People

              gabor.lovas Gábor Lovas
              honyk Jan Tošovský
              Enterprise Release HU Enterprise Release HU

              Dates

                Created:
                Updated:
                Resolved:
                10 weeks ago

                Packages

                  Version Package
                  7.3.10 DXP U18
                  7.3.X
                  7.4.13 DXP U54
                  7.4.3.54 CE GA54
                  Master