Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-133357

Unexpected format for whitelisting JSONWS API paths

    Details

    • Fix Priority:
      3

      Description

      According to portal.properties it is expected to list all JSONWS paths you need to whitelist:

          #
          # The property "jsonws.web.service.paths.includes" denotes patterns for JSON
          # web service action paths that are allowed. Set a blank pattern to allow
          # any service action path.
          #
          # Env: LIFERAY_JSONWS_PERIOD_WEB_PERIOD_SERVICE_PERIOD_PATHS_PERIOD_INCLUDES
          #
          jsonws.web.service.paths.includes=
      

      However, if JSONWS paths are namespaced (e.g. those with ddl namespace below), you have to tweak them to be processed correctly. So instead of this:

      jsonws.web.service.paths.includes=\
          /announcementsflag/add-flag,\
          /announcementsflag/get-flag,\
          /announcementsflag/delete-flag,\
          /ddl.ddlrecord/add-record,\
          /ddl.ddlrecordset/update-min-display-rows
      

      you have to specify this:

      jsonws.web.service.paths.includes=\
          /announcementsflag/add-flag,\
          /announcementsflag/get-flag,\
          /announcementsflag/delete-flag,\
          ddlrecord.ddlrecord/add-record,\
          ddlrecordset.ddlrecordset/update-min-display-rows
      

      It means: without the leading slash and with that namespace replaced with the part after the dot.

      It is caused by two mistakes:

      1. The leading character is stripped, but not added back after the namespace is prepended to the context path:
        https://github.com/liferay/liferay-portal/blob/874bdcaff61d6290bc627a667d9cf0c8b0a01516/portal-kernel/src/com/liferay/portal/kernel/jsonwebservice/JSONWebServiceNaming.java#L168-L173
      public boolean isIncludedPath(String contextPath, String path) {
         String portalContextPath = PortalUtil.getPathContext();
      
         if (!contextPath.equals(portalContextPath)) {
            path = contextPath + StringPool.PERIOD + path.substring(1);
         }
      
      1. Instead of the contextName the contextPath is passed so incorrect value is prepended:
        https://github.com/liferay/liferay-portal/blob/6d28f4266948e7b0eeb14c3e8d16b3d81e02e8bb/portal-impl/src/com/liferay/portal/jsonwebservice/DefaultJSONWebServiceRegistrator.java#L281-L283
      protected void onJSONWebServiceBean(
                String contextName, String contextPath, Object serviceBean, 
                JSONWebService jsonWebService)
         throws Exception {
         ...
         if (!_jsonWebServiceNaming.isIncludedPath(contextPath, path)) {
            continue;
         }
      

      Once namespaced paths are specified in the original form, they disappear from the localhost:8080/api/jsonws and the error is thrown when API is accessed using e.g. curl.

        Attachments

          Activity

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            honyk Jan Tošovský
            Participants of an Issue:
            Recent user:
            Patricia Perez
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Days since last comment:
              9 weeks ago

                Packages

                Version Package