PUBLIC - Liferay Portal Community Edition / LPS-24160

ServiceContextFactory can result in an error if some SSO implementation provides a remoteUser value that doesn't coincide with a Liferay userId

    Details

      Description

      What can happen is that an SSO may pass authorization headers that Liferay may interpret as being a real userId value, but really a further check by a custom implementation of AutoLogin needs to use this value to resolve it against some external system.

      For this reason we have to make sure that the ServiceContextFactory which is deliberately executed inside of AbsoluteRedirectsFilter (so that we always have a ServiceContext) does not result in an error when seeing the foreign value.
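      A sketch of the tolerant handling the description asks for, as an added example that is not Liferay's code or the fix committed for this issue. The class `RemoteUserResolver`, the method `resolveUserId` and the `knownUser` lookup are hypothetical names, and the sample values are constructed.

```java
import java.util.OptionalLong;
import java.util.Set;
import java.util.function.LongPredicate;

public class RemoteUserResolver {

    /**
     * Hypothetical helper: returns the portal userId carried in remoteUser,
     * or empty when the value is absent, is not numeric, or is numeric but
     * does not match a known portal user. It never throws on foreign input.
     */
    static OptionalLong resolveUserId(String remoteUser, LongPredicate knownUser) {
        if (remoteUser == null) {
            return OptionalLong.empty();
        }
        String value = remoteUser.trim();
        if (value.isEmpty()) {
            return OptionalLong.empty();
        }
        long userId;
        try {
            userId = Long.parseLong(value);
        } catch (NumberFormatException nfe) {
            // Foreign SSO identifier (login name, e-mail, DN): leave it for
            // the AutoLogin implementation to resolve, do not fail here.
            return OptionalLong.empty();
        }
        // A numeric value can still be an external id, so confirm that it
        // matches a portal user before trusting it.
        if (userId <= 0 || !knownUser.test(userId)) {
            return OptionalLong.empty();
        }
        return OptionalLong.of(userId);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the portal's user lookup.
        Set<Long> portalUsers = Set.of(10196L, 10432L);
        // Constructed remoteUser values an SSO front end might supply.
        String[] samples = {"10196", "jdoe@example.com", "CN=jdoe,OU=staff", "99999", "", null};
        for (String sample : samples) {
            OptionalLong id = resolveUserId(sample, portalUsers::contains);
            System.out.println("remoteUser=" + sample + " -> "
                + (id.isPresent() ? "userId " + id.getAsLong() : "unresolved"));
        }
    }
}
```

      When the result is empty, the caller can build its context without a user and leave resolution of the foreign value to the AutoLogin implementation.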

              Dates

              • Days since last comment:
                7 years, 39 weeks ago

                Packages

                Version   Package
                6.0.X     EE
                6.1.0     CE RC1