Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
Portlets whose liferay-portlet.xml is configured with the element:
... can be dynamically added to any page by any user.
For example, a portlet can be dynamically added to a maximized page by specifying it in the URL:
The purpose of the p_p_auth URL parameter is to provide a layer of security that prevents users from adding the p_p_id parameter directly to a URL in their browser.
However, the PortletURLImpl.addPortletAuthToken(StringBundler, Key) method is unnecessarily adding the p_p_auth parameter to URLs for portlets that have add-default-resource=false. As described in FACES-1435, this causes a problem with ICEfaces when it tries to perform a DOM-diff.
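Because add-default-resource=true lets any user add a portlet to any page, it helps to know which deployed WARs enable it. The Python script below is an added example, not part of the original issue or of Liferay's code: it reads WEB-INF/liferay-portlet.xml from a WAR and lists the portlets whose add-default-resource is not explicitly false. The sample descriptor and its portlet names are constructed, and the script assumes an absent element means false.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "WEB-INF/liferay-portlet.xml"

# Constructed sample descriptor (not taken from the issue's attachments).
SAMPLE_XML = """<?xml version="1.0"?>
<liferay-portlet-app>
  <portlet>
    <portlet-name>test1</portlet-name>
    <add-default-resource>false</add-default-resource>
  </portlet>
  <portlet>
    <portlet-name>test2</portlet-name>
    <add-default-resource>true</add-default-resource>
  </portlet>
  <portlet>
    <portlet-name>no-flag</portlet-name>
  </portlet>
</liferay-portlet-app>
"""

def portlets_in_descriptor(xml_data):
    """Map each portlet-name to True if add-default-resource is enabled."""
    flags = {}
    for portlet in ET.fromstring(xml_data).iter("portlet"):
        name = (portlet.findtext("portlet-name") or "").strip()
        value = (portlet.findtext("add-default-resource") or "").strip().lower()
        # Assumption: an absent element means false. Any value other than
        # an explicit "false" is reported so that it gets reviewed.
        flags[name] = value not in ("", "false")
    return flags

def audit_war(war_file):
    """Return sorted names of portlets in a WAR (path or file object) with the flag on."""
    with zipfile.ZipFile(war_file) as war:
        if DESCRIPTOR not in war.namelist():
            return []  # no Liferay descriptor in this archive
        flags = portlets_in_descriptor(war.read(DESCRIPTOR))
    return sorted(name for name, enabled in flags.items() if enabled)

def build_sample_war(descriptor_xml):
    """Build an in-memory WAR holding only the given descriptor (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(DESCRIPTOR, descriptor_xml)
    return buf
```

Call audit_war() with the path of each WAR copied to the deploy folder; for the constructed sample it reports only test2.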
The fix is quite simple: put an "if" condition around the code that adds the parameter:
Steps to Reproduce:
1. Start Liferay Portal 6.1.1 CE GA2 on Tomcat
2. Download the attached test1-portlet.war and test2-portlet.war artifacts
3. Copy the wars to the Liferay /deploy folder
4. Create a page called “test1”
5. Add the test1 portlet to the portal page named “test1”
6. Create a page called “test2”
7. Navigate back to the test1 page.
8. Look at the Tomcat console log and look for "INFO" lines from doView that show the value of actionURL, renderURL, and resourceURL.
9. Click on the link in test1-portlet’s step 2 and DISMISS the window that pops up.
10. Look at the Tomcat console log again. If LPS-36481 is fixed, then you should see some "INFO" lines from serveResource. Otherwise, if it is still broken, you will see some "ERROR" lines from serveResource.
11. In order to make sure that existing functionality still works correctly, click on test1-portlet’s link to test2-portlet. If all is well, then the test2-portlet should render without any permission errors (add-default-resource=true).
12. In order to make sure that existing functionality still works correctly, click on test1-portlet’s link to test1-portlet. If all is well, then the test1-portlet should not render because you do not have permission to access it (add-default-resource=false).