PUBLIC - Liferay Portal Community Edition
LPS-36481

The p_p_auth parameter is unnecessarily added to URLs for portlets that have add-default-resource=false

    Details

      Description

      Portlets that have configured liferay-portlet.xml with the element:

      <add-default-resource>true</add-default-resource>

      ... will allow those portlets to be dynamically added to any page by any user.

      For example, a portlet can be dynamically added to a maximized page by specifying it in the URL:

      http://localhost:8080/web/guest/home?p_p_id=fooportlet_WAR_fooportlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&p_p_auth=H343ef

      The purpose of the p_p_auth URL parameter is to provide a layer of security that prevents users from adding the p_p_id parameter directly to a URL in their browser.

      However, the PortletURLImpl.addPortletAuthToken(StringBundle, Key) method is unnecessarily adding the p_p_auth parameter to URLs for portlets that have add-default-resource=false. As described in FACES-1435, this causes a problem with ICEfaces when it tries to perform a DOM-diff.

      The fix is simple: wrap the code that adds the parameter in an "if" condition, so that the token is only emitted for portlets that can actually be added to a page dynamically:

      // Only append p_p_auth for portlets with add-default-resource=true;
      // other portlets cannot be added via p_p_id, so the token is never checked for them.
      if (_portlet.isAddDefaultResource()) {
      	sb.append("p_p_auth");
      	sb.append(StringPool.EQUAL);
      	sb.append(processValue(key, actualPortletAuthenticationToken));
      	sb.append(StringPool.AMPERSAND);
      }

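      To make the access model behind this fix concrete, here is an added, simplified Python model (not Liferay's code): a URL builder with the fix switchable on and off, and a server-side check that only admits a portlet named purely by p_p_id when it has add-default-resource=true and carries a valid token. The HMAC token scheme, the portlet ids and the secret are constructed assumptions for the illustration, not Liferay's actual token algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Simplified model of the behaviour described in LPS-36481 (not Liferay's code).
# p_p_auth only matters for portlets with add-default-resource=true, because only
# those may be instantiated on a page straight from the URL via p_p_id.


@dataclass(frozen=True)
class Portlet:
    portlet_id: str
    add_default_resource: bool


def portlet_auth_token(secret: bytes, session_id: str, portlet_id: str) -> str:
    """Hypothetical per-session token binding a portlet id to a session (HMAC-SHA256)."""
    msg = f"{session_id}:{portlet_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_portlet_url(base: str, portlet: Portlet, token: str, fixed: bool = True) -> str:
    """Build a maximized render URL. With the fix, p_p_auth is added only when it is needed."""
    params = {"p_p_id": portlet.portlet_id, "p_p_lifecycle": "0",
              "p_p_state": "maximized", "p_p_mode": "view"}
    if portlet.add_default_resource or not fixed:  # the "if" condition from the fix
        params["p_p_auth"] = token
    return base + "?" + urlencode(params)


def may_render(url: str, portlet: Portlet, on_page: bool, secret: bytes, session_id: str) -> bool:
    """Server-side decision: a portlet already placed on the page always renders; a portlet
    named only by p_p_id renders only if it may be added dynamically AND the token matches."""
    query = parse_qs(urlparse(url).query)
    if query.get("p_p_id", [None])[0] != portlet.portlet_id:
        return False
    if on_page:
        return True
    if not portlet.add_default_resource:
        return False  # token is irrelevant here, which is why emitting it was unnecessary
    expected = portlet_auth_token(secret, session_id, portlet.portlet_id)
    return hmac.compare_digest(query.get("p_p_auth", [""])[0], expected)
```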

      Steps to Reproduce:
      1. Start Liferay Portal 6.1.1 CE GA2 on Tomcat
      2. Download the attached test1-portlet.war and test2-portlet.war artifacts
      3. Copy the wars to the Liferay /deploy folder
      4. Create a page called “test1”
      5. Add the test1 portlet to the portal page named “test1”
      6. Create a page called “test2”
      7. Navigate back to the test1 page.
      8. Look at the Tomcat console log and look for "INFO" lines from doView that show the value of actionURL, renderURL, and resourceURL.
      9. Click on the link in test1-portlet’s step 2, DISMISS the window that pops up.
      10. Look at the Tomcat console log again. If LPS-36481 is fixed, then you should see some "INFO" lines from serveResource. Otherwise, if it is still broken, you will see some "ERROR" lines from serveResource.
      11. In order to make sure that existing functionality still works correctly, click on test1-portlet’s link to test2-portlet. If all is well, then the test2-portlet should render without any permission errors (add-default-resource=true).
      12. In order to make sure that existing functionality still works correctly, click on test1-portlet’s link to test1-portlet. If all is well, then the test1-portlet should not render because you do not have permission to access it (add-default-resource=false).

        Attachments

        1. test1-portlet.zip
          12 kB
        2. test1-portlet-1.0.war
          9 kB
        3. test2-portlet.zip
          12 kB
        4. test2-portlet-1.0.war
          6 kB

              People

              Assignee:
              mark.jin Mark Jin (Inactive)
              Reporter:
              neil.griffin Neil Griffin

                  Packages

                  Version Package
                  6.1.30 EE GA3
                  6.2.0 CE B1