  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-60491

Disabling SecureFilter leaves PrincipalThreadLocal with a null _name, impeding the execution of various use cases.

    Details

    • Branch Version/s:
      6.2.x
    • Backported to Branch:
      Committed
    • Story Points:
      1
    • Fix Priority:
      4

      Description

      According to the following comment, SecureFilter must not be disabled for security reasons; see: https://issues.liferay.com/browse/LPS-60491?focusedCommentId=699220&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-699220

      So the original problem was closed as "Won't fix".

      After some internal discussions in this LPS, some information was added to the portal.properties file:
      Steps to reproduce

      1. Go to tomcat-8.0.32\webapps\ROOT\WEB-INF\lib
      2. Unzip portal-impl.jar file
      3. Open internal portal.properties
      4. Go to the com.liferay.portal.servlet.filters.secure.SecureFilter lines:
        • Before the LPS-60491 commits: there is no warning about disabling SecureFilter
        • After the LPS-60491 commits: the following warning is shown
              # Disabling the secure filter seriously compromises Liferay's security. It
              # might be useful for developers to disable the secure filter but it should
              # never be disabled in production. Disabling the secure filter grants read
              # access to many private areas of Liferay but also renders much of Liferay's
              # functionality unusable.
          

      Using com.liferay.portal.servlet.filters.secure.SecureFilter=false makes it impossible to execute several use cases when a user is logged in.

      Steps to reproduce (Original problem, closed as won't fix)

      1. Set com.liferay.portal.servlet.filters.secure.SecureFilter=false in portal-ext.properties
      2. Start Liferay Portal
      3. Log in
      4. Try to add a page to the public pages

      Expected results
      A new public page is added to the site

      Current results
      An error message is shown: "You do not have the required permissions".
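
      An added example, not part of the original issue or of Liferay's code: a check that reports whether the effective SecureFilter setting is anything other than true, so a developer override is caught before it reaches production. It assumes portal-ext.properties overrides the bundled portal.properties; the function names and the sample file contents are constructed for illustration.

```python
import re

SECURE_FILTER_KEY = "com.liferay.portal.servlet.filters.secure.SecureFilter"

def parse_properties(text):
    """Parse Java .properties text into a dict; the last assignment wins."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a dangling continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_secure_filter(layers):
    """layers: (file name, text) pairs in load order, later files overriding
    earlier ones (assumed). Returns (value, source, flagged); value is None if unset."""
    value = source = None
    for name, text in layers:
        props = parse_properties(text)
        if SECURE_FILTER_KEY in props:
            value, source = props[SECURE_FILTER_KEY], name
    # Conservative choice: flag anything other than an explicit "true".
    flagged = value is not None and value.lower() != "true"
    return value, source, flagged

# Constructed sample input, not taken from a real installation.
BUNDLED = """\
# Disabling the secure filter seriously compromises Liferay's security.
com.liferay.portal.servlet.filters.secure.SecureFilter=true
"""
OVERRIDE = """\
# developer setting left in place
com.liferay.portal.servlet.filters.secure.SecureFilter = false
"""

if __name__ == "__main__":
    layers = [("portal.properties", BUNDLED), ("portal-ext.properties", OVERRIDE)]
    value, source, flagged = audit_secure_filter(layers)
    print(f"{SECURE_FILTER_KEY}={value} (from {source}) flagged={flagged}")
```

      Parsing the file rather than searching for the literal `SecureFilter=false` also catches the `:` separator, spaces around the separator, and a key split across a continuation line.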

                Dates

                • Days since last comment:
                  3 years, 21 weeks, 5 days ago

                  Packages

                  Version Package
                  6.2.X EE
                  7.0.0 Alpha 5