  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-75442

Misleading warning User 0 is not allowed to access URL

    Details

      Description

      This is a usability problem with a difficult-to-diagnose error.

      When trying to authenticate when cookies are disabled, authentication fails with a broken page and the following warning message is written to the logfile:

      [SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL http://SERVER:8080/web/guest/home and portlet com_liferay_login_web_portlet_LoginPortlet

      While login obviously has to fail without cookies, the error message is completely misleading and very confusing.

      Steps to reproduce - User interface

      1. Set up Liferay, confirm that login works
      2. Disable cookies (at least Firefox and Chrome allow you to disable them in the settings)
      3. Try to log in
        • Expected result: User is notified that cookies are disabled. Warning message should not appear in logfile.
        • Wrong behavior: Login obviously fails. Logfile contains said message.

      The issue is also reproduced in case the Liferay server receives a request from a bot or a program that doesn't handle the session cookies correctly.

      Steps to reproduce - Requesting the login URL

      1. Set up Liferay, confirm that login works
      2. Download the following URL using wget or curl:
        • wget "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"
        • curl "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"
      3. Check the log file:
        • Expected result: There is no warning message in the log file
        • Wrong behavior: The warning message User 0 is not allowed to access URL http://localhost:8080/ and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper is written to the log file
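
A log triage sketch for the two warnings quoted above, added here as an example and not part of the issue or of Liferay's code: it separates cookie-less hits on the login portlet from other denials that deserve a closer look. The sample log lines (timestamps, thread names, the whole third line) are constructed, and reading user ID 0 as a request without an authenticated session is an assumption drawn from the report.

```python
import re
from collections import Counter

# Constructed sample: the first two messages follow the wording quoted in the
# issue; timestamps, thread names and the third line are invented.
SAMPLE_LOG = """\
2024-01-01 10:00:01 WARN  [http-nio-8080-exec-1][SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL http://localhost:8080/web/guest/home and portlet com_liferay_login_web_portlet_LoginPortlet
2024-01-01 10:00:07 WARN  [http-nio-8080-exec-2][SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL http://localhost:8080/ and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper
2024-01-01 10:00:09 WARN  [http-nio-8080-exec-3][SecurityPortletContainerWrapper:348] User 20139 is not allowed to access URL http://localhost:8080/group/control_panel and portlet hypothetical_admin_portlet
"""

LOGIN_PORTLET = "com_liferay_login_web_portlet_LoginPortlet"

# The optional trailing ": <reason>" part only appears in the second message.
WARNING = re.compile(
    r"User (?P<user>\d+) is not allowed to access URL (?P<url>\S+) "
    r"and portlet (?P<portlet>[^\s:]+)(?:: (?P<reason>.*))?$"
)


def classify(line):
    """Return (label, user, url, csrf_reason_present) or None if no match."""
    m = WARNING.search(line.rstrip())
    if m is None:
        return None
    # Assumption: user 0 on the login portlet is the cookie-less case from the
    # report (browser with cookies disabled, bot, wget/curl), not a real denial.
    if m["user"] == "0" and m["portlet"] == LOGIN_PORTLET:
        label = "login-without-session"
    else:
        label = "needs-review"
    has_csrf_reason = bool(m["reason"] and "CSRF token" in m["reason"])
    return label, m["user"], m["url"], has_csrf_reason


def triage(log_text):
    """Classify every matching warning and count the labels."""
    hits = [c for c in map(classify, log_text.splitlines()) if c]
    return Counter(label for label, *_ in hits), hits


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(counts))
```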

       

       


            People

            Assignee:
            ferenc.onodi Ferenc Onodi
            Reporter:
            crabel Christoph Rabel
            Participants of an Issue:
            Recent user:
            Tomáš Polešovský

              Dates

              Days since last comment:
              13 weeks, 3 days ago

                Packages

                Version Package
                7.2.X
                7.3.X
                7.4.2 CE GA3 DXP 7,4
                Master