[LPS-75442] Misleading warning User 0 is not allowed to access URL - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.0.0 DXP FP32, 7.0.X, Master
Fix Version/s: 7.0.0 DXP FP102, 7.0.10.16 DXP SP17, 7.0.X, 7.1.10 DXP FP26, 7.1.10.7 SP7, 7.1.X, 7.2.10 DXP FP15, 7.2.X, 7.3.10.3 DXP SP3, 7.3.X, 7.4.2 CE GA3, 7.4.13 DXP GA1, Master
Component/s: Application Security > Login/Sign in Portlet
Labels:

Branch Version/s:

7.3.x, 7.2.x, 7.1.x, 7.0.x
Backported to Branch:

Committed
Story Points:
3
Fix Priority:
3
Git Pull Request:
https://github.com/brianchandotcom/liferay-portal/pull/103012

Description

This is a usability problem with a difficult to diagnose error.

When trying to authenticate when cookies are disabled, authentication fails with a broken page and the following warning message is written to the logfile:

[SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL http://SERVER:8080/web/guest/home and portlet com_liferay_login_web_portlet_LoginPortlet

While login obviously has to fail without cookies, the error message is completely misleading and very confusing.

Steps to reproduce - User interface

Setup Liferay, confirm that login works
Disable cookies (At least Firefox and Chrome allow you to disable them in the settings)
Try to login
- Expected result: User is notified that cookies are disabled. Warning message should not appear in logfile.
- Wrong behavior: Login obviously fails. Logfile contains said message

The issue is also reproduced in case the Liferay server receives a request from a bot or a program that doesn't handle the session cookies correctly.

Steps to reproduce - Requesting the login URL

Setup Liferay, confirm that login works

Download following URL using wget or curl:

wget "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"

curl "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"

Check the log file:
- Expected result: There is no warning message in the log file
- Wrong behavior: The warning message User 0 is not allowed to access URL http://localhost:8080/ and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper is written to the log file

Attachments

Activity

People

Assignee:: Ferenc Onodi (Inactive)

Reporter:: Christoph Rabel

Participants of an Issue:: Christoph Rabel, Ferenc Onodi, Summer Zhang

Recent user:: Kiyoshi Lee

Votes:: 10 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 24/Oct/17 2:51 AM

Updated:: 13/Sep/22 1:03 AM

Resolved:: 10/Jun/21 9:42 AM

Days since last comment:: 1 year, 50 weeks ago

Packages

Version	Package
7.0.0 DXP FP102
7.0.10.16 DXP SP17
7.0.X
7.1.10 DXP FP26
7.1.10.7 SP7
7.1.X
7.2.10 DXP FP15
7.2.X
7.3.10.3 DXP SP3
7.3.X
7.4.2 CE GA3	DXP 7,4
7.4.13 DXP GA1
Master