  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-75442

Misleading warning User 0 is not allowed to access URL

    Details

      Description

      This is a usability problem with a difficult-to-diagnose error.

      When trying to authenticate when cookies are disabled, authentication fails with a broken page and the following warning message is written to the logfile:

      [SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL http://SERVER:8080/web/guest/home and portlet com_liferay_login_web_portlet_LoginPortlet

      While login obviously has to fail without cookies, the error message is completely misleading and very confusing.

      Steps to reproduce - User interface

      1. Set up Liferay, confirm that login works
      2. Disable cookies (At least Firefox and Chrome allow you to disable them in the settings)
      3. Try to log in
        • Expected result: User is notified that cookies are disabled. Warning message should not appear in logfile.
        • Wrong behavior: Login obviously fails. Logfile contains said message.

      The issue is also reproduced in case the Liferay server receives a request from a bot or a program that doesn't handle the session cookies correctly.

      Steps to reproduce - Requesting the login URL

      1. Set up Liferay, confirm that login works
      2. Download the following URL using wget or curl:
        • wget "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"
        • curl "http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin"
      3. Check the log file:
        • Expected result: There is no warning message in the log file
        • Wrong behavior: The warning message User 0 is not allowed to access URL http://localhost:8080/ and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper is written to the log file
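
      A log-triage sketch for the warning described above, added here as an example and not part of the original report or of Liferay's code: it separates the cookieless login case (user 0 and the login portlet) from the same warning raised in other contexts. The message pattern is taken from the two warnings quoted in this issue; the third and fourth sample lines, the user id 20139 and the portlet name com_example_demo_portlet_DemoPortlet are constructed, and treating user id 0 as a request without a session is an assumption based on those warnings.

```python
import re
from collections import Counter

# Message shape taken from the two warnings quoted in this issue.
WARNING = re.compile(
    r"User (?P<user>\d+) is not allowed to access URL (?P<url>\S+) "
    r"and portlet (?P<portlet>\w+)(?:: (?P<reason>.*))?$"
)
LOGIN_PORTLET = "com_liferay_login_web_portlet_LoginPortlet"

# Lines 1-2 are the messages from this issue; lines 3-4 are constructed samples.
SAMPLE_LOG = [
    "[SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL "
    "http://SERVER:8080/web/guest/home and portlet " + LOGIN_PORTLET,
    "User 0 is not allowed to access URL http://localhost:8080/ and portlet "
    + LOGIN_PORTLET + ": User 0 did not provide a valid CSRF token for "
    "com.liferay.portlet.SecurityPortletContainerWrapper",
    "[SecurityPortletContainerWrapper:348] User 20139 is not allowed to access URL "
    "http://localhost:8080/web/guest/home and portlet "
    "com_example_demo_portlet_DemoPortlet: User 20139 did not provide a valid "
    "CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper",
    "Server startup in 41234 ms",
]

def classify(line):
    """Return (category, fields) for this warning, or None for any other line."""
    m = WARNING.search(line.rstrip())
    if m is None:
        return None
    fields = m.groupdict()
    no_session = fields["user"] == "0"  # assumption: id 0 means no session user
    if no_session and fields["portlet"] == LOGIN_PORTLET:
        return "cookieless-login", fields    # the case this issue describes
    if no_session:
        return "no-session-other-portlet", fields
    return "authenticated-user", fields      # not explained by missing cookies

def summarize(lines):
    """Count warnings per category, ignoring unrelated log lines."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result[0]] += 1
    return dict(counts)

if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category}: {count}")
```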

       

       

            People

            Assignee:
            ferenc.onodi Ferenc Onodi (Inactive)
            Reporter:
            crabel Christoph Rabel
            Participants of an Issue:
            Recent user:
            Mariano Álvaro
            Votes:
            10
            Watchers:
            10

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              47 weeks, 5 days ago

                Packages

                Version Package
                7.0.0 DXP FP102
                7.0.10.16 DXP SP17
                7.0.X
                7.1.10 DXP FP26
                7.1.10.7 SP7
                7.1.X
                7.2.10 DXP FP15
                7.2.X
                7.3.10.3 DXP SP3
                7.3.X
                7.4.2 CE GA3 DXP 7,4
                7.4.13 DXP GA1
                Master