  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-79249

portal.properties file implies the usability of non-existent auth.verifier.TunnelingServletAuthVerifier.* properties

      Description
      In the portal.properties file, there is a segment explaining that you can have properties specific to each AuthVerifier object by prefixing ".hosts.allowed" and ".urls.includes" with the AuthVerifier's class name:

      ##
      ## Authentication Verifier
      ##
      
          #
          # Input a list of comma delimited class names that implement
          # com.liferay.portal.security.auth.AuthVerifier. These classes are used to
          # verify whether a request is authenticated or not.
          #
          # This property is not read by the portal except for portal properties
          # overridden by liferay-hook.xml. It remains here only as a reference.
          #
          #auth.verifier.pipeline=com.liferay.portal.security.auth.verifier.basic.auth.header.BasicAuthHeaderAuthVerifier,com.liferay.portal.security.auth.verifier.DigestAuthenticationAuthVerifier,com.liferay.portal.security.auth.verifier.request.parameter.RequestParameterAuthVerifier,com.liferay.portal.security.auth.verifier.PortalSessionAuthVerifier,com.liferay.portal.security.auth.verifier.TunnelingServletAuthVerifier
      
          #
          # Each authentication verifier can have custom properties set via the
          # property prefix "auth.verifier." and the authentication verifier's simple
          # class name. All property suffixes are stripped of their prefix and passed
          # directly to the authentication verifier. For example, the property
          # "auth.verifier.BasicAuthHeaderAuthVerifier.hosts.allowed" is passed to
          # BasicAuthHeaderAuthVerifier as "hosts.allowed".
          #
          # The expected property suffixes are "hosts.allowed" and "urls". See the
          # property "json.service.auth.token.hosts.allowed" for the accepted values
          # for the property suffix "hosts.allowed".
          #
          # The property suffix "urls.includes" denotes the valid URLs that apply to
          # an authentication verifier.
          #
          # The property suffix "urls.excludes" denotes URLs that will not be handled
          # even if they match the patterns set in "urls.includes".
          #
      
          #
          # BasicAuthHeaderAuthVerifier
          #
          #auth.verifier.BasicAuthHeaderAuthVerifier.hosts.allowed=
          #auth.verifier.BasicAuthHeaderAuthVerifier.urls.includes=/api/*,/xmlrpc/*
          #auth.verifier.BasicAuthHeaderAuthVerifier.urls.excludes=/api/liferay/do
      
          #
          # DigestAuthenticationAuthVerifier
          #
          #auth.verifier.DigestAuthenticationAuthVerifier.hosts.allowed=
          #auth.verifier.DigestAuthenticationAuthVerifier.urls.includes=N/A
      
          #
          # PortalSessionAuthVerifier
          #
          #auth.verifier.PortalSessionAuthVerifier.hosts.allowed=
          #auth.verifier.PortalSessionAuthVerifier.urls.includes=\
          #    /api/json/*,\
          #    /api/jsonws/*,\
          #    /c/portal/json_service/*
      
          #
          # RequestParameterAuthVerifier
          #
          #auth.verifier.RequestParameterAuthVerifier.hosts.allowed=
          #auth.verifier.RequestParameterAuthVerifier.urls.includes=N/A
      
          #
          # TunnelingServletAuthVerifier
          #
          #auth.verifier.TunnelingServletAuthVerifier.hosts.allowed=255.255.255.255
          #auth.verifier.TunnelingServletAuthVerifier.urls.includes=/api/liferay/do
      

      At the bottom, you can see that there are example properties listed for the TunnelingServletAuthVerifier class. However, we don't have a class called TunnelingServletAuthVerifier - it was renamed to TunnelAuthVerifier in LPS-58639. Moreover, that very same LPS made that particular AuthVerifier configurable via osgi/configs rather than via portal properties, so these portal properties wouldn't do anything anyway. We even have them listed as modularized properties in our VerifyProperties class! So they should be removed from portal.properties to avoid confusion.

      Steps to Reproduce
      1. Open up the portal.properties file.
      2. Search the file for a mention of "TunnelingServletAuthVerifier"

      Expected Result: There would be no mention of "TunnelingServletAuthVerifier" as that class no longer exists.
      Actual Result: There are example properties that imply the existence of a TunnelingServletAuthVerifier class.
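
      A check for the situation this issue describes, as an added example (not part of the original issue or of Liferay's code): it scans a properties file for `auth.verifier.<SimpleClassName>.*` keys whose class name is not in a caller-supplied set of existing verifiers. The sample file, the `KNOWN_VERIFIERS` set and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: a portal-ext.properties that copied entries from the
# reference block quoted above (not a real deployment file).
SAMPLE = """\
auth.verifier.BasicAuthHeaderAuthVerifier.urls.includes=/api/*,/xmlrpc/*
auth.verifier.PortalSessionAuthVerifier.urls.includes=\\
    /api/json/*,\\
    /api/jsonws/*
# auth.verifier.DigestAuthenticationAuthVerifier.hosts.allowed=
auth.verifier.TunnelingServletAuthVerifier.hosts.allowed=255.255.255.255
auth.verifier.TunnelingServletAuthVerifier.urls.includes=/api/liferay/do
"""

# Assumption: simple class names you have confirmed exist in your version,
# seeded here from the other sections of the quoted block.
KNOWN_VERIFIERS = {
    "BasicAuthHeaderAuthVerifier", "DigestAuthenticationAuthVerifier",
    "PortalSessionAuthVerifier", "RequestParameterAuthVerifier",
}
KEY_RE = re.compile(r"^auth\.verifier\.([A-Za-z_]\w*)\.(.+)$")

def logical_lines(text):
    """Yield (first_line_no, joined_line); skips comments, joins '\\' continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line[0] in "#!":
                continue  # blank or comment at the start of a logical line
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf  # file ended in the middle of a continuation

def stale_verifier_properties(text, known=KNOWN_VERIFIERS):
    """Return (line_no, class_name, suffix, value) for keys naming unknown verifiers."""
    findings = []
    for no, line in logical_lines(text):
        key, _, value = line.partition("=")  # only '=' separators are handled
        m = KEY_RE.match(key.strip())
        if m and m.group(1) not in known:
            findings.append((no, m.group(1), m.group(2), value.strip()))
    return findings
```

      A finding on `hosts.allowed` or `urls.includes` marks a setting that, per this issue, has no effect, so the restriction it appears to express has to be set wherever that verifier is actually configured.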

            People

            • Assignee: Sharry Shi (sharry.shi)
            • Reporter: Michael Bowerman (Inactive) (michael.bowerman)
            • Recent user: Csaba Turcsan

              Dates

              • Days since last comment: 1 year, 31 weeks, 6 days ago

                Packages

                Version Package
                7.0.0 DXP FP46
                7.0.6 CE GA7
                7.0.0 DXP SP8
                7.0.X
                7.1.0 M2
                7.1.X
                Master