Details
-
Type:
Bug
-
Status: Closed
-
Resolution: Fixed
-
Affects Version/s: 7.0.X, 7.1.X, Master
-
Fix Version/s: 7.1.10 DXP FP10, 7.1.10.2 SP2, 7.1.3 CE GA4, 7.1.X, Master
-
Branch Version/s:7.1.x
-
Backported to Branch:Committed
-
Story Points:0.5
-
Fix Priority:3
-
Git Pull Request:
Description
com.liferay.portal.servlet.filters.secure.NonceUtil uses a DelayQueue to save the generated nonces. This queue is individual per node, so a generated nonce can only be retrieved from the node that generates it.
Steps to Reproduce:
1.- Start a cluster with a couple of nodes
2.- Execute in one of the nodes the follwing script:
import com.liferay.portal.servlet.filters.secure.NonceUtil; String nonce = NonceUtil.generate(20099, "127.0.0.1"); out.println("Generated nonce: " + nonce);
3.- With the generated nonce, for example C480f83bcb6bA813d2cdaL8V5c592eeO execute the following script (on the remaining node) to check if the nonce can be verified from the other node:
import com.liferay.portal.servlet.filters.secure.NonceUtil; out.println("Verify: " + NonceUtil.verify("C480f83bcb6bA813d2cdaL8V5c592eeO"));
Expected Result:
The nonce should be verified from the other node, hence printing Verify: true
Actual:
The nonce can only be verified in the node where it was generated, hence printing Verify: false
Other test that must performed is the previous one, but executing step two with node2 down. The expected result would be the same.