When upgrading a Liferay Spring Portlet as part of an upgrade to DXP 7.4, developers are likely to encounter the behavior as outlined in
Liferay Portal/DXP 7.4 introduced a feature whereby the X-CSRF-TOKEN cookie is set to the same value as the p_auth request parameter. Because of this, calls to ActionRequest.getHeader("X-CSRF-TOKEN") return a value other than the one Spring Security expects.
As a result, submitting a form for a PortletMVC4Spring portlet is causing Spring Security to throw an org.springframework.security.access.AccessDeniedException with the message "Access denied!"
To have the contents of MVCS-66 and a step-by-step fix officially documented within our Help Center:
In order to fix this problem, it will be necessary for the com.liferay.portletmvc4spring.security module to pretend that the X-CSRF-TOKEN cookie does not exist in the portlet ActionRequest. One consequence of this is that PortletMVC4Spring forms will be required to submit the _csrf request parameter. But since this happens automatically and transparently when the Spring <form:form> JSP tag is used, this should be a non-issue for JSP-based portlets. Developers have always been responsible for adding the _csrf hidden field for Thymeleaf portlets, so this should be a non-issue for Thymeleaf-based portlets as well.
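The following is an added model, not code from PortletMVC4Spring or Liferay, of why the 7.4 X-CSRF-TOKEN value trips Spring Security's CsrfFilter and why hiding it makes the _csrf parameter carry the real token. It assumes the filter's real resolution order (header first, then the _csrf parameter); the ActionRequest class and the token values are constructed stand-ins, not the Portlet API.

```python
"""Model of CsrfFilter token resolution against a Liferay 7.4 form post.
Constructed example: the request object and tokens are stand-ins."""
from dataclasses import dataclass, field
from typing import Optional
import hmac

HEADER_NAME = "X-CSRF-TOKEN"   # header Spring's CsrfFilter reads first
PARAM_NAME = "_csrf"           # parameter it falls back to when the header is absent

# Constructed sample values: Liferay's p_auth and Spring's session token differ.
P_AUTH = "liferay-p-auth-abc123"
SPRING_TOKEN = "spring-session-csrf-9f8e7d"


@dataclass
class ActionRequest:
    """Stand-in for the portlet ActionRequest as seen by the security module."""
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def resolve_actual_token(req: ActionRequest) -> Optional[str]:
    """Same order as Spring Security's CsrfFilter: header, then _csrf parameter."""
    return req.headers.get(HEADER_NAME) or req.params.get(PARAM_NAME)


def hide_liferay_csrf_header(req: ActionRequest) -> ActionRequest:
    """The mitigation described above: hand Spring a request in which the
    Liferay-populated X-CSRF-TOKEN value does not exist, so _csrf is used."""
    kept = {k: v for k, v in req.headers.items() if k != HEADER_NAME}
    return ActionRequest(kept, dict(req.params))


def csrf_filter(req: ActionRequest, expected_token: str) -> bool:
    """True when the action may proceed; False models AccessDeniedException."""
    actual = resolve_actual_token(req)
    return actual is not None and hmac.compare_digest(actual, expected_token)


def liferay_74_form_post(include_csrf_param: bool) -> ActionRequest:
    """On 7.4, getHeader("X-CSRF-TOKEN") yields the p_auth value, as the
    ticket describes; _csrf is present only if the form rendered the field."""
    params = {"p_auth": P_AUTH}
    if include_csrf_param:
        params[PARAM_NAME] = SPRING_TOKEN  # <form:form> or a Thymeleaf hidden field
    return ActionRequest({HEADER_NAME: P_AUTH}, params)


if __name__ == "__main__":
    print("unpatched:", csrf_filter(liferay_74_form_post(True), SPRING_TOKEN))
    print("patched:  ", csrf_filter(hide_liferay_csrf_header(liferay_74_form_post(True)), SPRING_TOKEN))
```

The third case a practitioner should check is a patched module with a form that omits the _csrf field: the header is gone, nothing falls back, and access is still denied, which is the Thymeleaf caveat in the text.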