  1. PUBLIC - Liferay Documentation
  2. LRDOCS-10277

Unable to submit forms due to the X-CSRF-TOKEN cookie being set by Liferay DXP 7.4

Details

    • Developer

    Description

      When upgrading a Liferay Spring Portlet as part of an upgrade to DXP 7.4, developers are likely to encounter the behavior as outlined in MVCS-66:

      Liferay Portal/DXP 7.4 introduced a feature whereby the X-CSRF-TOKEN cookie is set to the same value as the p_auth request parameter. Because of this, calls to ActionRequest.getHeader("X-CSRF-TOKEN") are returning a value other than what Spring Security is expecting.

      As a result, submitting a form for a PortletMVC4Spring portlet is causing Spring Security to throw an org.springframework.security.access.AccessDeniedException with message "Access denied!"

      Request
      To have the contents of MVCS-66 and a step-by-step fix officially documented within our Help Center:

      In order to fix this problem, it will be necessary for the com.liferay.portletmvc4spring.security module to pretend that the X-CSRF-TOKEN cookie does not exist in the portlet ActionRequest. One consequence of this will be that PortletMVC4Spring forms will be required to submit the _csrf request parameter. But since this happens automatically/transparently when the Spring <form:form> JSP tag is used, this should be a non-issue for JSP-based portlets. Developers have always been responsible for adding the _csrf hidden field for Thymeleaf portlets, so this should be a non-issue for Thymeleaf-based portlets as well.
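
The lookup problem and the fix described above, as a simplified model added here (not PortletMVC4Spring or Spring Security source code). It assumes the token check reads the X-CSRF-TOKEN header first and falls back to the _csrf parameter only when that header is absent, as Spring Security's servlet CsrfFilter does; the Request record, the token values and the ignoreHeader flag are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Simplified model of the token lookup; not PortletMVC4Spring or Spring Security source.
public class CsrfLookupDemo {
    static final String HEADER = "X-CSRF-TOKEN"; // name from the ticket
    static final String PARAM = "_csrf";         // name from the ticket

    // Constructed stand-in for the portlet ActionRequest (Java 16+ record).
    record Request(Map<String, String> headers, Map<String, String> params) {
        String getHeader(String name) { return headers.get(name); }
        String getParameter(String name) { return params.get(name); }
    }

    // Assumed order: header first, request parameter only when no header is present.
    // ignoreHeader=true models the fix: behave as if X-CSRF-TOKEN were absent.
    static String resolveToken(Request request, boolean ignoreHeader) {
        String token = ignoreHeader ? null : request.getHeader(HEADER);
        return token != null ? token : request.getParameter(PARAM);
    }

    // Constant-time comparison against the token Spring Security issued.
    static boolean accepted(Request request, String expected, boolean ignoreHeader) {
        String actual = resolveToken(request, ignoreHeader);
        return actual != null && MessageDigest.isEqual(
            actual.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String springToken = "constructed-spring-csrf-token"; // constructed sample value
        String pAuth = "constructed-p-auth-value";            // constructed sample value
        Request withField = new Request(
            Map.of(HEADER, pAuth), Map.of(PARAM, springToken, "p_auth", pAuth));
        Request withoutField = new Request(
            Map.of(HEADER, pAuth), Map.of("p_auth", pAuth));

        System.out.println("before fix, form has _csrf:  " + accepted(withField, springToken, false));
        System.out.println("after fix, form has _csrf:   " + accepted(withField, springToken, true));
        System.out.println("after fix, form lacks _csrf: " + accepted(withoutField, springToken, true));
    }
}
```

The first case is rejected because the p_auth value shadows the token the form submitted; the last case shows why the _csrf field becomes mandatory once the header is ignored.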

          People

            jr.houn JR Houn
            philip.chapman Philip Chapman

              Packages

                Version Package
                7.4.x