Foren

  1. Startseite
  2. Development
  3. Problem with TunnelServlet @6.2

Problem with TunnelServlet @6.2

thumbnail
Christian Lerch, geändert vor 10 Jahren.

Problem with TunnelServlet @6.2

New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
I want to utilize the TunnelServlet from an external Java program.
I've setup the shared secret and also set property tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
Credentials are setup for the portal superuser, so there should'nt be any permission problem.

When I do a remote call from my external program, e.g. to GroupServiceHttp.getGroup(...), I get an java.lang.SecurityException with detail "Access denied for 127.0.0.1"

In the debugger I can see that this happens in the TunnelServlet on line 79:

returnObj = methodHandler.invoke(true);

This used to work well in the previous version 6.1.1 but now I cant find the cause.

Anybody with a helping hint or solution?
Is there anything I need to configure security-wise?

Thanks, Chris
thumbnail
Christian Lerch, geändert vor 10 Jahren.

RE: Problem with TunnelServlet @6.2

New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
The relevant exception stack I get for this problem is:

Caused by: java.lang.SecurityException: Access denied for 127.0.0.1
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.checkAllowedHosts(AccessControlAdvisorImpl.java:75)
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.accept(AccessControlAdvisorImpl.java:44)
at com.liferay.portal.security.ac.AccessControlAdvice.before(AccessControlAdvice.java:46)
at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:44)
at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:175)
at com.sun.proxy.$Proxy30.getGroup(Unknown Source)
at com.liferay.portal.service.GroupServiceUtil.getGroup(GroupServiceUtil.java:261)
thumbnail
Christian Lerch, geändert vor 10 Jahren.

RE: Problem with TunnelServlet @6.2

New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
More and more I'm beginning to think that this is a bug.
I found no other workaround than to comment out the line where the exception is thrown. Now tunneling works as expected.

Can anybody please give me advice on how and where to file an issue/bug like this with development?
thumbnail
Anil T, geändert vor 8 Jahren.

RE: Problem with TunnelServlet @6.2

Expert Beiträge: 313 Beitrittsdatum: 14.01.12 Neueste Beiträge
Hi,

Is there any solution for this bug?

Thanks,
Anil T
thumbnail
Christian P. Lerch, geändert vor 8 Jahren.

RE: Problem with TunnelServlet @6.2

New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
Hi,

Well I have learned that it's in fact not a bug but a somewhat undocumented security feature.

If you add this line

auth.verifier.TunnelingServletAuthVerifier.hosts.allowed=127.0.0.1,SERVER_IP

in addition to

tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP

to your portal-ext.properties, it will not throw a security exception anymore.

Cheers,
Chris
thumbnail
Anil T, geändert vor 8 Jahren.

RE: Problem with TunnelServlet @6.2

Expert Beiträge: 313 Beitrittsdatum: 14.01.12 Neueste Beiträge
Thanks Lerch. It worked.