Foren
Problem with TunnelServlet @6.2
Christian Lerch, geändert vor 10 Jahren.
Problem with TunnelServlet @6.2
New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
I want to utilize the TunnelServlet from an external Java program.
I've setup the shared secret and also set property tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
Credentials are setup for the portal superuser, so there should'nt be any permission problem.
When I do a remote call from my external program, e.g. to GroupServiceHttp.getGroup(...), I get an java.lang.SecurityException with detail "Access denied for 127.0.0.1"
In the debugger I can see that this happens in the TunnelServlet on line 79:
returnObj = methodHandler.invoke(true);
This used to work well in the previous version 6.1.1 but now I cant find the cause.
Anybody with a helping hint or solution?
Is there anything I need to configure security-wise?
Thanks, Chris
I've setup the shared secret and also set property tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
Credentials are setup for the portal superuser, so there should'nt be any permission problem.
When I do a remote call from my external program, e.g. to GroupServiceHttp.getGroup(...), I get an java.lang.SecurityException with detail "Access denied for 127.0.0.1"
In the debugger I can see that this happens in the TunnelServlet on line 79:
returnObj = methodHandler.invoke(true);
This used to work well in the previous version 6.1.1 but now I cant find the cause.
Anybody with a helping hint or solution?
Is there anything I need to configure security-wise?
Thanks, Chris
Christian Lerch, geändert vor 10 Jahren.
RE: Problem with TunnelServlet @6.2
New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
The relevant exception stack I get for this problem is:
Caused by: java.lang.SecurityException: Access denied for 127.0.0.1
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.checkAllowedHosts(AccessControlAdvisorImpl.java:75)
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.accept(AccessControlAdvisorImpl.java:44)
at com.liferay.portal.security.ac.AccessControlAdvice.before(AccessControlAdvice.java:46)
at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:44)
at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:175)
at com.sun.proxy.$Proxy30.getGroup(Unknown Source)
at com.liferay.portal.service.GroupServiceUtil.getGroup(GroupServiceUtil.java:261)
Caused by: java.lang.SecurityException: Access denied for 127.0.0.1
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.checkAllowedHosts(AccessControlAdvisorImpl.java:75)
at com.liferay.portal.security.ac.AccessControlAdvisorImpl.accept(AccessControlAdvisorImpl.java:44)
at com.liferay.portal.security.ac.AccessControlAdvice.before(AccessControlAdvice.java:46)
at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:44)
at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:111)
at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:175)
at com.sun.proxy.$Proxy30.getGroup(Unknown Source)
at com.liferay.portal.service.GroupServiceUtil.getGroup(GroupServiceUtil.java:261)
Christian Lerch, geändert vor 10 Jahren.
RE: Problem with TunnelServlet @6.2
New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
More and more I'm beginning to think that this is a bug.
I found no other workaround than to comment out the line where the exception is thrown. Now tunneling works as expected.
Can anybody please give me advice on how and where to file an issue/bug like this with development?
I found no other workaround than to comment out the line where the exception is thrown. Now tunneling works as expected.
Can anybody please give me advice on how and where to file an issue/bug like this with development?
Anil T, geändert vor 8 Jahren.
RE: Problem with TunnelServlet @6.2
Expert Beiträge: 313 Beitrittsdatum: 14.01.12 Neueste Beiträge
Hi,
Is there any solution for this bug?
Thanks,
Anil T
Is there any solution for this bug?
Thanks,
Anil T
Christian P. Lerch, geändert vor 8 Jahren.
RE: Problem with TunnelServlet @6.2
New Member Beiträge: 18 Beitrittsdatum: 22.06.12 Neueste Beiträge
Hi,
Well I have learned that it's in fact not a bug but a somewhat undocumented security feature.
If you add this line
auth.verifier.TunnelingServletAuthVerifier.hosts.allowed=127.0.0.1,SERVER_IP
in addition to
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
to your portal-ext.properties, it will not throw a security exception anymore.
Cheers,
Chris
Well I have learned that it's in fact not a bug but a somewhat undocumented security feature.
If you add this line
auth.verifier.TunnelingServletAuthVerifier.hosts.allowed=127.0.0.1,SERVER_IP
in addition to
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
to your portal-ext.properties, it will not throw a security exception anymore.
Cheers,
Chris
Anil T, geändert vor 8 Jahren.
RE: Problem with TunnelServlet @6.2
Expert Beiträge: 313 Beitrittsdatum: 14.01.12 Neueste Beiträge
Thanks Lerch. It worked.