Forum

Reject Process Action

Mohd Danish, modified 9 years ago.

Reject Process Action

Regular Member Posts: 187 Join Date: 05/03/12 Recent Posts
I have a portlet whose action method is called from a link sent through an email. But the problem is that when the user clicks on the link, the process action is rejected by Liferay (LR 6.2 CE GA2).

I have tried putting <add-default-resource>true</add-default-resource>

and also setting the portlet.add.default.resource.check.enabled=false
portlet.add.default.resource.check.whitelist= XXXXX_WAR_XXXXX

properties in portal-ext.properties.

Is there anything that I am missing or something else I can do?
Jitendra Rajput, modified 9 years ago.

RE: Reject Process Action

Liferay Master Posts: 875 Join Date: 07/01/11 Recent Posts
Make sure you also specify the instance name along with the portlet ID if your portlet is instanceable. It will not work until the instance ID is provided for a portlet with multiple instances.

portlet.add.default.resource.check.whitelist=3,56_INSTANCE_0000,58,82,86,87,88,103,113,145,164,166,170,177,101_INSTANCE_6yDjm6kcSUF4


Copy the existing property from portal-ext and add your portlet at the end.
Mohd Danish, modified 9 years ago.

RE: Reject Process Action

Regular Member Posts: 187 Join Date: 05/03/12 Recent Posts
It is not instantiable. I tried to put the name of the portlet in the whitelist, but it is still showing the same.
Andew Jardine, modified 9 years ago.

RE: Reject Process Action (Answer)

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
Does the link in the URL contain the p_auth parameter? If it does then you are likely being caught by the auth token check. Check out this property in the portal.properties file --


##
## Authentication Token
##

    #
    # Set this to true to enable authentication token security checks. The
    # checks can be disabled for specific actions via the property
    # "auth.token.ignore.actions" or for specific portlets via the init
    # parameter "check-auth-token" in portlet.xml.
    #
    auth.token.check.enabled=true


You could disable it altogether, but that does raise some possible XSS security issues I think. Best bet, if this is the cause of your problem, is to try to disable it just for this portlet.

Or possibly even remove it from the url that is emailed and see if that works.
Mohd Danish, modified 9 years ago.

RE: Reject Process Action

Regular Member Posts: 187 Join Date: 05/03/12 Recent Posts
Thanks a lot, that worked.
Tomas Polesovsky, modified 9 years ago.

RE: Reject Process Action

Liferay Master Posts: 676 Join Date: 13/02/09 Recent Posts
Please don't disable the whole CSRF check; you open a significant security hole. Keep:
auth.token.check.enabled=true


Rather, extract the email functionality into a separate portlet and white-list the portlet using:
auth.token.ignore.portlets=xxx_WAR_xxx
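
An added example, not part of the thread and not Liferay code: a small Python audit of a portal-ext.properties file that flags the two portal-wide switches mentioned above when they are set to false and lists every per-portlet exemption for review. The sample file content and the severity labels are constructed for illustration; absent keys are assumed to keep their default of true.

```python
# Property names come from the thread; severities and sample content are constructed.
GLOBAL_SWITCHES = {
    "auth.token.check.enabled": "CSRF auth token check disabled portal-wide",
    "portlet.add.default.resource.check.enabled":
        "add-default-resource check disabled portal-wide",
}
EXEMPTION_LISTS = (
    "auth.token.ignore.portlets",
    "auth.token.ignore.actions",
    "portlet.add.default.resource.check.whitelist",
)

def parse_properties(text):
    """Simplified .properties parser: key=value pairs, # or ! comments,
    and a trailing backslash as line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a later assignment overrides
    return props

def audit(text):
    """Return (severity, property, detail) tuples for settings worth a look."""
    props = parse_properties(text)
    findings = []
    for key, meaning in GLOBAL_SWITCHES.items():
        # Assumption: a missing key means the portal default (true) applies.
        if props.get(key, "true").lower() == "false":
            findings.append(("HIGH", key, meaning))
    for key in EXEMPTION_LISTS:
        for entry in props.get(key, "").split(","):
            if entry.strip():
                findings.append(("REVIEW", key, entry.strip()))
    return findings

# Constructed sample file, including a continued whitelist line.
SAMPLE = """\
auth.token.check.enabled=false
portlet.add.default.resource.check.enabled=false
portlet.add.default.resource.check.whitelist=3,56_INSTANCE_0000,\\
    xxx_WAR_xxx
auth.token.ignore.portlets=xxx_WAR_xxx
"""

if __name__ == "__main__":
    for severity, key, detail in audit(SAMPLE):
        print(f"{severity:6} {key}: {detail}")
```
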