RE: RE: PortalUtil.getUser(httpServletRequest) Does not return the logged in user

Jamie Sammons, modified 1 Year ago. New Member Posts: 2 Join Date: 7/21/23 Recent Posts

PortalUtil.getUser(httpServletRequest) Does not return the logged in user, but the default user on Liferay Digital Experience Platform 7.4.13 Update 92
I have a JAX-RS application that retrieves the logged-in user to perform some validations. The implementation was working as expected on version U52, but when I use the U95 version it does not work as expected: the returned user is the default user.

Looking at the documentation and the GitHub repository, I was not able to notice anything that may have changed between these versions, because apparently nothing has changed in the PortalUtil class from U52 to U92.

Does anyone know if anything has changed, and how can we now retrieve the logged-in user in the context of a JAX-RS app?

I tried this too and it didn't work:

// First attempt: resolve the user through a ServiceContext built from the request.
ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);
User user = serviceContext.getUser();

// Second attempt: read the user the portal stored on the HTTP session.
HttpSession httpSession = httpServletRequest.getSession();
User user = (User) httpSession.getAttribute(WebKeys.USER);

Here’s an example of what I’ve coded:

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.util.PortalUtil;

import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants;

@Component(
    immediate = true,
    property = {
        JaxrsWhiteboardConstants.JAX_RS_APPLICATION_BASE + "=greetings",
        JaxrsWhiteboardConstants.JAX_RS_NAME + "=Greetings.Rest",
        "jaxrs.application=true",
        "auth.verifier.guest.allowed=false",
        "liferay.oauth2=false"
    },
    configurationPolicy = ConfigurationPolicy.OPTIONAL,
    service = Application.class
)
@ApplicationPath("/greetings")
public class TestRestApplication extends Application {

    private static final Log LOG = LogFactoryUtil.getLog(TestRestApplication.class);

    // Register this class as the single JAX-RS resource of the application.
    @Override
    public Set<Object> getSingletons() {
        LOG.info("Start******");
        return Collections.<Object>singleton(this);
    }

    // GET .../user/logged: resolve the caller from the portal request and echo it back.
    @GET
    @Path("/user/logged")
    @Produces("text/plain")
    public String getUserLoggedIn(@Context HttpServletRequest httpServletRequest) throws PortalException {
        User user = PortalUtil.getUser(httpServletRequest);
        String screenName = user.getScreenName();
        String emailAddress = user.getEmailAddress();

        LOG.info("********screenName:" + screenName + "\n" + "emailAddress:" + emailAddress);
        return "screenName:" + screenName + "\n" + "emailAddress:" + emailAddress;
    }

}

Thank you.

Christoph Rabel, modified 1 Year ago. Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts

Newer versions of Liferay need the CSRF token in the request, preferably as a header. If it isn't present, the auth verifier "strips" the user from the request and the call is not authenticated.

So, we usually set it in our JavaScript application modules as a header, e.g.

fetch(
     "/o/<my-rest-service>",
     { headers: { "x-csrf-token": window.Liferay.authToken } }
).then(..)

This is the preferred approach!

But this is sometimes not possible (or tricky) for various reasons. So, there is a second mechanism to whitelist URLs and not require the token. BUT you must do this only for read-only requests (GET requests usually are, but who knows), and make sure that there is no security issue due to the missing CSRF token. Again: the first approach is preferable.
You can whitelist services in portal-ext.properties:
auth.token.ignore.origins=<my-rest-service>, <my-rest-service2>, ...


Jamie Sammons, modified 1 Year ago. New Member Posts: 2 Join Date: 7/21/23 Recent Posts

Hi Christoph Rabel, first, thank you very much for the reply.

Passing the header in the request works perfectly. However, in my case, the second suggestion would be more appropriate to my context.

However, testing the configuration via portal-ext.properties did not work. What am I missing in the configuration?
Here is the example.

#whitelist services in portal-ext.properties:
auth.token.ignore.origins=\
com.test.rest.application.TestRestApplication

I did, as described here:

https://docs.liferay.com/portal/7.4-ga92/propertiesdoc/portal.properties.html


Thank you!