Ask Questions and Find Answers
Important:
Ask is now read-only. You can review any existing questions and answers, but not add anything new.
But - don't panic! While ask is no more, we've replaced it with discuss - the new Liferay Discussion Forum! Read more here here or just visit the site here:
discuss.liferay.com
RE: logs: User 0 is not allowed to access URL and portlet
I keep getting this message on the log. A lot. What does it mean exactly? I was under the impression that guest users had a concrete ID depending on the instance, rather than simply having ID 0.
Everything appears to work normally when I browse the page, and just that one portlet logs the warning despite having other portlets with (I'm pretty sure) the same configuration.
I'm running liferay 7ga4, on tomcat if that helps.
05:36:36,018 WARN [http-nio-8080-exec-56][SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL https://mydomain.com/home and portlet myPortlet
Everything appears to work normally when I browse the page, and just that one portlet logs the warning despite having other portlets with (I'm pretty sure) the same configuration.
I'm running liferay 7ga4, on tomcat if that helps.
It points to a configuration issue of some kind.
I had this recently in an environment where I had enabled secure cookies but, on the test server, was not configured for SSL.
Come meet me at Devcon 2017 or 2017 LSNA!
I had this recently in an environment where I had enabled secure cookies but, on the test server, was not configured for SSL.
Come meet me at Devcon 2017 or 2017 LSNA!
We did have some issues with SSL a few weeks back, and that configuration was modified. I suppose I can double check that. Thanks for the suggestion.
Still, is there any way to dig deeper on this warning? or other, even? I've been looking into the logs and some stuff confuses me. I also got some XML-RPC pingback messages that appear to be related to simple links on the blog, I don't recall having seen these before either. They are logged without a stacktrace so they aren't easy to pinpoint and figure out what's up with them.
Still, is there any way to dig deeper on this warning? or other, even? I've been looking into the logs and some stuff confuses me. I also got some XML-RPC pingback messages that appear to be related to simple links on the blog, I don't recall having seen these before either. They are logged without a stacktrace so they aren't easy to pinpoint and figure out what's up with them.
[SecurityPortletContainerWrapper:348] User 0 is not allowed to access URL
I have gotten this issue and have rebuilt my LIferay in as basic a configuration mode as possible. And after installing several modules and working for a while: Boom! I am locked out of the admin interface, period!! The only solution is to either rebuild the Liferay database or completely rebuild the Liferay development instance. This began in Liferay 7 GA4.
Some sort of configuration issue is not helpful. I would suggest this is a regression of something that happened in one of the early releases:
https://issues.liferay.com/browse/LPS-63703
I happens in all browsers.
I have gotten this issue and have rebuilt my LIferay in as basic a configuration mode as possible. And after installing several modules and working for a while: Boom! I am locked out of the admin interface, period!! The only solution is to either rebuild the Liferay database or completely rebuild the Liferay development instance. This began in Liferay 7 GA4.
Some sort of configuration issue is not helpful. I would suggest this is a regression of something that happened in one of the early releases:
https://issues.liferay.com/browse/LPS-63703
I happens in all browsers.
Same problem in my Liferay 7 GA5 installation.
I have this problem when using Firefox, but is ok with Chrome!
I have this problem when using Firefox, but is ok with Chrome!
I have also faced same issue in login portlet.
My liferay version is : liferay-ce-portal-7.0-ga4
After some debugging I am able to conclude that this issue was coming when Guest User session expires.
Let's say if I have session timeout of 30 minutes so after logging in loggedInUser is logged out after 30 minutes and after that in my app user is being redirected back to login page.
Now user is logged out so current user is Guest user and if i don't do any activity for next 30 minutes and directly hits login button I am getting this error(User 0 is not allowed to access URL and portlet).
So think this could be because loggedOut user is assigned a guest session and after 30 minutes guest session is also expired so on login it gives that error.
To solve this I have applied one hack on login page which hit server with one fake ajax request before session timeout so that guest session do not expire and it worked!!
I am able to solve my problem but,
During this I also found that liferay was also doing something like this.
Liferay was hitting request on every 30 minutes(i.e. session timeout) like this :
http://null:null@localhost:8080/c/portal/extend_session
I think liferay is also extending session like this but may be this is not working properly(assuming - this call is for extending session ).
If anyone wants to apply some hack like this they can get some path to work on and If liferay is doing the same then I would like to know why it is not extending session.
Someone can guide me if I am on wrong path.
My liferay version is : liferay-ce-portal-7.0-ga4
After some debugging I am able to conclude that this issue was coming when Guest User session expires.
Let's say if I have session timeout of 30 minutes so after logging in loggedInUser is logged out after 30 minutes and after that in my app user is being redirected back to login page.
Now user is logged out so current user is Guest user and if i don't do any activity for next 30 minutes and directly hits login button I am getting this error(User 0 is not allowed to access URL and portlet).
So think this could be because loggedOut user is assigned a guest session and after 30 minutes guest session is also expired so on login it gives that error.
To solve this I have applied one hack on login page which hit server with one fake ajax request before session timeout so that guest session do not expire and it worked!!
I am able to solve my problem but,
During this I also found that liferay was also doing something like this.
Liferay was hitting request on every 30 minutes(i.e. session timeout) like this :
http://null:null@localhost:8080/c/portal/extend_session
I think liferay is also extending session like this but may be this is not working properly(assuming - this call is for extending session ).
If anyone wants to apply some hack like this they can get some path to work on and If liferay is doing the same then I would like to know why it is not extending session.
Someone can guide me if I am on wrong path.
pratik parekh:
I think liferay is also extending session like this but may be this is not working properly(assuming - this call is for extending session ).
Correct. When Liferay added the fix for LPS-68543, we left the default value for the session.timeout.auto.extend.offset property at zero. This means that in an out-of-box configuration, session auto-extend doesn't work because it's doing it too late. You should be able to fix it by giving this a positive value, like 300.
Thanks Minhchau Dang,
As per my understanding this property is used to extend session without asking user
session.timeout.auto.extend=true
And this property is used to set the time to extend session and after specified time session will be extended
session.timeout.auto.extend.offset=0
Now this process is used irrespective of user is logged in or not.
Am I correct?
If yes then how would I extend the session only for Guest user(Until he closes the tab) and loggedIn user's session should be expired on timeout.
Is there any mechanism/configuration through which I can achieve the same?
I want to do this just to avoid this error : "User 0 is not allowed to access URL and portlet".
Thanks
As per my understanding this property is used to extend session without asking user
session.timeout.auto.extend=true
And this property is used to set the time to extend session and after specified time session will be extended
session.timeout.auto.extend.offset=0
Now this process is used irrespective of user is logged in or not.
Am I correct?
If yes then how would I extend the session only for Guest user(Until he closes the tab) and loggedIn user's session should be expired on timeout.
Is there any mechanism/configuration through which I can achieve the same?
I want to do this just to avoid this error : "User 0 is not allowed to access URL and portlet".
Thanks
Also, I have found that you will see this error if you are using HTTPS to proxy to Liferay and the following properties are not set. David mentioned SSL above and that led me to finding that problem in our stack.
web.server.protocol=https
web.server.https.port=443
web.server.host=<proxy hostname></proxy>
Hi Adam
We are also getting this issue in our environment. As per initial investigation we found out that this is happening because of guest user session. To reproduce this issue i have logged in with one user in my localhost and then logout.After 30 minutes when i tried to login, I got this error. This error got resolved after page refresh.
But in our cluster environment this problem is not fixed, after 30 minutes user is not able to login again. We have setting like
web.server.protocol=https
web.server.https.port=443
web.server.host=<proxy hostname>
Can you please help how to fix this problem in cluster environment.
pratik parekh:
Now this process is used irrespective of user is logged in or not.
Am I correct?
No, that's not quite correct. After LPS-45084, the property session.timeout.auto.extend only applies to authenticated users.
In LPS-45084, we learned that there was a general problem with how Liferay dealt with guest user sessions and authentication tokens (invalid authentication tokens is essentially what raises the error, and by default, authentication tokens are tied to the user session). Because guest users also need an authentication token for things like login forms and web forms, if their session expires, anything they submit will be lost.
Initially we fixed it by giving guest users the option to manually extend their session, but our developers in Europe found that this was very confusing (see LPS-47190), because no other site does this. As a result, the final fix was to always auto-extend the session for guest users.
So if we're auto-extending the session for guest users, why does it not work?
It's because session.timeout.auto.extend.offset is equivalent to, "In the cases where you need to auto-extend the session, do so X seconds before you believe the session is set to expire." Because it's 0, it waits until the last possible second, and then attempts to extend the session. 99 times out of 100, this is probably way too late, and so session auto-extend fails.
For session auto-extend, it used to be the case that people would simply set session.timeout to something lower than the actual session length, but now we have that other property so that the session.timeout property can reflect the actual value in web.xml and we have another property to control just how much you want to live on the edge.
Minhchau Dangpratik parekhI think liferay is also extending session like this but may be this is not working properly(assuming - this call is for extending session ).
Correct. When Liferay added the fix for LPS-68543, we left the default value for the session.timeout.auto.extend.offset property at zero. This means that in an out-of-box configuration, session auto-extend doesn't work because it's doing it too late. You should be able to fix it by giving this a positive value, like 300.
If we set the session.timeout.auto.extend.offset=300 with auto-extend=false, with an aim in mind to allow guest users to submit forms without getting this exception, then what happens in that 300's i.e. after session time out and offset time. Does guest user form submission fails?
what happens If a user submits the form before the offset time & after the session time out
Vishnu S Kumar
If we set the session.timeout.auto.extend.offset=300 with auto-extend=false, with an aim in mind to allow guest users to submit forms without getting this exception, then what happens in that 300's i.e. after session time out and offset time. Does guest user form submission fails?
As far as I know, Liferay ignores the value of the session.timeout.auto.extend portal property for guest users (it is assumed to always be true for guest users), so as long as you have session.timeout.auto.extend.offset set, and the user is actively using the tab, the guest user form submission should still succeed.
Note that some web browsers also have a feature to disable Javascript from running in background tabs. In those cases, if the guest user has switched to a different active tab, and they return to the Liferay tab too late, then the session will time out and the guest user form submission is expected to fail.
Minhchau DangThank You...Very Useful InfoVishnu S Kumar
If we set the session.timeout.auto.extend.offset=300 with auto-extend=false, with an aim in mind to allow guest users to submit forms without getting this exception, then what happens in that 300's i.e. after session time out and offset time. Does guest user form submission fails?
As far as I know, Liferay ignores the value of the session.timeout.auto.extend portal property for guest users (it is assumed to always be true for guest users), so as long as you have session.timeout.auto.extend.offset set, and the user is actively using the tab, the guest user form submission should still succeed.
Note that some web browsers also have a feature to disable Javascript from running in background tabs. In those cases, if the guest user has switched to a different active tab, and they return to the Liferay tab too late, then the session will time out and the guest user form submission is expected to fail.
Further to this thread, I have a strange requirement/issue.
User is on login page (as guest), internet goes off or user left it browser open and left computer in hibernate mode.
Now from login page, again it is not able to communicate with server, hence the expired session times out. Now user connects his laptop to internet and see login page which was opened earlier. He enters credentials there and submits but page is refreshed with error in server (with same exception user 0... ) and he need to login again as his guest session is time out.
I get this occasionally running Liferay in my local environment. If I
open a new incognito window, it works fine. I can clear all local
storage for http://localhost:8080 in the Chrome browser tools, and I can
log in again.
Copyright © 2025 Liferay, Inc
• Privacy Policy
Powered by Liferay™