Required security configuration deleted on upgrade from 7.3 to 7.4Required security configuration deleted on upgrade from 7.3 to 7.4https://liferay.dev/de/c/message_boards/find_thread?p_l_id=119785294&threadId=1232179802026-04-17T23:03:25Z2026-04-17T23:03:25ZRE: RE: Required security configuration deleted on upgrade from 7.3 to 7.4Chris Rimeshttps://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&messageId=1232458822025-02-14T16:11:16Z2025-02-14T10:43:55Z<p>For the reproduced steps outlined in the original post, I was just
using an unmodified Liferay bundle, so:</p>
<pre>
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-accessories.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-crosssell.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-related.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-spare.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-upsell.config
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration-default.config
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication-default.config
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration-default.config
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration-default.config
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration-default.config
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration-default.config
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration-bulk.config
org.apache.aries.jax.rs.jackson.config org.apache.aries.jax.rs.whiteboard.default.config
</pre>
<p>In our actual deployments there are a few extra ones:</p>
<pre>
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-accessories.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-crosssell.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-related.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-spare.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-upsell.config
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration-default.config
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication-default.config
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration-default.config
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration-default.config
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration-default.config
com.liferay.portal.search.elasticsearch7.configuration.ElasticsearchConfiguration.config
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration-default.config
com.liferay.portal.security.sso.openid.connect.configuration.OpenIdConnectConfiguration.config
com.liferay.portal.security.sso.openid.connect.internal.configuration.OpenIdConnectProviderConfiguration-TNDP.config
com.liferay.portal.store.s3.configuration.S3StoreConfiguration.config
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration-bulk.config
org.apache.aries.jax.rs.jackson.config
org.apache.aries.jax.rs.whiteboard.default.config
</pre>Chris Rimes2025-02-14T10:43:55ZRE: Required security configuration deleted on upgrade from 7.3 to 7.4Alberto Chaparrohttps://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&messageId=1232388822025-02-11T13:10:36Z2025-02-11T13:10:35Z<p>Hi Chris,<br>
<br> Can you provide the list of file names you have in the folder
<em>{LIFERAY_HOME}/osgi/configs</em> before the upgrade?<br>
<br> Thanks.</p>Alberto Chaparro2025-02-11T13:10:35ZRE: Required security configuration deleted on upgrade from 7.3 to 7.4Jamie Sammonshttps://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&messageId=1232184332025-01-31T15:36:55Z2025-01-31T15:36:55Z<p>Bug Report Created: https://liferay.atlassian.net/browse/LPD-47859</p>Jamie Sammons2025-01-31T15:36:55ZRequired security configuration deleted on upgrade from 7.3 to 7.4Chris Rimeshttps://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&messageId=1232179792025-01-31T15:29:56Z2025-01-31T13:11:54Z<p>This is essentially a re-report of <a
href="https://liferay.atlassian.net/browse/LPS-159746">[LPS-159746]
403 forbidden errors in JS console when trying to use categories and
tags - Jira</a>. Despite that bug being closed as "No Longer
Reproducible", I was able to trivially trigger the same
underlying issue using the command line tools to upgrade a completely
unmodified Liferay 7.3.6 GA7 workspace to the latest version (7.4.3 GA129).</p>
<p>
<strong>Summary</strong>
</p>
<p>When upgrading the database from 7.3 to the latest 7.4, a whole lot
of configuration is lost, including security settings required by
certain widgets to access the JSON web services. One user-visible
consequence of this is that, after upgrading, it is impossible to
remove events from calendars using the calendar widget, because it
fails with a 403 Forbidden response from the
/calendar.calendarbooking/move-calendar-booking-to-trash command.</p>
<p>The workaround from the original issue still works, but it's not
really acceptable to have to manually enter pre-existing default
configuration settings through the UI after upgrading.</p>
<p>
<strong>Reproduction steps</strong>
</p>
<p>For this, you'll need an external database (I used docker to run a
PostgreSQL instance: docker run -d -p 5432:5432 -e
POSTGRESQL_PASSWORD=password
docker.io/bitnami/postgresql:14.2.0-debian-10-r14) and a Java 11 JDK
(although the latest version of Liferay supports Java 17 and 21, the
Blade CLI still passes arguments that were removed in Java 8 and are
considered invalid in recent versions of Java).</p>
<ol>
<li>Use the Blade CLI to create a Liferay 7.3 workspace: blade init -v
portal-7.3-ga7 && blade server init.</li>
<li>Edit bundles/portal-ext.properties to point at the external database.</li>
<li>Run the server to create and populate the database schema: blade
server run</li>
<li>Use the database upgrade tool (<a
href="https://learn.liferay.com/w//dxp/installation-and-upgrades/upgrading-liferay/upgrade-basics/using-the-database-upgrade-tool">Using
the Database Upgrade Tool - Liferay Learn</a>) to upgrade the
database schema to 7.4.3 GA 129.</li>
<li>Use the Blade CLI to create a Liferay 7.4 workspace: blade init -v
portal-7.4-ga129 && blade server init.</li>
<li>Edit bundles/portal-ext.properties to point at the external database.</li>
<li>Run the server: blade server run.</li>
<li>Logging in to Liferay on localhost:8080 as test@liferay.com: <ol>
<li>Add the calendar widget to the home page.</li>
<li>Add an event to the user calendar.</li>
<li>Try to delete the event - it fails with a 403 Forbidden response.</li>
<li>In the Control Panel, go to <strong>System Settings > API
Authentication > Portal Sessions</strong> and note that
there's nothing there.</li>
</ol>
</li>
<li>Compare this to a fresh install of Liferay 7.4: <ol>
<li>Stop the server using ctrl-c, clear the database (if you're
using docker, just stop the container and start a new one) and
restart the server.</li>
<li>Redo step 8 and note that the <strong>Portal
Sessions</strong> settings now have a <strong>URLs
Includes</strong> entry with value /api/json*,/api/jsonws*,/c/portal/json_service*.</li>
</ol>
</li>
</ol>
<p>To me, this seems to be an obvious bug in the upgrade process. An
upgraded Liferay installation shouldn't be lacking required
configuration that a fresh installation has. This issue is currently
blocking us upgrading our clients to the latest version of Liferay.</p>
<p>For completeness, below are the contents of the configuration_ table
at various stages of the process.</p>
<p>
<strong>In Liferay 7.3.6 GA7:</strong>
</p>
<pre>
postgres=# select configurationid from configuration_;
configurationid
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration.34bb94a7-06cf-4d22-9d34-ec6ae5a515aa
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.63452976-e696-4d40-9191-ca61a634d7ad
org.apache.aries.jax.rs.jackson
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration.cf0ee241-314e-4ae9-8c7f-0581f4dfb4ec
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration.c938ffbd-93ee-4211-b6d6-372376ab93af
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration.ce83585e-c9f2-462e-af1d-c2bc1302950d
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration.06f16fe0-e535-4a77-9fe3-7a8047c8acf4
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.9c9cd697-633b-472b-a639-480557e90180
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration.7fcb6973-d9c7-482e-9ca4-b133ab825da4
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication.e1a66db6-e501-4a9f-8c15-f929d9fc33ea
org.apache.aries.jax.rs.whiteboard.default
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration.99337f19-9dc4-414a-a122-b61670c3ded9
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.a2dcb630-a9a7-49a8-945e-51cb84cdfd9b
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.e661476c-dd66-45a3-9c9b-ab31a1039ce6
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration.9e0b57f1-c287-4eee-8758-8e3b754d8d04
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.6b89bb50-d27d-4749-8d64-67a19c1b13ed
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration.bb5a4bf4-5fb1-4eac-9ffe-5997997ad67d
(17 rows)
</pre>
<p> </p>
<p>
<strong>After upgrading the database to Liferay 7.4.3 GA 129:</strong>
</p>
<pre>
postgres=# select configurationid from configuration_;
configurationid
------------------------------------------------------------------------------------------------
com.liferay.captcha.configuration.CaptchaConfiguration
com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
com.liferay.layout.seo.web.internal.configuration.LayoutSEODynamicRenderingConfiguration
com.liferay.journal.web.internal.configuration.JournalWebConfiguration
com.liferay.batch.engine.configuration.BatchEngineTaskConfiguration
(5 rows)
</pre>
<p>Most of the configuration has been deleted (which may or may not be
intentional). As an aside, I notice that the report generated by the
upgrade tool is a lie, claiming that there were initially only 2 rows,
when in fact there were 17.</p>
<p>
<strong>After running Liferay 7.4.3 GA 129 against the upgraded database:</strong>
</p>
<pre>
postgres=# select configurationid from configuration_;
configurationid
-----------------------------------------------------------------------------------------------------------------------------
com.liferay.captcha.configuration.CaptchaConfiguration
com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
com.liferay.layout.seo.web.internal.configuration.LayoutSEODynamicRenderingConfiguration
com.liferay.journal.web.internal.configuration.JournalWebConfiguration
com.liferay.batch.engine.configuration.BatchEngineTaskConfiguration
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~0a28ef1a-2ec3-4564-8a1a-bd9a71cb7446
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~a622c2b8-7b59-4be9-a618-fbfd3d72ea1c
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~b7bc2dd8-b7a2-4ad6-8dc6-584fad12e4fa
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~4cef77cb-e060-4756-9c1e-13bcda3c3d8a
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~ca03b7de-abc6-4c21-995d-2774a6d19960
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~8d32944d-cb01-4b2a-92ca-43cf8709a7ea
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~814b1717-c2eb-4946-a67d-2e0055bbb83e
(12 rows)
</pre>
<p>There are a few new entries, but not as many as before the upgrade
and the relevent setting for this issue
(com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration)
is still missing.</p>
<p>
<strong>Compare a fresh Liferay 7.4.3 GA 129 install:</strong>
</p>
<pre>
postgres=# select configurationid from configuration_;
configurationid
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
com.liferay.portal.remote.cors.configuration.PortalCORSConfiguration~default
org.apache.aries.jax.rs.jackson
com.liferay.adaptive.media.image.internal.configuration.AMImageMagickConfiguration
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration~default
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication~default
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration~default
com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
org.apache.aries.jax.rs.whiteboard.default
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration~blogs
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration~knowledgebase
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~accessories
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~cross-sell
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~related
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~spare
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~up-sell
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration~default
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration~default
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration~bulk
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration~default
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration~default
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration~default
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~f94ba4cb-5c56-4f2b-b562-a9df50af0452
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~857ecdd6-d17c-4cc9-835b-aefa3526c28d
com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~a3305cfc-ac57-4dce-b7e2-363a8b904a57
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~ba73bc95-4098-4a74-adf8-020cbc617383
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~c605fc0d-afd1-473b-8cc0-9c79a6a0ce36
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~555332f3-b725-4e64-9d16-b58e637f6bff
com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~be85747e-23db-4df2-aa7a-ba079a333a72
(28 rows)
</pre>Chris Rimes2025-01-31T13:11:54Z