Required security configuration deleted on upgrade from 7.3 to 7.4

Chris Rimes, modified 7 Months ago.


New Member Posts: 2 Join Date: 1/31/25

This is essentially a re-report of [LPS-159746] 403 forbidden errors in JS console when trying to use categories and tags - Jira.  Despite that bug being closed as "No Longer Reproducible", I was able to trivially trigger the same underlying issue using the command line tools to upgrade a completely unmodified Liferay 7.3.6 GA7 workspace to the latest version (7.4.3 GA129).

Summary

When upgrading the database from 7.3 to the latest 7.4, a whole lot of configuration is lost, including security settings required by certain widgets to access the JSON web services.  One user-visible consequence of this is that, after upgrading, it is impossible to remove events from calendars using the calendar widget, because it fails with a 403 Forbidden response from the /calendar.calendarbooking/move-calendar-booking-to-trash command.

The workaround from the original issue still works, but it's not really acceptable to have to manually enter pre-existing default configuration settings through the UI after upgrading.

Reproduction steps

For this, you'll need an external database (I used docker to run a PostgreSQL instance: docker run -d -p 5432:5432 -e POSTGRESQL_PASSWORD=password docker.io/bitnami/postgresql:14.2.0-debian-10-r14) and a Java 11 JDK (although the latest version of Liferay supports Java 17 and 21, the Blade CLI still passes arguments that were removed in Java 8 and are considered invalid in recent versions of Java).

  1. Use the Blade CLI to create a Liferay 7.3 workspace: blade init -v portal-7.3-ga7 && blade server init.
  2. Edit bundles/portal-ext.properties to point at the external database.
  3. Run the server to create and populate the database schema: blade server run
  4. Use the database upgrade tool (Using the Database Upgrade Tool - Liferay Learn) to upgrade the database schema to 7.4.3 GA 129.
  5. Use the Blade CLI to create a Liferay 7.4 workspace: blade init -v portal-7.4-ga129 && blade server init.
  6. Edit bundles/portal-ext.properties to point at the external database.
  7. Run the server: blade server run.
  8. Logging in to Liferay on localhost:8080 as test@liferay.com:
    1. Add the calendar widget to the home page.
    2. Add an event to the user calendar.
    3. Try to delete the event - it fails with a 403 Forbidden response.
    4. In the Control Panel, go to System Settings > API Authentication > Portal Sessions and note that there's nothing there.
  9. Compare this to a fresh install of Liferay 7.4:
    1. Stop the server using ctrl-c, clear the database (if you're using docker, just stop the container and start a new one) and restart the server.
    2. Redo step 8 and note that the Portal Sessions settings now have a URLs Includes entry with value /api/json*,/api/jsonws*,/c/portal/json_service*.

To me, this seems to be an obvious bug in the upgrade process.  An upgraded Liferay installation shouldn't be lacking required configuration that a fresh installation has.  This issue is currently blocking us upgrading our clients to the latest version of Liferay.

For completeness, below are the contents of the configuration_ table at various stages of the process.

In Liferay 7.3.6 GA7:

postgres=# select configurationid from configuration_;
                                                                                        configurationid
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration.34bb94a7-06cf-4d22-9d34-ec6ae5a515aa
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.63452976-e696-4d40-9191-ca61a634d7ad
 org.apache.aries.jax.rs.jackson
 com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration.cf0ee241-314e-4ae9-8c7f-0581f4dfb4ec
 com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration.c938ffbd-93ee-4211-b6d6-372376ab93af
 com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration.ce83585e-c9f2-462e-af1d-c2bc1302950d
 com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration.06f16fe0-e535-4a77-9fe3-7a8047c8acf4
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.9c9cd697-633b-472b-a639-480557e90180
 com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration.7fcb6973-d9c7-482e-9ca4-b133ab825da4
 com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication.e1a66db6-e501-4a9f-8c15-f929d9fc33ea
 org.apache.aries.jax.rs.whiteboard.default
 com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration.99337f19-9dc4-414a-a122-b61670c3ded9
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.a2dcb630-a9a7-49a8-945e-51cb84cdfd9b
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.e661476c-dd66-45a3-9c9b-ab31a1039ce6
 com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration.9e0b57f1-c287-4eee-8758-8e3b754d8d04
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration.6b89bb50-d27d-4749-8d64-67a19c1b13ed
 com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration.bb5a4bf4-5fb1-4eac-9ffe-5997997ad67d
(17 rows)


After upgrading the database to Liferay 7.4.3 GA 129:

postgres=# select configurationid from configuration_;
                                        configurationid
------------------------------------------------------------------------------------------------
 com.liferay.captcha.configuration.CaptchaConfiguration
 com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
 com.liferay.layout.seo.web.internal.configuration.LayoutSEODynamicRenderingConfiguration
 com.liferay.journal.web.internal.configuration.JournalWebConfiguration
 com.liferay.batch.engine.configuration.BatchEngineTaskConfiguration
(5 rows)

Most of the configuration has been deleted (which may or may not be intentional).  As an aside, I notice that the report generated by the upgrade tool is a lie, claiming that there were initially only 2 rows, when in fact there were 17.

After running Liferay 7.4.3 GA 129 against the upgraded database:

postgres=# select configurationid from configuration_;
                                                       configurationid
-----------------------------------------------------------------------------------------------------------------------------
 com.liferay.captcha.configuration.CaptchaConfiguration
 com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
 com.liferay.layout.seo.web.internal.configuration.LayoutSEODynamicRenderingConfiguration
 com.liferay.journal.web.internal.configuration.JournalWebConfiguration
 com.liferay.batch.engine.configuration.BatchEngineTaskConfiguration
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~0a28ef1a-2ec3-4564-8a1a-bd9a71cb7446
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~a622c2b8-7b59-4be9-a618-fbfd3d72ea1c
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~b7bc2dd8-b7a2-4ad6-8dc6-584fad12e4fa
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~4cef77cb-e060-4756-9c1e-13bcda3c3d8a
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~ca03b7de-abc6-4c21-995d-2774a6d19960
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~8d32944d-cb01-4b2a-92ca-43cf8709a7ea
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~814b1717-c2eb-4946-a67d-2e0055bbb83e
(12 rows)

There are a few new entries, but not as many as before the upgrade, and the relevant setting for this issue (com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration) is still missing.

Compare a fresh Liferay 7.4.3 GA 129 install:

postgres=# select configurationid from configuration_;
                                                                          configurationid
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
 com.liferay.portal.remote.cors.configuration.PortalCORSConfiguration~default
 org.apache.aries.jax.rs.jackson
 com.liferay.adaptive.media.image.internal.configuration.AMImageMagickConfiguration
 com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration~default
 com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication~default
 com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration~default
 com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration
 org.apache.aries.jax.rs.whiteboard.default
 com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration~blogs
 com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration~knowledgebase
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~accessories
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~cross-sell
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~related
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~spare
 com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration~up-sell
 com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration~default
 com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration~default
 com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration~bulk
 com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration~default
 com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration~default
 com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration~default
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~f94ba4cb-5c56-4f2b-b562-a9df50af0452
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~857ecdd6-d17c-4cc9-835b-aefa3526c28d
 com.liferay.commerce.payment.configuration.CommercePaymentEntryRefundTypeConfiguration~a3305cfc-ac57-4dce-b7e2-363a8b904a57
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~ba73bc95-4098-4a74-adf8-020cbc617383
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~c605fc0d-afd1-473b-8cc0-9c79a6a0ce36
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~555332f3-b725-4e64-9d16-b58e637f6bff
 com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration~be85747e-23db-4df2-aa7a-ba079a333a72
(28 rows)
Jamie Sammons, modified 7 Months ago.

RE: Required security configuration deleted on upgrade from 7.3 to 7.4

Expert Posts: 367 Join Date: 9/5/14

Bug Report Created: https://liferay.atlassian.net/browse/LPD-47859

Alberto Chaparro, modified 6 Months ago.

RE: Required security configuration deleted on upgrade from 7.3 to 7.4

Liferay Master Posts: 560 Join Date: 4/25/11

Hi Chris,

Can you provide the list of file names you have in the folder {LIFERAY_HOME}/osgi/configs before the upgrade?

Thanks.

Chris Rimes, modified 6 Months ago.

RE: RE: Required security configuration deleted on upgrade from 7.3 to 7.4

New Member Posts: 2 Join Date: 1/31/25

For the reproduced steps outlined in the original post, I was just using an unmodified Liferay bundle, so:

com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-accessories.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-crosssell.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-related.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-spare.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-upsell.config
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration-default.config
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication-default.config
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration-default.config
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration-default.config
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration-default.config
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration-default.config
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration-bulk.config
org.apache.aries.jax.rs.jackson.config
org.apache.aries.jax.rs.whiteboard.default.config

In our actual deployments there are a few extra ones:

com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-accessories.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-crosssell.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-related.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-spare.config
com.liferay.commerce.product.configuration.CPDefinitionLinkTypeConfiguration-upsell.config
com.liferay.document.library.document.conversion.internal.security.auth.verifier.image.request.module.configuration.ImageRequestAuthVerifierConfiguration-default.config
com.liferay.headless.commerce.delivery.cart.internal.jaxrs.application.HeadlessCommerceDeliveryCartApplication-default.config
com.liferay.oauth2.provider.scope.internal.configuration.BundlePrefixHandlerFactoryConfiguration-default.config
com.liferay.oauth2.provider.scope.internal.configuration.ConfigurableScopeMapperConfiguration-default.config
com.liferay.organizations.internal.configuration.OrganizationTypeConfiguration-default.config
com.liferay.portal.search.elasticsearch7.configuration.ElasticsearchConfiguration.config
com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.portal.session.configuration.PortalSessionAuthVerifierConfiguration-default.config
com.liferay.portal.security.auth.verifier.internal.tunnel.configuration.TunnelAuthVerifierConfiguration-default.config
com.liferay.portal.security.sso.openid.connect.configuration.OpenIdConnectConfiguration.config
com.liferay.portal.security.sso.openid.connect.internal.configuration.OpenIdConnectProviderConfiguration-TNDP.config
com.liferay.portal.store.s3.configuration.S3StoreConfiguration.config
com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration-bulk.config
org.apache.aries.jax.rs.jackson.config
org.apache.aries.jax.rs.whiteboard.default.config
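
The comparison made by hand in this thread (osgi/configs file names and pre-upgrade rows against the configuration_ table after the upgrade) can be scripted as a post-upgrade check. This is an added example, not part of any poster's message and not Liferay tooling. It assumes the three naming shapes visible in the listings above (`<pid>-<name>.config` files, `<pid>.<uuid>` rows in 7.3, `<pid>~<name>` rows in 7.4); the `.security.` triage rule and all function names are hypothetical, and the sample entries are a subset copied from the thread.

```python
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

def base_pid(entry):
    """Reduce a configuration_ row id or an osgi/configs file name to its PID."""
    entry = entry.strip()
    if entry.endswith(".config"):               # file: <pid>[-<name>].config (assumed)
        return entry[:-len(".config")].split("-", 1)[0]
    entry = entry.split("~", 1)[0]              # 7.4 row: <pid>~<name>
    return re.sub(r"\.%s$" % UUID, "", entry)   # 7.3 row: <pid>.<uuid>

def missing_pids(baseline, upgraded):
    """PIDs present in the baseline but absent from the upgraded table, sorted."""
    have = {base_pid(e) for e in upgraded if e.strip()}
    return sorted({base_pid(e) for e in baseline if e.strip()} - have)

def security_relevant(pids):
    """Hypothetical triage rule: PIDs that live in a '.security.' package."""
    return [p for p in pids if ".security." in p]

AUTH = "com.liferay.portal.security.auth.verifier.internal."
# Baseline: osgi/configs file names plus one 7.3 row, copied from this thread.
BASELINE = [
    AUTH + "basic.auth.header.configuration.BasicAuthHeaderAuthVerifierConfiguration-default.config",
    AUTH + "portal.session.configuration.PortalSessionAuthVerifierConfiguration-default.config",
    AUTH + "tunnel.configuration.TunnelAuthVerifierConfiguration-default.config",
    "com.liferay.portal.vulcan.internal.configuration.VulcanConfiguration-bulk.config",
    "org.apache.aries.jax.rs.jackson.config",
    "com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration"
    ".99337f19-9dc4-414a-a122-b61670c3ded9",
]
# Rows seen after running 7.4.3 GA 129 against the upgraded database (subset).
UPGRADED = [
    "com.liferay.captcha.configuration.CaptchaConfiguration",
    "com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration",
    "com.liferay.portal.vulcan.internal.configuration.VulcanCompanyConfiguration"
    "~4cef77cb-e060-4756-9c1e-13bcda3c3d8a",
]

if __name__ == "__main__":
    lost = missing_pids(BASELINE, UPGRADED)
    flagged = set(security_relevant(lost))
    for pid in lost:
        print(("SECURITY " if pid in flagged else "         ") + pid)
```

In practice the two inputs would come from a directory listing of {LIFERAY_HOME}/osgi/configs and from `select configurationid from configuration_;` run before and after the upgrade.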