PortalUtil.getUser(httpServletRequest) Does not return the logged in user

RE: RE: PortalUtil.getUser(httpServletRequest) Does not return the logged in user

2024-02-12T17:46:39Z

Hi Christoph Rabel, first, thank you very much for the return.

Passing header in request works perfectly. However, in my case, the second suggestion would be more appropriate to my context.

However, testing the configuration via portal-ext.properties did not work. What am I missing in the configuration?
Here is the example.

#whitelist services in portal-ext.properties:
auth.token.ignore.origins=\
com.test.rest.application.TestRestApplication

I did, as described here:

https://docs.liferay.com/portal/7.4-ga92/propertiesdoc/portal.properties.html

Thank you!

RE: PortalUtil.getUser(httpServletRequest) Does not return the logged in user

2024-02-05T14:58:07Z

Newer versions of Liferay need the CSRF token in the request, preferrably as a header. If it isn't present, the auth verifier "strips" the user from the request and the call is not authenticated.

So, we usually set it in our javascript applications modules as a header, e.g.

fetch(
"/o/<my-rest-service>,
{ headers: {"x-csrf-token": window.Liferay.authToken}}
).then(..)

This is the preferred approach!

But this is sometimes not possible (or tricky) for various reasons. So, there is a second mechanism to whitelist urls and not require the token. BUT you must do this only for readonly requests (GET Requests usually are, but who knows), and make sure, that there is no security issue due to the missing CSRF token. Again: The first approach is preferable.
You can whitelist services in portal-ext.properties:
auth.token.ignore.origins=<my-rest-service>, <my-rest-service2>, ...

PortalUtil.getUser(httpServletRequest) Does not return the logged in user

2024-01-31T17:43:13Z

PortalUtil.getUser(httpServletRequest) Does not return the logged in user, but the default user on Liferay Digital Experience Platform 7.4.13 Update 92
I have a JAX-RS application that has the implementation of retrieving the logged in user to perform some validations, the implementation was working as expected on version U52, but when I use the U95 version does not work as expected, the returned user is default.

Looking at the documentation and the github I was not able to notice something that may have changed between these versions, because apparently nothing has changed in the PortalUtil class from U52 to U92.

Does anyone know if anything has changed and how can we now retrieve the logged in user in the context of a JAX-RS app?

I tried this too and it didn't work:

ServiceContext serviceContext = ServiceContextFactory.getInstance(httpServletRequest);

User user = serviceContext.getUser();

********************************************************

HttpSession httpSession = httpServletRequest.getSession();

User user = (User) httpSession.getAttribute(WebKeys.USER);

Here’s an example of what I’ve coded:

@Component(immediate = true,
   property = {
       JaxrsWhiteboardConstants.JAX_RS_APPLICATION_BASE + "=greetings",
       JaxrsWhiteboardConstants.JAX_RS_NAME + "=Greetings.Rest",
       "jaxrs.application=true",
       "auth.verifier.guest.allowed=false",
       "liferay.oauth2=false"
   },

configurationPolicy = ConfigurationPolicy.OPTIONAL,
service = Application.class
)

@ApplicationPath("/greetings")
public class TestRestApplication extends Application {

private static final Log LOG = LogFactoryUtil.getLog(TestRestApplication.class);

   public Set<Object> getSingletons() {
       LOG.info("Start******");
       return Collections.<Object>singleton(this);
   }

   @GET
   @Path("/user/logged")
   @Produces("text/plain")
   public String getUserLoggedIn(@Context HttpServletRequest httpServletRequest) throws PortalException {

User user = PortalUtil.getUser(httpServletRequest);
       String screenName=user.getScreenName();
       String emailAddress=user.getEmailAddress();

       LOG.info("********screenName:"+screenName+"\n"+"emailAddress:"+emailAddress);
       return "screenName:"+screenName+"\n"+"emailAddress:"+emailAddress;
   }

}

Thank you.