Daniele Baggio, 4 Years Ago - Edited
Do you think Liferay releases a new 6.2 patched bundle (GA7?). 6.2 CE installations are many around...

Arun Das (replying to Daniele Baggio), 4 Years Ago - Edited
AFAIK, once the new Liferay is released there won't be any more releases for older versions.

Dominik Marks, 4 Years Ago - Edited
Are there any binary patches available for the Liferay versions above? The links provide source code patches only.

Samuel Kong (replying to Dominik Marks), 4 Years Ago
There's currently no plans to create binary patches. But if anyone wants to create the binary patch, I'll be happy to link to them.

Dave . (replying to Samuel Kong), 4 Years Ago - Edited
Hi Samuel, may you help me with the creation of the binary patch for Liferay Portal 6.2 GA6? Thanks!

Samuel Kong (replying to Dave .), 4 Years Ago
Dave, can you repost your question on the forums. These comments are probably not the best place to help you with building a patch since this may require some back and forth. But in general, you'll want to check out the source code (including the patch) from GitHub. After you have the code, type 'ant all' at the command line to create a build. But there's a lot of details in that last step which is why it is probably better to have this discussion in the forums.

Grégoire Lapicque (replying to Dominik Marks), 4 Years Ago - Edited
I am also interested in a binary patch for the version 6.2 GA6

Fredi B, 4 Years Ago - Edited
I can't believe that Liferay is not delivering binary patches. I tried to compile binaries from source, first with JDK11 - I quickly realized that this is a problem, then with JDK8. After 30-40 MINUTES I run into errors. We have an insecure application running and can't fix these vulnerabilities now? This is a no-go.

Arun Das (replying to Fredi B), 4 Years Ago - Edited
Hi Fredi,
I understand your concern. Usually, all binary patches for these vulnerabilities are released for DXP subscribers only. All thanks to the community security team, that at least they are pushing these patches to older versions of Liferay as well or else, we would have to check the latest fixes on the master branch and port it back manually to older versions.
Regards, Arun

Arun Das, 4 Years Ago - Edited
Hello,
Here is the Liferay 6.2 build based on https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative with Apache Tomcat 7.0.103, JDK 1.7_80
https://1drv.ms/u/s!AtN9b49hmJkTiIB7og5TQYH4ZuaoKg?e=7JrM2X
If someone from Liferay could verify, that would be great.
Regards, Arun

Arun Das, 4 Years Ago - Edited
Hi Samuel,
I've uploaded Liferay 6.2 March 2020 fixes binaries
https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV
Can you please help verify?
Regards, Arun

Samuel Kong (replying to Arun Das), 4 Years Ago
Thank you Arun. I've added a link to your patches in my post.

Grégoire Lapicque (replying to Arun Das), 4 Years Ago - Edited
Hi Arun,
Thank you for the patch. To make it work, I had to copy the missing webapps (marketplace, etc.) from my previous server, and edit tomcat\conf\catalina.properties :
L49 : common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/ext,${catalina.home}/lib/ext/*.jar
Regards
Grégoire

Arun Das (replying to Grégoire Lapicque), 4 Years Ago - Edited
Hello Grégoire,
Yep, for the Link 1 which is a complete build you are required to add those files manually. You could check the Link 2 (https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV) which is just the patches only. Also, you could check out this blog (https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches) by Dominik on how to create binary patch.
Regards, Arun

Karthik Seeni (replying to Arun Das), 9 Months Ago - Edited
Hi Arun,
The links for patches in binary look to be broken, can you please provide the link to download the patches, thanks

Johannes Feulner (replying to Arun Das), 4 Years Ago - Edited
Hi Arun,
thanks for the patches. They work fine in my installation except for FacebookConnect. Connects via Facebook fail when calls to /c/login/facebook_connect_outh return "Server Error (500)". See the stack trace below. Any idea what could/should be done?
Thanks, Johannes

Caused by: com.liferay.portal.kernel.exception.SystemException: Unable to retrieve Facebook access token
    at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:91)
    at com.liferay.portal.kernel.facebook.FacebookConnectUtil.getAccessToken(FacebookConnectUtil.java:34)
    at com.liferay.portlet.login.action.FacebookConnectAction.strutsExecute(FacebookConnectAction.java:102)
    at com.liferay.portal.struts.PortletAction.execute(PortletAction.java:116)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    ... 85 more
Caused by: java.lang.NullPointerException
    at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735)
    at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1547)
    at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1095)
    at com.liferay.portal.util.HttpImpl.URLtoString(HttpImpl.java:1159)
    at com.liferay.portal.kernel.util.HttpUtil.URLtoString(HttpUtil.java:428)
    at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:74)

Arun Das (replying to Johannes Feulner), 4 Years Ago - Edited
Hi Johannes,
I just built based on the https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative and not changed any of the code. And I don't see any updates done to the FacebookConnect in that branch. Probably, Facebook implementations have changed since Liferay 6.2.5. The best place to start discussion is in the forums/slack (liferay-community.slack.com). Should be able to cook up an EXT plugin to change the implementation.
Regards, Arun

Nicola Baiocco (replying to Arun Das), 4 Years Ago - Edited
Hi Arun,
for me the point is not on FacebookConnect but in HttpImpl.java (that changed a lot) used by FacebookConnectAction.
Nicola

Arun Das (replying to Nicola Baiocco), 4 Years Ago - Edited
Hello Nicola,
Not sure on that.
But, found the discussion over https://liferay.dev/forums/-/message_boards/message/87677757 on a quick forum search. If still facing issues, please update the above thread or start a new thread in the forum as there are more users who might be able to help.
Regards, Arun

Nicola Baiocco (replying to Johannes Feulner), 4 Years Ago - Edited
Maybe someone introduced a NullPointer at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735) we have the same issue in code on that invocation.

Johannes Feulner (replying to Nicola Baiocco), 4 Years Ago - Edited
Nicola, I agree. HttpImpl.java is the problem. I did the following:
'git clone https://github.com/community-security-team/liferay-portal.git'
'git checkout 6.2.5-ga6'
'ant all ' fails
Debugging the application with that source code attached shows that HttpImpl.java of Arun's patch is not the HttpImpl.java from my checkout. However, 'ant all' fails on my machine with the following message, so I do not know how to proceed with identifying the problem.
@Arun: Can you figure out what the problem with HttpImpl.java is or give me a hint how to reproduce your patch?
Thanks, Johannes

1. ERROR in /home/johannes/scorio/liferay-portal/portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java (at line 379)
[javac] if (!ReflectUtil.isSubclass(
[javac] ^^^^^^^^^^
[javac] The method isSubclass(Class<capture#61-of ?>, Class<capture#62-of ?>) is undefined for the type ReflectUtil

Arun Das (replying to Johannes Feulner), 4 Years Ago - Edited
You can check this post https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches for building patch

Samuel Kong (replying to Johannes Feulner), 4 Years Ago
For those having problems with Facebook Connect on Liferay Portal 6.2, we've pushed an additional commit to the branch that will hopefully address this issue.
Johannes, thank you for letting us know about this issue.

Johannes Feulner (replying to Samuel Kong), 4 Years Ago - Edited
Hi Samuel,
good to hear you've addressed this issue. Where would I find that commit? I've been looking at https://github.com/liferay/liferay-portal.git branches 6.2 and 6.2.x as well as on https://github.com/community-security-team/liferay-portal.git but could not find it.
Johannes

Nicola Baiocco (replying to Johannes Feulner), 4 Years Ago - Edited
Hi Johannes,
probably is this: https://github.com/community-security-team/liferay-portal/commit/5f3601ccfbfa2eece97211bc36e4f2fbba4592ba
Best regards

Arun Das (replying to Johannes Feulner), 4 Years Ago - Edited
Hi,
I've updated the patches, here is the link https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg
Can you help me test this?
Regards, Arun

Johannes Feulner (replying to Arun Das), 4 Years Ago - Edited
@Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works in so far, that it resolves the NPE in HttpUtil.java. However there are other bugs preventing Facebook Connect from working.
@Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug it. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones.
Johannes

Johannes Feulner (replying to Johannes Feulner), 4 Years Ago - Edited
Hi Arun,
we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API.
Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. If you added our patch into 6.2.5-cumulative we will gladly retest that version.
Thanks for your substantial help and quick responses,
Johannes

---------------------------------------------------------------------------------------------------------------------------- From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { 
@@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4

Arun Das (replying to Johannes Feulner), 4 Years Ago - Edited
Hello Johannes,
Here is the link with the FB Connect update https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS
Do test and let us know
Regards, Arun

Johannes Feulner (replying to Arun Das), 4 Years Ago - Edited
Hi Arun,
I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS including FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again.
Three things I'd like to ask/mention:
1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal.
2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that?
3.
When clicking on "Portal Settings" from control panel page and again when clicking there on "Save" I see the following warnings in catalina.out which I do not remember to have seen before:

0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted

Regards, Johannes

Arun Das (replying to Johannes Feulner), 3 Years Ago - Edited
Hi Johannes,
Thanks for the update. For your info, 6.2.x branch is no more updated by Liferay. I'm not sure on the 2nd item on how my code is running faster as I just cloned the repo from https://github.com/community-security-team/liferay-portal.git and made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed in EE https://issues.liferay.com/browse/LPS-60816. Unfortunately, since it's a private repo I don't have access to it.
Regards, Arun

Caleb Hamilton (replying to Arun Das), 3 Years Ago - Edited
Hi Arun,
I am running the Liferay-tomcat fix you provided. I notice a bug on the page Server Administration. This bug I have found running Liferay-6.2-ce-ga6 on Tomcat more recent than 7.0.62. Have you found an issue with the page, and do you know how to solve for it?
Cheers, Caleb

Arun Das (replying to Caleb Hamilton), 3 Years Ago - Edited
Hi Caleb,
Are you referring to the following issue "The code of method _jspService(HttpServletRequest, HttpServletResponse) is exceeding the 65535 bytes limit"
Here is the ticket related to this https://issues.liferay.com/browse/LPS-70778
Since that's a private repo I couldn't really get that fix. But a workaround was also mentioned there which is to replace tomcat-7.0.xx/lib/jasper.jar with an older version of jasper.jar from tomcat-7.0.62
Hope this helps
Regards, Arun

Caleb Hamilton (replying to Arun Das), 3 Years Ago - Edited
Hi Arun,
Swapping out the library tomcat/lib/jasper.jar on tomcat-7.0.103 for that from Tomcat-7.0.62 seems to have done the job.
Thanks, Caleb
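
Review bot: In the first FacebookConnectImpl.java hunk of Johannes Feulner's patch above (@@ -74,6 +74,7), the added '/* Facebook Connect API pre 2.3' opens a block comment that is only closed by '} */' in the following hunk, which leaves the old URL-encoded parser in the file as dead code. Delete those lines outright; the repository history keeps the old parser, and the explanatory comment about the v2.3 response format already documents why the parsing changed.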
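
Review bot: In the second FacebookConnectImpl.java hunk of the patch above (@@ -84,7 +85,19), the result of getString("access_token") is returned without any check that the field was present, so a JSON body that carries no access_token is not told apart from a successful code exchange. Validate the value before returning it, for example with the Validator.isNotNull call already applied to content a few lines earlier, and handle the empty case explicitly rather than handing an empty token to the caller. The local accessToken variable is assigned and returned on the next line, so returning the checked value directly would also shorten the long createJSONObject line.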
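
Review bot: The HttpImpl.java hunk of the patch above (@@ -1609,7 +1609,7) changes how targetHttpHost is built for every request that goes through this code path, not only Facebook Connect, yet it ships in the same commit as the Facebook API change under a single subject line. Split it into its own commit whose message states the effect (per the post, HTTPS URLs were being called as HTTP, and the stack trace earlier in the thread shows the access token exchange going through HttpUtil.URLtoString), so it can be reviewed and backported independently. A test that an https URL yields an https target host would guard against the scheme being dropped again.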
Samuel Kong Arun Das 4 Years Ago Thank you Arun. I've added a link to your patches in my post. Please sign in to reply. Reply as... Cancel
Grégoire Lapicque Arun Das 4 Years Ago - Edited Hi Arun, Thank you for the patch. To make it work, I had to copy the missing webapps (marketplace, etc.) from my previous server, and edit tomcat\conf\catalina.properties : L49 : common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/ext,${catalina.home}/lib/ext/*.jar Regards Grégoire Please sign in to reply. Reply as... Cancel Arun Das Grégoire Lapicque 4 Years Ago - Edited Hello Grégoire, Yep, for the Link 1 which is a complete build you are required to add those files manually. You could check the Link 2 (https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV) which is just the patches only. Also, you could check out this blog (https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches) by Dominik on how to create binary patch. Regards, Arun Please sign in to reply. Reply as... Cancel Karthik Seeni Arun Das 9 Months Ago - Edited Hi Arun, The links for patches in binary looks to be broken ,can you please provide the link for to download the patches, thanks Please sign in to reply. Reply as... Cancel
Arun Das Grégoire Lapicque 4 Years Ago - Edited Hello Grégoire, Yep, for the Link 1 which is a complete build you are required to add those files manually. You could check the Link 2 (https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV) which is just the patches only. Also, you could check out this blog (https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches) by Dominik on how to create binary patch. Regards, Arun Please sign in to reply. Reply as... Cancel Karthik Seeni Arun Das 9 Months Ago - Edited Hi Arun, The links for patches in binary looks to be broken ,can you please provide the link for to download the patches, thanks Please sign in to reply. Reply as... Cancel
Karthik Seeni Arun Das 9 Months Ago - Edited Hi Arun, The links for patches in binary looks to be broken ,can you please provide the link for to download the patches, thanks Please sign in to reply. Reply as... Cancel
Johannes Feulner Arun Das 4 Years Ago - Edited Hi Arun, thanks for the patches. They work fine in my installation except for FacebookConnect. Connects via Facebook fail when calls to /c/login/facebook_connect_outh return "Server Error (500)". See the stack trace below. Any idea what could/should be done? Thanks, Johannes Caused by: com.liferay.portal.kernel.exception.SystemException: Unable to retrieve Facebook access token at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:91) at com.liferay.portal.kernel.facebook.FacebookConnectUtil.getAccessToken(FacebookConnectUtil.java:34) at com.liferay.portlet.login.action.FacebookConnectAction.strutsExecute(FacebookConnectAction.java:102) at com.liferay.portal.struts.PortletAction.execute(PortletAction.java:116) at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) ... 85 more Caused by: java.lang.NullPointerException at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735) at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1547) at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1095) at com.liferay.portal.util.HttpImpl.URLtoString(HttpImpl.java:1159) at com.liferay.portal.kernel.util.HttpUtil.URLtoString(HttpUtil.java:428) at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:74) Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hi Johannes, I just build based on the https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative and not changed any of the code. And I don't see any updates done to the FacebookConnect in that branch. Probably, Facebook implementations has changed since Liferay 6.2.5. The best place to start discussion in the forums/slack (liferay-community.slack.com). Should be able to cook up an EXT plugin to change the implementation. Regards, Arun Please sign in to reply. Reply as... 
Cancel Nicola Baiocco Arun Das 4 Years Ago - Edited Hi Aruns, for me the point is not on FacebookConnect but in HttpImpl.java (that changed a lot) used by FacebookConnectAction. Nicola Please sign in to reply. Reply as... Cancel Arun Das Nicola Baiocco 4 Years Ago - Edited Hello Nicola, Not sure on that. But, found the discussion over https://liferay.dev/forums/-/message_boards/message/87677757 on a quick forum search. If still facing issues, please update the above thread or start a new thread in the forum as there are more users who might be able to help. Regards, Arun Please sign in to reply. Reply as... Cancel Nicola Baiocco Johannes Feulner 4 Years Ago - Edited Maybe someone introduced a NullPointer at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735) we have the same issue in code on that invocation. Please sign in to reply. Reply as... Cancel Johannes Feulner Nicola Baiocco 4 Years Ago - Edited Nicola, I agree. HttpImpl.java is the problem. I die the following: 'git clone https://github.com/community-security-team/liferay-portal.git' 'git checkout 6.2.5-ga6' 'ant all ' fails Debugging the application that source code attached shows, that HttpImpl.java of Arun's patch is not the HttpImpl.java from my checkout. However, 'ant all' fails on my machine with the following message , so I do not know how to proceed with indentifiying the problem. @Arun: Can you figure out what the problem with HttImpl.java is or give me a hint how to reproduce your patch? Thanks, Johannes 1. ERROR in /home/johannes/scorio/liferay-portal/portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java (at line 379) [javac] if (!ReflectUtil.isSubclass( [javac] ^^^^^^^^^^ [javac] The method isSubclass(Class<capture#61-of ?>, Class<capture#62-of ?>) is undefined for the type ReflectUtil Please sign in to reply. Reply as... 
Cancel Arun Das Johannes Feulner 4 Years Ago - Edited you can check this post https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches for building patch Please sign in to reply. Reply as... Cancel Samuel Kong Johannes Feulner 4 Years Ago For those having problems with Facebook Connect on Liferay Portal 6.2. we've pushed an an additional commit to the branch that will hopefully address this issue. Johannes, thank you for letting us know about this issue. Please sign in to reply. Reply as... Cancel Johannes Feulner Samuel Kong 4 Years Ago - Edited Hi Samuel, good to hear you've addressed this issue. Where would I find that commit? I've been looking at https://github.com/liferay/liferay-portal.git branches 6.2 and 6.2.x as well as on https://github.com/community-security-team/liferay-portal.git but could not find. Johannes Please sign in to reply. Reply as... Cancel Nicola Baiocco Johannes Feulner 4 Years Ago - Edited Hi Johannes, probably is this: https://github.com/community-security-team/liferay-portal/commit/5f3601ccfbfa2eece97211bc36e4f2fbba4592ba Best regards Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hi, I've updated the patches here is the link https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg Can you help me test this? Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited @Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works in so far, that it resolves the NPE in HttpUtil.java. However there are other bugs preventing Facebook Connect from working. @Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug ist. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones. Johannes Please sign in to reply. Reply as... 
Cancel Johannes Feulner Johannes Feulner 4 Years Ago - Edited Hi Arun, we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API. Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. If you added our patch into 6.2.5-cumulative we will gladly retest that version. Thanks for your substantial help and quick responses, Johannes ---------------------------------------------------------------------------------------------------------------------------- From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { 
@@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4

Arun Das Johannes Feulner 4 Years Ago - Edited
Hello Johannes, here is the link with the FB Connect update: https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS Do test and let us know. Regards, Arun

Johannes Feulner Arun Das 4 Years Ago - Edited
Hi Arun, I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS including FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again. Three things I'd like to ask/mention:
1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal.
2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that?
3. When clicking on "Portal Settings" from the control panel page, and again when clicking there on "Save", I see the following warnings in catalina.out which I do not remember having seen before:
0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
Regards, Johannes

Arun Das Johannes Feulner 3 Years Ago - Edited
Hi Johannes, thanks for the update. For your info, the 6.2.x branch is no longer updated by Liferay. I'm not sure on the 2nd item, on how my code is running faster, as I just cloned the repo from https://github.com/community-security-team/liferay-portal.git, made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed it in EE: https://issues.liferay.com/browse/LPS-60816. Unfortunately, since it's a private repo I don't have access to it. Regards, Arun
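Review bot: In the FacebookConnectImpl.java hunk at -84,7 +85,19, the value of getString("access_token") is returned without any check that the field is present or non-empty, so a JSON body that carries no token is passed to the caller as if it were one. I would test the value with Validator.isNotNull, as the surrounding code already does for content, and return it only then. The pre-2.3 parser is also kept in the file inside a /* ... */ block whose opener sits in the previous hunk; deleting the old lines would be cleaner than leaving dead token-parsing code that depends on two comment markers staying paired.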
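Review bot: In the HttpImpl.java hunk at -1609,7, passing uri.getScheme() into the HttpHost constructor changes the transport for every caller of this method, not only Facebook Connect, yet the commit subject folds it in with the API-format fix. I would split it into its own commit whose message states that https URLs were previously requested as http, as the accompanying post describes, and add a test that an https URL without an explicit port is sent over TLS.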
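The two token-response formats named in the patch comment (URL-encoded before v2.3, JSON per RFC 6749 section 5.1 after), handled by one parser that rejects bodies without a usable token and refuses a non-https token endpoint. This is an added Python example, not the poster's or Liferay's code; the function names, the idp.example URL and the sample bodies are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit


class TokenResponseError(ValueError):
    """The token endpoint's reply contained no usable access token."""


def require_https(token_url):
    """Return (host, port) for the token endpoint, refusing anything but https.

    The code-for-token exchange carries the app secret and the authorization
    code, so it must never fall back to plain http.
    """
    parts = urlsplit(token_url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise TokenResponseError("token endpoint must be an absolute https URL")
    # No explicit port in the URL means the scheme default, 443 for https.
    return parts.hostname, parts.port or 443


def parse_token_response(content):
    """Extract access_token from a JSON or a URL-encoded response body.

    Error messages never echo the body, so a token cannot leak into logs.
    """
    body = (content or "").strip()
    if not body:
        raise TokenResponseError("empty response")

    if body.startswith("{"):
        # JSON format (RFC 6749 section 5.1).
        try:
            data = json.loads(body)
        except ValueError:
            # "from None": the decoder's exception holds the raw body.
            raise TokenResponseError("malformed JSON response") from None
        if "error" in data:
            raise TokenResponseError("provider returned an error object")
        token = data.get("access_token")
    else:
        # Older URL-encoded format: access_token=...&...
        values = parse_qs(body).get("access_token", [])
        if len(values) > 1:
            raise TokenResponseError("ambiguous response: repeated access_token")
        token = values[0] if values else None

    if not isinstance(token, str) or not token.strip():
        raise TokenResponseError("no access_token in response")
    return token


# Constructed sample bodies; none of them is a real provider response.
SAMPLES = {
    "json": '{"access_token": "TOKEN-A", "token_type": "bearer", "expires_in": 5000}',
    "urlencoded": "access_token=TOKEN-B&expires=5000",
    "json_error": '{"error": {"message": "constructed error", "code": 100}}',
    "json_no_token": '{"token_type": "bearer"}',
    "html": "<html>gateway timeout</html>",
    "truncated_json": '{"access_token": "TOKEN-C"',
}


def run_samples():
    """Parse every sample; map its name to the token or to 'rejected: reason'."""
    results = {}
    for name, body in SAMPLES.items():
        try:
            results[name] = parse_token_response(body)
        except TokenResponseError as err:
            results[name] = "rejected: %s" % err
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print("%-15s %s" % (name, outcome))
    print(require_https("https://idp.example/oauth/access_token"))
```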
Arun Das Johannes Feulner 4 Years Ago - Edited
Hi Johannes, I just built based on https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative and have not changed any of the code. And I don't see any updates done to the FacebookConnect in that branch. Probably, the Facebook implementation has changed since Liferay 6.2.5. The best place to start a discussion is in the forums/Slack (liferay-community.slack.com). Should be able to cook up an EXT plugin to change the implementation. Regards, Arun

Nicola Baiocco Arun Das 4 Years Ago - Edited
Hi Arun, for me the point is not in FacebookConnect but in HttpImpl.java (that changed a lot), used by FacebookConnectAction. Nicola

Arun Das Nicola Baiocco 4 Years Ago - Edited
Hello Nicola, not sure on that. But I found the discussion over at https://liferay.dev/forums/-/message_boards/message/87677757 on a quick forum search. If still facing issues, please update the above thread or start a new thread in the forum, as there are more users who might be able to help. Regards, Arun
Nicola Baiocco Johannes Feulner 4 Years Ago - Edited
Maybe someone introduced a NullPointer at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735); we have the same issue in code on that invocation.

Johannes Feulner Nicola Baiocco 4 Years Ago - Edited
Nicola, I agree. HttpImpl.java is the problem. I did the following:
'git clone https://github.com/community-security-team/liferay-portal.git'
'git checkout 6.2.5-ga6'
'ant all ' fails
Debugging the application with the source code attached shows that HttpImpl.java of Arun's patch is not the HttpImpl.java from my checkout. However, 'ant all' fails on my machine with the following message, so I do not know how to proceed with identifying the problem. @Arun: Can you figure out what the problem with HttpImpl.java is or give me a hint how to reproduce your patch? Thanks, Johannes
1. ERROR in /home/johannes/scorio/liferay-portal/portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java (at line 379)
[javac] if (!ReflectUtil.isSubclass(
[javac] ^^^^^^^^^^
[javac] The method isSubclass(Class<capture#61-of ?>, Class<capture#62-of ?>) is undefined for the type ReflectUtil

Arun Das Johannes Feulner 4 Years Ago - Edited
You can check this post, https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches, for building the patch.
Samuel Kong Johannes Feulner 4 Years Ago
For those having problems with Facebook Connect on Liferay Portal 6.2, we've pushed an additional commit to the branch that will hopefully address this issue. Johannes, thank you for letting us know about this issue.

Johannes Feulner Samuel Kong 4 Years Ago - Edited
Hi Samuel, good to hear you've addressed this issue. Where would I find that commit? I've been looking at https://github.com/liferay/liferay-portal.git branches 6.2 and 6.2.x as well as on https://github.com/community-security-team/liferay-portal.git but could not find it. Johannes

Nicola Baiocco Johannes Feulner 4 Years Ago - Edited
Hi Johannes, it is probably this: https://github.com/community-security-team/liferay-portal/commit/5f3601ccfbfa2eece97211bc36e4f2fbba4592ba Best regards

Arun Das Johannes Feulner 4 Years Ago - Edited
Hi, I've updated the patches; here is the link: https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg Can you help me test this? Regards, Arun

Johannes Feulner Arun Das 4 Years Ago - Edited
@Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works insofar as it resolves the NPE in HttpUtil.java. However, there are other bugs preventing Facebook Connect from working. @Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug it. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones. Johannes

Johannes Feulner Johannes Feulner 4 Years Ago - Edited
Hi Arun, we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API. Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. If you added our patch into 6.2.5-cumulative we will gladly retest that version. Thanks for your substantial help and quick responses, Johannes
----------------------------------------------------------------------------------------------------------------------------
From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { 
@@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4 Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hello Johannes, Here is the link with the FB Connect update https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS Do test and let us know Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited Hi Arun, I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS inlcuding FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again. Three things I'd like to ask/mention: 1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal. 2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that? 3. 
When clicking on "Portal Settings" from control panel page and again when clicking there on "Save" I see the following warnings in catalina.out which I do not remember to have seen before: 0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted Regards, Johannes Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 3 Years Ago - Edited Hi Johannes, Thanks for the update. For your info, 6.2.x branch is no more updated by Liferay. I'm not sure on the 2nd item on how my code is running faster as I just clone the repo from https://github.com/community-security-team/liferay-portal.git and made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed in EE https://issues.liferay.com/browse/LPS-60816. Unfortunately, since its a private repo I don't have access to it. Regards, Arun Please sign in to reply. Reply as... Cancel
Johannes Feulner Samuel Kong 4 Years Ago - Edited Hi Samuel, good to hear you've addressed this issue. Where would I find that commit? I've been looking at https://github.com/liferay/liferay-portal.git branches 6.2 and 6.2.x as well as on https://github.com/community-security-team/liferay-portal.git but could not find. Johannes Please sign in to reply. Reply as... Cancel Nicola Baiocco Johannes Feulner 4 Years Ago - Edited Hi Johannes, probably is this: https://github.com/community-security-team/liferay-portal/commit/5f3601ccfbfa2eece97211bc36e4f2fbba4592ba Best regards Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hi, I've updated the patches here is the link https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg Can you help me test this? Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited @Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works in so far, that it resolves the NPE in HttpUtil.java. However there are other bugs preventing Facebook Connect from working. @Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug ist. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones. Johannes Please sign in to reply. Reply as... Cancel Johannes Feulner Johannes Feulner 4 Years Ago - Edited Hi Arun, we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API. Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. 
If you added our patch into 6.2.5-cumulative we will gladly retest that version. Thanks for your substantial help and quick responses, Johannes ---------------------------------------------------------------------------------------------------------------------------- From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { 
@@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4 Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hello Johannes, Here is the link with the FB Connect update https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS Do test and let us know Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited Hi Arun, I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS inlcuding FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again. Three things I'd like to ask/mention: 1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal. 2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that? 3. 
When clicking on "Portal Settings" from control panel page and again when clicking there on "Save" I see the following warnings in catalina.out which I do not remember to have seen before: 0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted Regards, Johannes Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 3 Years Ago - Edited Hi Johannes, Thanks for the update. For your info, 6.2.x branch is no more updated by Liferay. I'm not sure on the 2nd item on how my code is running faster as I just clone the repo from https://github.com/community-security-team/liferay-portal.git and made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed in EE https://issues.liferay.com/browse/LPS-60816. Unfortunately, since its a private repo I don't have access to it. Regards, Arun Please sign in to reply. Reply as... Cancel
Nicola Baiocco Johannes Feulner 4 Years Ago - Edited Hi Johannes, probably is this: https://github.com/community-security-team/liferay-portal/commit/5f3601ccfbfa2eece97211bc36e4f2fbba4592ba Best regards Please sign in to reply. Reply as... Cancel
Arun Das Johannes Feulner 4 Years Ago - Edited Hi, I've updated the patches here is the link https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg Can you help me test this? Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited @Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works in so far, that it resolves the NPE in HttpUtil.java. However there are other bugs preventing Facebook Connect from working. @Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug ist. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones. Johannes Please sign in to reply. Reply as... Cancel Johannes Feulner Johannes Feulner 4 Years Ago - Edited Hi Arun, we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API. Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. If you added our patch into 6.2.5-cumulative we will gladly retest that version. Thanks for your substantial help and quick responses, Johannes ---------------------------------------------------------------------------------------------------------------------------- From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 
From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { @@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4 Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 4 Years Ago - Edited Hello Johannes, Here is the link with the FB Connect update https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS Do test and let us know Regards, Arun Please sign in to reply. Reply as... Cancel Johannes Feulner Arun Das 4 Years Ago - Edited Hi Arun, I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS inlcuding FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again. Three things I'd like to ask/mention: 1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal. 2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that? 3. 
When clicking on "Portal Settings" from control panel page and again when clicking there on "Save" I see the following warnings in catalina.out which I do not remember to have seen before: 0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted 10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted Regards, Johannes Please sign in to reply. Reply as... Cancel Arun Das Johannes Feulner 3 Years Ago - Edited Hi Johannes, Thanks for the update. For your info, 6.2.x branch is no more updated by Liferay. I'm not sure on the 2nd item on how my code is running faster as I just clone the repo from https://github.com/community-security-team/liferay-portal.git and made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed in EE https://issues.liferay.com/browse/LPS-60816. Unfortunately, since its a private repo I don't have access to it. Regards, Arun Please sign in to reply. Reply as... Cancel
Johannes Feulner Arun Das 4 Years Ago - Edited @Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works in so far, that it resolves the NPE in HttpUtil.java. However there are other bugs preventing Facebook Connect from working. @Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug ist. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones. Johannes Please sign in to reply. Reply as... Cancel Johannes Feulner Johannes Feulner 4 Years Ago - Edited Hi Arun, we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API. Tests of 6.2.5-cumulative with our patch applied are all positive. We will put that version into production. If you added our patch into 6.2.5-cumulative we will gladly retest that version. Thanks for your substantial help and quick responses, Johannes ---------------------------------------------------------------------------------------------------------------------------- From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed FacebookConnect.java for current API --- .../com/liferay/portal/facebook/FacebookConnectImpl.java | 15 ++++++++++++++- portal-impl/src/com/liferay/portal/util/HttpImpl.java | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) 
diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect { String content = HttpUtil.URLtoString(options); if (Validator.isNotNull(content)) { + /* Facebook Connect API pre 2.3 int x = content.indexOf("access_token="); if (x >= 0) { @@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect { } return content.substring(x + 13, y); - } + } */ + + /* [Oauth Access Token] Format according to Facebook + * The response format of + * https://www.facebook.com/v2.3/oauth/access_token returned + * when you exchange a code for an access_token now return + * valid JSON instead of being URL encoded. The new format + * of this response is {"access_token": {TOKEN}, + * "token_type":{TYPE}, "expires_in":{TIME}}. We made this + * update to be compliant with section 5.1 of RFC 6749. + */ + String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); + return accessToken; } } catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java 
@@ -1609,7 +1609,7 @@ public class HttpImpl implements Http { _cookies.set(null); HttpHost targetHttpHost = new HttpHost( - uri.getHost(), uri.getPort()); + uri.getHost(), uri.getPort(), uri.getScheme()); RequestConfig.Builder requestConfigBuilder = getRequestConfigBuilder(uri, timeout); -- 2.7.4

Arun Das Johannes Feulner 4 Years Ago - Edited

Hello Johannes, Here is the link with the FB Connect update: https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS Do test and let us know. Regards, Arun

Johannes Feulner Arun Das 4 Years Ago - Edited

Hi Arun, I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS including FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again. Three things I'd like to ask/mention:

1. I've noted that https://github.com/liferay/liferay-portal.git would also need the FacebookConnect update. Just a proposal.
2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that?
3. When clicking on "Portal Settings" from control panel page and again when clicking there on "Save" I see the following warnings in catalina.out which I do not remember to have seen before:

0:56:27,586 WARN [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,595 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,596 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted

Regards, Johannes

Arun Das Johannes Feulner 3 Years Ago - Edited

Hi Johannes, Thanks for the update. For your info, 6.2.x branch is no more updated by Liferay. I'm not sure on the 2nd item on how my code is running faster as I just clone the repo from https://github.com/community-security-team/liferay-portal.git and made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed in EE https://issues.liferay.com/browse/LPS-60816. Unfortunately, since it's a private repo I don't have access to it. Regards, Arun
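Review bot: In FacebookConnectImpl.java, the `/* Facebook Connect API pre 2.3` line added in the @@ -74,6 +74,7 @@ hunk (closed by `} */` in the following hunk) leaves the old URL-encoded parser in the file as a commented-out block. Delete those lines instead and mention the pre-2.3 format in the commit message; version control keeps the old code, and a block comment that spans two hunks is easy to break if anyone later adds a `*/` inside it.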
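Review bot: The value from `JSONFactoryUtil.createJSONObject(content).getString("access_token")` in the @@ -84,7 +85,19 @@ hunk of FacebookConnectImpl.java is returned without any check, so a JSON body that carries no access_token field (an error response, for example) is handed to the caller as if it were a token. Test the result with the same Validator the method already uses a few lines above (`Validator.isNotNull(content)`) and fall through when it is empty. The comment also copies Facebook's changelog wording ("We made this update ..."), which reads as if the portal made the change; attribute it to Facebook or shorten it, and wrap the new statement, which is far longer than the surrounding lines.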
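Review bot: Passing `uri.getScheme()` to `new HttpHost(...)` in the HttpImpl.java hunk changes the target scheme for every request made through this class, not only the Facebook token exchange, yet it ships in the same commit as the Facebook API change. Split it into its own commit whose subject says that HTTPS URLs were previously requested as HTTP, so it can be reviewed and backported alone, and add a check that an https URL without an explicit port still reaches the right port, since `uri.getPort()` is passed through unchanged.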
Caleb Hamilton Arun Das 3 Years Ago - Edited

Hi Arun, I am running the Liferay-tomcat fix you provided. I notice a bug on the page Server Administration. This bug I have found running Liferay-6.2-ce-ga6 on Tomcat more recent than 7.0.62. Have you found an issue with the page, and do you know how to solve for it? Cheers, Caleb

Arun Das Caleb Hamilton 3 Years Ago - Edited

Hi Caleb, Are you referring to the following issue: "The code of method _jspService(HttpServletRequest, HttpServletResponse) is exceeding the 65535 bytes limit"? Here is the ticket related to this: https://issues.liferay.com/browse/LPS-70778 Since that's a private repo I couldn't really get that fix. But a workaround was also mentioned there, which is to replace tomcat-7.0.xx/lib/jasper.jar with an older version of jasper.jar from tomcat-7.0.62. Hope this helps. Regards, Arun

Caleb Hamilton Arun Das 3 Years Ago - Edited

Hi Arun, Swapping out the library tomcat/lib/jasper.jar on tomcat-7.0.103 for that from Tomcat-7.0.62 seems to have done the job. Thanks, Caleb
Dave . 4 Years Ago - Edited

Hi Samuel, thank you for the source patch. I have compiled a build from https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative using jboss-7.1.1, jdk1.7.0_80, ant-1.9.13. May you check the compiled patch? You can find it here: https://drive.google.com/file/d/1ffpu2VpIH183Zem-XZ9iaJXjai-wenLN/view?usp=sharing I have installed it on my server and it seems to work. Is there a way to view the version of the patch installed in the liferay control panel? Thanks a lot, Dave

Wu Yuxing Dave . 3 Years Ago

Hi Dave, There is no way to view the version of the patch installed in the liferay control panel.
Gordon Augat 4 Years Ago - Edited

I get the following exception when processing a velocity template. Any ideas?

Caused by: java.lang.IllegalArgumentException: Denied resolving class java.lang.Class by java.lang.Class
    at com.liferay.portal.velocity.LiferaySecureUberspector._checkClassIsRestricted(LiferaySecureUberspector.java:108)
    at com.liferay.portal.velocity.LiferaySecureUberspector.access$0(LiferaySecureUberspector.java:100)
    at com.liferay.portal.velocity.LiferaySecureUberspector$LiferaySecureIntrospectorImpl.checkObjectExecutePermission(LiferaySecureUberspector.java:201)
    at org.apache.velocity.util.introspection.SecureIntrospectorImpl.getMethod(SecureIntrospectorImpl.java:64)
    at org.apache.velocity.util.introspection.UberspectImpl.getMethod(UberspectImpl.java:193)
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:192)
    at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:262)
    at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:507)
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:155)
    at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:262)
    at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:342)
    at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
    at org.apache.velocity.Template.merge(Template.java:328)
    at org.apache.velocity.Template.merge(Template.java:235)
    at com.liferay.portal.velocity.VelocityTemplate.processTemplate(VelocityTemplate.java:112)
    at com.liferay.portal.template.AbstractTemplate.processTemplate(AbstractTemplate.java:108)

Dominik Marks Gordon Augat 3 Years Ago - Edited

You have to check the restricted classes in the Velocity Engine configuration. The patches define new default values here, so resolving "java.lang.Class" is not allowed by default, so you have to remove "java.lang.Class" from the restricted classes in the configuration.
Ali Mroué 3 Years Ago - Edited

Hello, Do you have any binary patch available for 7.0 ga7?

Dominik Marks Ali Mroué 3 Years Ago - Edited

Yes, see my blog post :-) https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches Binary patches are linked in the comments.