After a user performs a login using the portal LoginPortlet the login does not succeed and a WARN was printed to the log:
User 0 is not allowed to access URL http://localhost:8080/web/guest/login and portlet com_liferay_login_web_portlet_LoginPortlet: User 0 did not provide a valid CSRF token for com.liferay.portlet.SecurityPortletContainerWrapper
After a second login afterwards, the login was ok. The issues only occurs if the login page was opened some minutes and the auth token gets invalidated. This is basically fine, but the portal config portlet.add.default.resource.check.whitelist has an exclude for LoginPortlet. But this whitelist seems not avoid the unwanted check. Are there any other places how the avoid CSRF checking for LoginPortlet?
I could not reproduce this issue, I used this server for testing:
Liferay Community Edition Portal 7.3.5 CE GA6
Here are my steps, please let me know what I should change to experience the issue:
I extracted this zip file to my ubuntu linux pc:
liferay-ce-portal-tomcat-7.3.5-ga6-20200930172312275.tar.gz
Started the server and completed the 1st time setup
I re-started the server and visited localhost:8080 in an Opera browser
Waited 7 minutes
I clicked on "Sign in" in the upper right corner
Waited again 5 minutes
I entered my credentials
Results:
I could log on successfully, there were no errors about CSRF
A couple of suggestions:
A. Do a search for CSRF in:
https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties
and see if you can find a property that solves your issue
Such properties can be:
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken
auth.token.check.enabled=false
auth.token.ignore.origins
B. Maybe you can try to set up something like this in your portal-ext.properties:
portlet.add.default.resource.check.whitelist.actions=/login/login
C. You can do a search in Liferay Jira, for example this ticket talks about something similar:
https://issues.liferay.com/browse/LPS-129976
Related
I didn't have any problems before with signin into ms account, but now I can't get access to any account (to my account and even to new accounts) from any browser on my pc (but can signin from other pc, so, I know for sure - my account is active and havn't been blocked).
How it works (or, actually, doesn't):
1. Open https://azure.microsoft.com/en-us/services/devops/
2. click on "Sign in to Azure DevOps"
3. enter email and press enter
4. after few seconds and few requests (and few redirects), browser shows signin page again
OR:
1. Open https://portal.azure.com
2. enter email and press enter
3. after few seconds and few requests (and few redirects), I retrieve page "Sign-in failed. Sorry, we had some trouble signing you in, Click 'Try again' to try again."
Other details:
OS: Windows (maybe it happend after latest windows update, I'm not sure)
No installed antivirus or security software (just windows defender)
Browsers: Chrome, Edge on chromium, Firefox, Opera
It happened one week ago, and I still can't signin
There is no failed responses (4xx or 5xx), and no errors in console, so I really dont know how to fix it, maybe someone can help me with this problem
Importang thing: If I change network from my home wifi to another, I can signin there, so problem somewhere in wifi/router
Check to see what's under Credential Manager and, if the account is there, clear it out.
To go there, simply open Start and type credential manager.
You should be good to go.
We have a web app that used to be authenticated through forms and we changed it to use oauth with azure ad. Some users save links to different pages in the app in excel files. The problem is that since we changed the authentication we get an error when an excel link is clicked : "Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolInvalidNonceException
IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."
I tried adding the OPTIONS and PROPFIND verb to requestFiltering but no luck...
Installing the fix from this page :Microsoft support
fixed the problem. We are also looking into changing the SSO cookie policy because we don't want to have every user installing the fix if is not necessary.
Updated 2018.01.18
We updated the OS in the company to windows 10 and the issues reappeared. Implementing this code seems to fix the problem: https://github.com/aspnet/AspNetKatana/issues/78
I'm having problems trying to configure HOTP in openam10. I have configured Adaptive Risk Module and when the login attemp score is low the HOTP login form appears, everything is right by now, but when the use press the "Request OTP code" button nothing happens, no email is received, no error messages in openam logs, ...
Is there any known problem with this feature?
Thanks in advance.
I've never tried HOTP with OpenAM 10 but it works fine with 11. First take a look at the documentation if you haven't done so already.
You can also set the OpenAM server in debug mode to collect more information by going to Configuration > Servers and Sites > SERVER_NAME > General > Debugging and setting the "Debug level" to "message" (A server restart might be required). Then, go through the login process one more time and take a look at the following debug files: Authentication and CoreSystem. You can search for this string: "HTOP:process()", which maps to the auth module entry point, and post the details here.
Hope this helps.
I am getting an error saying I am not logged in to the server when attempting to submit my vehicle to the http://challenge-na.coderallycloud.com contest server. When I bring up the server list it shows that I am Online and logged in using my userid.
When I test the connection it is successful.
Unable to submit vehicle (after 10-15 minutes)
Unable to enter ChrisHanksCarOne on NA Contest Service
You need to login to the server before continuing to race. In the Code Rally Developer View choose the server list, right-click on the server and click login.
Sounds like the OAuth login hasn't worked properly, and the Eclipse plugin hasn't detected that. To fix log out from the server and login again (you can do this from the servers window or through the bottom of the enter race window). You should be asked to authenticate with Google, Facebook or Twitter - use the account you registered with on InfoQ and it should work (if not let me know and I can look into it further).
A changed Windows authentication to Forms authentication. Using the following example.
I added a user with Web Site Administration Tool. Finally I added this user as Site Collection Administrators and the user is recognized by SharePoint. Happy with that is started my WSS site in the browser but when I try to Sign in using this sign in form it is not working. Returns to this form after the submit (//spvm:100/_layouts/login.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252f&Source=%2f)
I have been scanning my Eventviewer but no succes for any comment what tells me what I am doing wrong. Maybe some of you guys can help me out?
Once you are redirected to this page, try navigating to http://spvm:100. Sometime I get this kind of case where I move make to the root, then it works. I really didnt know the reason why sometime it behaves like that.
I had the same issue. I found that something was wrong with my browser's settings. I tried to log in with another browser (Firefox) and that worked for me.
I don't know yet what was wrong with my IE7's settings, on another machine I could log in to a forms auth site without any problem.