Mitigating Portlet Security Vulnerabilities

Portlets are vulnerable to code injection attacks, which occur when malicious code is inserted into known or trustworthy web sites. An attacker can construct a URL to invoke actions even if there are no portlet action links in the page.

The malicious attacker uses the URL to invoke any of the public, zero-argument methods on any of the portlet's managed beans with a binding expression in the URL's targetAction parameter. You can mitigate this portlet security vulnerability by enabling annotated portlet actions.

In Composite Application Framework (CAF), you can use annotated portlet actions in the Extended Portlet Url control. When the user clicks the Extended Portlet Url link, the action request performs the action named in the targetAction property of the Extended Portlet Url control.

When you add a control that uses the Extended Portlet Url control to a view, set the Type property to action to make the link an action request that invokes the targetAction when loaded. The Anti-XSRF Token property instructs the portlet container to check for a valid axsrft token before allowing the target action to run. You must add the @PortletAction annotation and define the targetAction in the source code providing the methods to fulfill the action request.

This approach enables you to limit actions that are callable using the portlet URL to a fixed set of methods that you specify. Configure the portlet to limit portlet URL actions to those methods on the portlet's preferences bean or active page bean that have been annotated with the @PortletAction annotation.

The following example demonstrates a portion of the portlet.xml file with the annotated portlet actions init-param tags. CAF generates the init-param for the ANNOTATED_PORTLET_ACTIONS when the portlet is created.

<portlet>
<portlet-name>My_company_portlet</portlet-name>
<portlet-class>com.webmethods.caf.faces.portlet.FacesPortlet</portlet-class>
<init-param>
<name>com.webmethods.caf.faces.portlet.INIT_VIEW</ name>
<valu e>/My_company_portlet/default.view</value>
</init-param>
<init-param>
<name>ANNOTATED_PORTLET_ACTIONS</name >
<value>true</value>
</init-param>
:
:
</portlet>

New portlets created in CAF automatically have the init-param added. For portlet applications created in older versions of CAF, be sure to check for the use of annotated portlet actions. You may have to manually add the init-param to the portlet.xml file.

Add the Extended Portlet Url control to a Portlet Simple Link or Portlet Url Script. For more information, see the CAF Tag Library reference documentation for the Extended Portlet URL, Portlet Simple Link, and the Portlet URL Script controls. Do not use binding expressions when defining the portlet targetAction property, instead use a simple method name, such as SayHelloWorld.

When annotated portlet actions are enabled, the action handler source code from a portlet action link must contain the @PortletAction annotation. The following code snippet shows the @PortletAction annotation.

@PortletAction
public String doSayHello() {
error(FacesMessage.SEVERITY_INFO, "Hello, the 'doSayHello' portlet action
was executed", null);
return OUTCOME_OK;
}

You can enable or disable the axsrft token for specific action methods. The following example shows the axsft token and how it applies to the @PortletAction.

@PortletAction(axsrft = true)
public String doSayHelloWithAxsrftRequired() {
error(FacesMessage.SEVERITY_INFO, "Hello, the
'doSayHelloWithAxsrftRequired' portlet action was executed", null);
return OUTCOME_OK;
}

When annotated portlet actions are disabled, you can invoke the action method from the portlet action link with a full binding expression. For more information about binding expressions, see About the Bindings View.