Espen Olsen
Getting the Authentication token (p_auth) from a client side javascript app
September 13, 2013 3:36 AM

I'm creating a javascript application that needs to access Liferay's jsonws API.

The user will be authenticated through an SSO solution, but I'm unsure about how I can get the authentication token in order to make calls back to the server from javascript.

Is it possible to retrieve this value from the cookie somehow on the client side?
Vilmos Papp
RE: Getting the Authentication token (p_auth) from a client side javascript
September 13, 2013 7:00 AM
LIFERAY STAFF

Hi,

I think if you use our JS API to create the URL then it should contain the necessary parameters.

Regards,
Vilmos
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
September 13, 2013 9:16 AM
LIFERAY STAFF

Hi Karl,

I understand that your application won't run in the portal; it's a separate application on a separate domain.

Liferay uses p_auth to prevent exactly this kind of call. Don't misunderstand me, it's a security risk to allow calling the JSON WS API from outside the portal with user cookies; it's called a CSRF attack.

I'd try to use CORS to get p_auth safely for your application.

A simple example of how to get the p_auth token using CORS. Save this JSP into the portal installation as tomcat/webapps/ROOT/p_auth_token_using_cors.jsp:
<%
// Only this exact origin, and pages under this path, may read the token.
String allowedOrigin = "http://your-server.com";
String allowedReferer = "http://your-server.com/your-app/";
String origin = request.getHeader("Origin");
String referer = request.getHeader("Referer");

if (allowedOrigin.equals(origin) && (referer != null) && referer.startsWith(allowedReferer)) {
    response.setHeader("Access-Control-Allow-Origin", allowedOrigin);
    // Needed for the browser to expose the response when the call sends the session cookie.
    response.setHeader("Access-Control-Allow-Credentials", "true");
    out.println(com.liferay.portal.security.auth.AuthTokenUtil.getToken(request));
}
%>


Then create a CORS AJAX call to http://portal/p_auth_token_using_cors.jsp to get the p_auth token. Don't forget to change allowedOrigin & allowedReferer to the correct values for your application.

HTH.
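
The client side of the CORS call described in the post above, as an added example that is not part of the original thread or Liferay's own code. It assumes the JSP also answers with Access-Control-Allow-Credentials: true, that the portal returns CORS headers for the JSON WS call itself, and that p_auth is accepted as a form parameter; `callPortal`, `servicePath` and the token pattern are hypothetical names and values.

```javascript
// Added example, not code from the thread. fetchImpl is injected so the flow
// can be exercised offline; in a browser, pass window.fetch.bind(window).
const TOKEN_PATH = "/p_auth_token_using_cors.jsp"; // JSP name from the post

// The JSP prints the token plus a newline, and prints nothing when the
// Origin/Referer check fails. The token alphabet here is an assumption.
function parseToken(body) {
  const token = String(body).trim();
  if (!/^[\w-]{1,128}$/.test(token)) {
    throw new Error("portal did not return a p_auth token");
  }
  return token;
}

function tokenRequest(portalBase) {
  return {
    url: new URL(TOKEN_PATH, portalBase).href,
    // "include" sends the portal session cookie cross-origin; the token is
    // tied to that session, so a cookie-less request yields a useless token.
    options: { method: "GET", mode: "cors", credentials: "include" },
  };
}

// servicePath is whatever JSON WS method the application calls (hypothetical
// parameter); p_auth travels with the other form parameters.
function jsonWsRequest(portalBase, servicePath, pAuth, params = {}) {
  const body = new URLSearchParams({ ...params, p_auth: pAuth });
  return {
    url: new URL("/api/jsonws" + servicePath, portalBase).href,
    options: { method: "POST", mode: "cors", credentials: "include", body },
  };
}

async function callPortal(fetchImpl, portalBase, servicePath, params) {
  const t = tokenRequest(portalBase);
  const res = await fetchImpl(t.url, t.options);
  if (!res.ok) throw new Error("token endpoint returned " + res.status);
  const pAuth = parseToken(await res.text());
  const call = jsonWsRequest(portalBase, servicePath, pAuth, params);
  const reply = await fetchImpl(call.url, call.options);
  if (!reply.ok) throw new Error("JSON WS call returned " + reply.status);
  return reply.json();
}
```

An empty body from the JSP means the Origin or Referer did not match the allowed values, which `parseToken` surfaces as an error instead of sending an empty p_auth.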
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
October 31, 2013 3:51 AM

Hi Tomáš Polešovský,

Is the auth.token.ignore.actions property applicable to javax.portlet.action too? It is mentioned that it will ignore struts actions... How about MVC portlets?
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
October 31, 2013 3:57 AM
LIFERAY STAFF

Hi mohammad azaruddin

Only the "struts_action" portlet request param is checked against auth.token.ignore.actions.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
October 31, 2013 6:11 AM

Thank you.
I had to disable the security check for the entire portlet via portlet.xml. Hope this is the only option I've got.

My requirement is to send an actionUrl to a remote user via e-mail so that, upon clicking on that link, he can land directly on the action class of that portlet.
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
November 4, 2013 3:23 AM
LIFERAY STAFF

This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

Does the portlet also have other actions?

Are they safe against CSRF? By safe I mean that an attacker cannot change anything on behalf of the user, or that the changes require some form of "secret" to be sent instead of the token.

If the portlet has other actions and they can cause harm, it's better to isolate your whitelisted action into a new portlet.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
November 4, 2013 9:07 PM

Hi,
thank you. Yeah, I isolate the whitelisted action into a new portlet.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
November 4, 2013 9:13 PM

Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
November 5, 2013 4:45 AM
LIFERAY STAFF

mohammad azaruddin:
Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet

Aah, I'm sorry, a mistake. MVC portlet doesn't use struts actions. So only StrutsPortlet counts.

mohammad azaruddin:
Yeah, I isolate the whitelisted action into a new portlet.

Good!