H Meyer
Auth Token for ajax calls (prevent CSRF)
June 11, 2014 7:23 AM
Rank: New Member
Posts: 5
Join Date: March 3, 2014

Hi,
I found this topic about the authentication token for "normal" requests (with page reload):
https://www.liferay.com/en/community/wiki/-/wiki/Main/Authentication+Token

Can this also be configured for ajax calls?
Init of the serveResource URL:
var globalResourceUrl = '<%= ajaxValidateURL.toString() %>';


A possible ajax call:
$.ajax({type: "POST",
   url: globalResourceUrl,
   data: { cmd: "validateURL", feedURL : urlValue}
}).done(function( data ) {
...
});

I checked the ajax url and there was no p_auth or p_p_auth parameter in the url. But I also checked a "normal" request (with page reload), there was automatically a p_p_auth token in the URL.
Do I have to code this on my own? Does anybody have some suggestions / URLs to help me?

Thanks in advance.
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
June 11, 2014 9:27 AM
LIFERAY STAFF
Rank: Liferay Master
Posts: 653
Join Date: February 13, 2009

Hi,

H Meyer:
I checked the ajax url and there was no p_auth or p_p_auth parameter in the url. But I also checked a "normal" request (with page reload), there was automatically a p_p_auth token in the URL.

The token you see (p_p_auth) is a different one.

H Meyer:
Can this also be configured for ajax calls?
Init of the serveResource URL:

Resource serving requests are not checked for a CSRF token currently, and there is no portal-wide configuration for it.

You can implement the check by yourself, example:
import java.io.IOException;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import com.liferay.portal.security.auth.AuthTokenUtil;
import com.liferay.portal.util.PortalUtil;

public void serveResource(ResourceRequest resourceRequest, ResourceResponse resourceResponse) throws IOException, PortletException {
    // Unwrap the portlet request down to the portal's original servlet request,
    // which carries the p_auth parameter sent by the browser.
    HttpServletRequest request = PortalUtil.getOriginalServletRequest(PortalUtil.getHttpServletRequest(resourceRequest));

    try {
        // Liferay 6.2: compares p_auth from the request with the token stored in the session
        AuthTokenUtil.checkCSRFToken(request, this.getClass().getName());
        // Liferay 6.1:
        // AuthTokenUtil.check(request);
    } catch (Exception e) {
        // Reject the request; the portlet container reports the failure to the caller
        throw new PortletException("Invalid CSRF token!", e);
    }

    //... your code continues here
}


With this check you need to add the p_auth into the Ajax call, for example:
$.ajax({type: "POST",
   url: globalResourceUrl,
   data: {
      cmd: "validateURL",
      feedURL : urlValue,
      p_auth: Liferay.authToken
   }
}).done(function( data ) {
...
});


HTH
H Meyer
RE: Auth Token for ajax calls (prevent CSRF)
June 12, 2014 1:51 AM

Thanks for your help, but it is still not working. Sorry for the missing details, we are using Liferay 6.1 Enterprise Edition.
I tried your code and get the following error:
com.liferay.portal.security.auth.PrincipalException: Invalid authentication token
    at com.liferay.portal.security.auth.SessionAuthToken.check(SessionAuthToken.java:61)
    at com.liferay.portal.security.auth.AuthTokenWrapper.check(AuthTokenWrapper.java:32)
    at com.liferay.portal.security.auth.AuthTokenUtil.check(AuthTokenUtil.java:30)
    at com.volkswagenag.mod.carnet.news.action.NewsPortlet.serveResource(NewsPortlet.java:77)
    at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:118)
    at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:71)
    at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)...


We found out that after this method call PortalUtil.getHttpServletRequest(req) the token id is still correct. But after we call PortalUtil.getOriginalServletRequest(..) the token id will change. And then in the class SessionAuthToken.java in the check method the requestAuthenticationToken and sessionAuthenticationToken are different. And then the error will be thrown.

If I try
AuthTokenUtil.check(PortalUtil.getHttpServletRequest(req));
the requestAuthenticationToken in the check method of SessionAuthToken is then empty / null.

Can you help me also with this? Thanks
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
June 12, 2014 4:21 AM

OK, this was harder than I thought.

Can you please try this workaround?

import javax.portlet.PortletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.liferay.portal.security.auth.AuthTokenUtil;
import com.liferay.portal.util.PortalUtil;

try {
    // Wrap the plugin-context request (where the session token reads correctly)
    // so that only the p_auth parameter is taken from the portal's original request.
    HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(PortalUtil.getHttpServletRequest(resourceRequest)){
        @Override
        public String getParameter(String name) {
            if (name.equals("p_auth")) {
                return PortalUtil.getOriginalServletRequest((HttpServletRequest) super.getRequest()).getParameter(name);
            }

            return super.getParameter(name);
        }
    };
    AuthTokenUtil.check(wrapper);
} catch (Exception e) {
    throw new PortletException("Invalid CSRF token!", e);
}
H Meyer
RE: Auth Token for ajax calls (prevent CSRF)
June 12, 2014 5:09 AM

Thanks, this is working.

So can I consider this as a bug in Liferay?
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
June 12, 2014 6:00 AM

It seems it wasn't designed to work from inside of a plugin.

On the other hand, the functionality has a public interface; I'd say it's part of the public API, but the current implementation doesn't support use from plugins.

I think it could be a bug.
Ngocha Haobam
RE: Auth Token for ajax calls (prevent CSRF)
May 24, 2015 11:38 PM
Rank: Junior Member
Posts: 87
Join Date: January 30, 2015

Can you please tell me, where did you define ---> Liferay.authToken
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
May 29, 2015 6:27 AM

Ngocha Haobam:
Can you please tell me, where did you define ---> Liferay.authToken


Hi,

Liferay.authToken is defined by Liferay in top_js.jspf
Arunjyoti Banik
RE: Auth Token for ajax calls (prevent CSRF)
August 27, 2016 7:46 AM
Rank: Junior Member
Posts: 74
Join Date: August 25, 2014

Tomas Polesovsky:
Ngocha Haobam:
Can you please tell me, where did you define ---> Liferay.authToken


Hi,

Liferay.authToken is defined by Liferay in top_js.jspf


Hi Tomas,

I need a little more information. Liferay, by default, adds the p_auth token only to Action Requests across the whole portal. Can you tell me where, i.e. in which Java file, it is defined that the auth token will be appended only to action requests?

Regards
Arun
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
August 29, 2016 7:33 AM

Hi, it should be PortletURLImpl.
Arunjyoti Banik
RE: Auth Token for ajax calls (prevent CSRF)
August 31, 2016 4:46 AM

Thanks Tomas.
Artur Karwowski
RE: Auth Token for ajax calls (prevent CSRF)
November 18, 2016 8:34 AM
Rank: New Member
Posts: 1
Join Date: July 16, 2015

Hi Tomas,

Recently I implemented a CSRF token check using an interceptor for ajax calls to the Spring DispatcherServlet via PortalDelegateServlet.

github link

Could something similar be implemented for CSRF checks for Resource calls to DispatcherPortlet?

Thanks,
Artur
Tomas Polesovsky
RE: Auth Token for ajax calls (prevent CSRF)
November 18, 2016 11:33 AM

Hi Artur,

thanks for the idea, but in general we cannot implement that.

Resource requests are like a double-edged sword. They can serve static content but also change server state.

-> When developers serve static content there must be no CSRF token so that the browser/proxy can cache the content.

-> But when developers use it in AJAX calls to change server state they must check the CSRF token.

When the portal framework decides to omit the CSRF check or, on the other hand, force the CSRF check, it always fails one of the scenarios above; there is no win.

So the default behaviour is aligned with the portlet spec, which doesn't enforce any such check.

Btw. can you please spawn a new thread next time instead of poisoning this one? If you mention my name I'll see it. Thanks!
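The two points Tomas makes in this thread, that the token check belongs in serveResource with p_auth sent by the Ajax call, and that a resource handler must stay cacheable for static content while enforcing the token for state changes, can be combined in one handler that decides per command. The following is an added example for Liferay 6.1, not code from the thread or from Liferay itself: the class name, the cmd values, the JSON bodies and the Cache-Control header are hypothetical, the token check reuses the wrapper workaround posted above, and it assumes Liferay maps the ResourceResponse.HTTP_STATUS_CODE property and plain header properties onto the HTTP resource response.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.security.auth.AuthTokenUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.util.bridges.mvc.MVCPortlet;

/**
 * Hypothetical portlet (not from the thread). Read-only commands are served
 * without a token so they stay cacheable; state-changing commands must be
 * POSTed with a valid p_auth bound to the user's session.
 */
public class CsrfAwareResourcePortlet extends MVCPortlet {

    // Assumed command names: these only read data and may be cached.
    private static final Set<String> READ_ONLY_CMDS =
        new HashSet<String>(Arrays.asList("feed", "preview"));

    // Assumed command names: these change server state.
    private static final Set<String> MUTATING_CMDS =
        new HashSet<String>(Arrays.asList("validateURL", "subscribe"));

    @Override
    public void serveResource(ResourceRequest resourceRequest, ResourceResponse resourceResponse)
        throws IOException, PortletException {

        String cmd = ParamUtil.getString(resourceRequest, "cmd");
        HttpServletRequest pluginRequest = PortalUtil.getHttpServletRequest(resourceRequest);

        if (READ_ONLY_CMDS.contains(cmd)) {
            // No token: a per-session token in the URL would defeat browser/proxy caching.
            resourceResponse.setProperty("Cache-Control", "public, max-age=300");
            writeJson(resourceResponse, "{\"cmd\":\"" + cmd + "\",\"status\":\"ok\"}");
            return;
        }

        if (!MUTATING_CMDS.contains(cmd)) {
            fail(resourceResponse, HttpServletResponse.SC_BAD_REQUEST, "unknown cmd");
            return;
        }

        // State change: refuse GET so a plain link or <img src> cannot trigger it ...
        if (!"POST".equalsIgnoreCase(pluginRequest.getMethod())) {
            fail(resourceResponse, HttpServletResponse.SC_METHOD_NOT_ALLOWED, "POST required");
            return;
        }

        // ... and require the session-bound token that a cross-site page cannot read.
        if (!hasValidCsrfToken(pluginRequest)) {
            fail(resourceResponse, HttpServletResponse.SC_FORBIDDEN, "invalid CSRF token");
            return;
        }

        // cmd is whitelisted above, so it is safe to echo into the JSON body.
        writeJson(resourceResponse, "{\"cmd\":\"" + cmd + "\",\"status\":\"done\"}");
    }

    /**
     * Liferay 6.1 check using the wrapper workaround from this thread: the session
     * token is read through the plugin-context request, p_auth through the portal's
     * original request. On 6.2 the thread names AuthTokenUtil.checkCSRFToken(request, origin).
     */
    private static boolean hasValidCsrfToken(HttpServletRequest pluginRequest) {
        HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(pluginRequest) {
            @Override
            public String getParameter(String name) {
                if ("p_auth".equals(name)) {
                    return PortalUtil.getOriginalServletRequest(
                        (HttpServletRequest) super.getRequest()).getParameter(name);
                }
                return super.getParameter(name);
            }
        };

        try {
            AuthTokenUtil.check(wrapper);
            return true;
        }
        catch (Exception e) {
            // PrincipalException ("Invalid authentication token") or a missing token
            return false;
        }
    }

    private static void fail(ResourceResponse resourceResponse, int status, String message)
        throws IOException {

        // Assumption: Liferay applies this Portlet 2.0 property as the HTTP status code.
        resourceResponse.setProperty(ResourceResponse.HTTP_STATUS_CODE, String.valueOf(status));
        writeJson(resourceResponse, "{\"error\":\"" + message + "\"}");
    }

    private static void writeJson(ResourceResponse resourceResponse, String json) throws IOException {
        resourceResponse.setContentType("application/json");
        PrintWriter writer = resourceResponse.getWriter();
        writer.write(json);
        writer.flush();
    }
}
```

The client side stays as in Tomas's first answer: the Ajax call for a mutating cmd POSTs p_auth: Liferay.authToken in its data, while read-only commands are fetched with a plain GET and no token. Returning 403 instead of throwing a PortletException keeps the failure visible to the JavaScript caller as an HTTP status rather than a portal error page.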
Arunjyoti Banik
RE: Auth Token for ajax calls (prevent CSRF)
December 15, 2016 8:42 AM

Great information Tomas. Thanks