Home » Liferay Portal » English » 3. Development

Combination View Flat View Tree View
Threads [ Previous | Next ]
Peter Helgren
Access to API's without p_auth
July 26, 2017 8:11 AM

Peter Helgren

Rank: Regular Member

Posts: 124

Join Date: November 13, 2013

Recent Posts

Before proceeding: Yes, I know that the p_auth token is a CSRF protection mechanism. I am thankful it is there! But I have several API's that I access without the need for authentication. These are a few "marketing" portlets that present data from our database to the public (i.e. guest) BEFORE they create an account and sign in. I currently am using the MVCResourceCommand to access these resources from the portlet and would like to do it without authentication. Is there a way to do that without modifying the Optimally, it would be great if I could be pretty granular with which methods can be invoked without a p_auth token, but if I have to create individual portlets, I can do so. Most important is just being able to access the exposed API without a token.

I have seen suggestions like: @AccessControlled(guestAccessEnabled=true) (didn't work ....may have implemented incorrectly.) and:

 2     //Ignore code
 3       /**
 4            * To by-pass authentication token for non-logged in user.
 5            * Error: Invalid authentication token
 6            * @return
 7            */
 8           protected boolean isCheckMethodOnProcessAction() {
 9               return CHECK_METHOD_ON_PROCESS_ACTION;
10           }
12           private static final boolean CHECK_METHOD_ON_PROCESS_ACTION = false;

(didn't work ....may have implemented incorrectly.)

Tomas Polesovsky
RE: Access to API's without p_auth
July 28, 2017 2:31 PM

Tomas Polesovsky


Rank: Liferay Master

Posts: 653

Join Date: February 13, 2009

Recent Posts


if you are on 7.0 you can use Service Access Policy and whitelist the API in "System Default" policy.

Participate in the State of Liferay Community 2017. Help the community and even win some prizes!