Access to API's without p_auth

Foros de discusión

Peter Helgren, modificado hace 6 años.

Access to API's without p_auth

Regular Member Mensajes: 124 Fecha de incorporación: 14/11/13 Mensajes recientes

Before proceeding: Yes, I know that the p_auth token is a CSRF protection mechanism. I am thankful it is there! But I have several API's that I access without the need for authentication. These are a few "marketing" portlets that present data from our database to the public (i.e. guest) BEFORE they create an account and sign in. I currently am using the MVCResourceCommand to access these resources from the portlet and would like to do it without authentication. Is there a way to do that without modifying the portal-ext.properties? Optimally, it would be great if I could be pretty granular with which methods can be invoked without a p_auth token, but if I have to create individual portlets, I can do so. Most important is just being able to access the exposed API without a token.

I have seen suggestions like: @AccessControlled(guestAccessEnabled=true) (didn't work ....may have implemented incorrectly.) and:


	 //Ignore code
	   /**
	        * To by-pass authentication token for non-logged in user. 
	        * Error: Invalid authentication token
	        * @return
	        */
	       protected boolean isCheckMethodOnProcessAction() {
	           return CHECK_METHOD_ON_PROCESS_ACTION;
	       }
	       
	       private static final boolean CHECK_METHOD_ON_PROCESS_ACTION = false;

(didn't work ....may have implemented incorrectly.)

Ideas?

Tomas Polesovsky, modificado hace 6 años.

RE: Access to API's without p_auth

Liferay Master Mensajes: 676 Fecha de incorporación: 13/02/09 Mensajes recientes

Hi,

if you are on 7.0 you can use Service Access Policy and whitelist the API in "System Default" policy.