Espen Olsen
Getting the Authentication token (p_auth) from a client side javascript app
13 September 2013 03:36

I'm creating a javascript application that needs to access Liferay's jsonws API.

The user will be authenticated through an SSO solution, but I'm unsure about how I can get the authentication token in order to make calls back to the server from javascript.

Is it possible to retrieve this value from the cookie somehow on the client side?
Vilmos Papp
RE: Getting the Authentication token (p_auth) from a client side javascript
13 September 2013 07:00
LIFERAY STAFF

Hi,

I think if you use our JS API to create the URL then it should contain the necessary parameters.

Regards,
Vilmos
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
13 September 2013 09:16
LIFERAY STAFF

Hi Karl,

I understand that your application won't run in the portal; it's a separate application on a separate domain.

Liferay uses p_auth to prevent exactly this kind of call. Don't get me wrong, it's a security risk to allow calls to the JSON WS API from outside the portal with user cookies; it's called a CSRF attack.

I'd try to use CORS to get p_auth safely for your application.

A simple example of how to get the p_auth token using CORS. Save this JSP into the portal installation as tomcat/webapps/ROOT/p_auth_token_using_cors.jsp:
<%
// Only this origin and this page prefix may read the token.
String allowedOrigin = "http://your-server.com";
String allowedReferer = "http://your-server.com/your-app/";
String origin = request.getHeader("Origin");
String referer = request.getHeader("Referer");

// Exact match on Origin, prefix match on Referer (note the trailing slash).
if(allowedOrigin.equals(origin) && (referer != null) && referer.startsWith(allowedReferer)) {
    // Let the browser expose the response to the allowed origin only.
    response.setHeader("Access-Control-Allow-Origin", allowedOrigin);
    // Write out the p_auth token for the current request's session.
    out.println(com.liferay.portal.security.auth.AuthTokenUtil.getToken(request));
}
%>


Then create a CORS AJAX call to http://portal/p_auth_token_using_cors.jsp to get the p_auth token. Don't forget to change allowedOrigin & allowedReferer to the correct values of your application.

HTH.
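
The Origin/Referer gate from the JSP in the post above, modelled in JavaScript so its edge cases can be exercised (an added example, not part of the original post or of Liferay's code). The 403 on rejection and the `Access-Control-Allow-Credentials`, `Vary` and `Cache-Control` headers are additions of this sketch; `tokenResponse`, `runSamples` and the sample requests are constructed for illustration.

```javascript
// JavaScript model of the JSP's gate; the allow-list values mirror its placeholders.
const ALLOWED_ORIGIN = "http://your-server.com";
const ALLOWED_REFERER = "http://your-server.com/your-app/";

// Decide what the token endpoint answers. `headers` uses lower-cased names;
// `token` stands in for what AuthTokenUtil.getToken(request) returns.
function tokenResponse(headers, token) {
  const origin = headers["origin"];
  const referer = headers["referer"];

  // Exact match on Origin: a prefix test would also accept
  // "http://your-server.com.attacker.example".
  const originOk = origin === ALLOWED_ORIGIN;

  // The Referer prefix test is only sound because ALLOWED_REFERER ends in "/":
  // "/your-app-other/" and look-alike hosts cannot satisfy it.
  const refererOk =
    typeof referer === "string" && referer.startsWith(ALLOWED_REFERER);

  if (!originOk || !refererOk) {
    // Assumption of this sketch: reject with 403 and no CORS headers
    // (the JSP answers with an empty 200 instead).
    return { status: 403, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": ALLOWED_ORIGIN, // never "*" with credentials
      "Access-Control-Allow-Credentials": "true", // required for a cookie-bearing XHR
      "Vary": "Origin", // keep shared caches from reusing the response
      "Cache-Control": "no-store", // the token is per-session
    },
    body: token,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { origin: "http://your-server.com", referer: "http://your-server.com/your-app/index.html" },
  { origin: "http://your-server.com.attacker.example", referer: "http://your-server.com/your-app/" },
  { origin: "http://your-server.com", referer: "http://your-server.com/your-app-other/" },
  { origin: "http://your-server.com" }, // Referer stripped by the client
];

// Status the endpoint would return for each sample, in order.
function runSamples() {
  return SAMPLES.map((h) => tokenResponse(h, "constructed-token").status);
}
```

A browser only attaches the portal session cookie to the cross-origin XHR when `withCredentials` is set, and only exposes the response when the server answers with `Access-Control-Allow-Credentials: true` and a non-wildcard origin.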
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
31 October 2013 03:51

Hi Tomáš Polešovský

Is the auth.token.ignore.actions property applicable to javax.portlet.action too? Because it is mentioned that it will ignore struts action... How about MVC portlet?
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
31 October 2013 03:57
LIFERAY STAFF

Hi mohammad azaruddin

Only the "struts_action" portlet request param is checked against auth.token.ignore.actions.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
31 October 2013 06:11

Thank you....
I had to disable the security check for the entire portlet via portlet.xml... Hope this is the only option I got....

My requirement is to send an actionUrl to a remote user via e-mail, and upon clicking on that link he can directly land on the action class of that portlet.
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
4 November 2013 03:23
LIFERAY STAFF

This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

Does the portlet also have other actions?

Are they safe against CSRF? By safe I mean that an attacker cannot change anything on behalf of the user, or the changes require some form of "secret" to be sent, instead of the token.

If the portlet has other actions and they can cause harm, it's better to isolate your whitelisted action into a new portlet.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
4 November 2013 21:07

Hi,
thank you. Yeah, I isolate whitelisted action into a new portlet.
Mohammad Azharuddin
RE: Getting the Authentication token (p_auth) from a client side javascript
4 November 2013 21:13

Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet
Tomas Polesovsky
RE: Getting the Authentication token (p_auth) from a client side javascript
5 November 2013 04:45
LIFERAY STAFF

mohammad azaruddin:
Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet

Aah, I'm sorry, a mistake. MVC portlet doesn't use struts actions. So only StrutsPortlet counts.

yeah I isolate whitelisted action into a new portlet.

Good!