Discussion forums

Getting the Authentication token (p_auth) from a client side javascript app

Espen Aune Olsen, modified 10 years ago.

Getting the Authentication token (p_auth) from a client side javascript app

New Member Posts: 1 Join date: 29/05/13 Recent posts
I'm creating a javascript application that needs to access Liferay's jsonws API.

The user will be authenticated through an SSO solution, but I'm unsure about how I get can get the authentication token in order to make calls back to the server from javascript.

Is it possible to retrieve this value from the cookie somehow on the client side?
Vilmos Papp, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Liferay Master Posts: 529 Join date: 21/10/10 Recent posts
Hi,

I think if you use our JS API to create the URL then it should contain the necessary parameters.

Regards,
Vilmos
Tomáš Polešovský, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Liferay Master Posts: 676 Join date: 13/02/09 Recent posts
Hi Karl,

I understand that your application won't run in portal, it's a separate application on separate domain.

Liferay uses p_auth to prevent exactly this kind of call. Don't misunderstand it: it's a security risk to allow calling the JSON WS API from outside the portal with user cookies; it's called a CSRF attack.

I'd try to use CORS to get p_auth safely for your application.

A simple example of how to get the p_auth token using CORS. Save this JSP into the portal installation as tomcat/webapps/ROOT/p_auth_token_using_cors.jsp:
<%
// Allow-list: only this exact Origin and this Referer prefix receive a token.
String allowedOrigin = "http://your-server.com";
String allowedReferer = "http://your-server.com/your-app/";
String origin = request.getHeader("Origin");
String referer = request.getHeader("Referer");

// Exact Origin match plus Referer prefix check; any other request gets an
// empty response and no Access-Control-Allow-Origin header.
if(allowedOrigin.equals(origin) && (referer != null) && referer.startsWith(allowedReferer)) {
    response.setHeader("Access-Control-Allow-Origin", allowedOrigin);
    // Emit the current session's p_auth token for the calling app to use.
    out.println(com.liferay.portal.security.auth.AuthTokenUtil.getToken(request));
}
%>

Then create a CORS AJAX call to http://portal/p_auth_token_using_cors.jsp to get the p_auth token. Don't forget to change allowedOrigin and allowedReferer to the correct values for your application.

HTH.
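As an added example (not code from the thread or from Liferay), here are the two halves of this approach in JavaScript: the JSP's Origin/Referer allow-list check as a pure function, and the browser side that fetches the token with credentials and attaches it to a jsonws call. The service path is a hypothetical placeholder, and it is an assumption that the jsonws endpoint accepts the token as a p_auth request parameter.

```javascript
'use strict';

// Server side: the same allow-list check the JSP performs, as a pure
// function. Returns the CORS header to set, or null when the request must get
// an empty response (no token, no Access-Control-Allow-Origin).
function corsTokenResponse(headers, allowedOrigin, allowedReferer) {
  const origin = headers.origin || null;
  const referer = headers.referer || null;
  // Exact match on Origin: a prefix check would also accept
  // "http://your-server.com.attacker.example".
  if (origin !== allowedOrigin) return null;
  // Referer must start with the app's own path; a missing Referer is rejected.
  if (referer === null || !referer.startsWith(allowedReferer)) return null;
  return { 'Access-Control-Allow-Origin': allowedOrigin };
}

// Client side: build the jsonws call. Assumption: jsonws accepts the token as
// a "p_auth" request parameter; servicePath is a hypothetical placeholder.
function jsonwsRequest(portalBase, servicePath, params, pAuth) {
  const url = new URL('/api/jsonws' + servicePath, portalBase).toString();
  const body = new URLSearchParams({ ...params, p_auth: pAuth });
  // credentials: 'include' sends the portal session cookie cross-origin,
  // which is exactly why the token is required on top of the cookie.
  return { url, init: { method: 'POST', credentials: 'include', body } };
}

// Fetch p_auth from the CORS JSP. An empty body means the JSP's allow-list
// rejected the Origin/Referer pair. fetchImpl is injectable for testing.
async function getPAuthViaCors(portalBase, fetchImpl = globalThis.fetch) {
  const url = new URL('/p_auth_token_using_cors.jsp', portalBase).toString();
  const res = await fetchImpl(url, { credentials: 'include' });
  const token = (await res.text()).trim();
  if (!res.ok || !token) throw new Error('no p_auth: origin/referer not allowed?');
  return token;
}

// Full flow: token first, then the authenticated jsonws call.
async function callJsonws(portalBase, servicePath, params, fetchImpl = globalThis.fetch) {
  const pAuth = await getPAuthViaCors(portalBase, fetchImpl);
  const { url, init } = jsonwsRequest(portalBase, servicePath, params, pAuth);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error('jsonws call failed: ' + res.status);
  return res.json();
}
```

In the browser, `callJsonws('http://portal', '/your-service/your-method', { someParam: 'value' })` runs the whole exchange; the pure helpers can be exercised without a portal.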
mohammad azaruddin, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Expert Posts: 492 Join date: 17/09/12 Recent posts
Hi Tomáš Polešovský

Is the auth.token.ignore.actions property applicable to javax.portlet.action too? Because it is mentioned that it will ignore struts actions... How about MVC portlets?
Tomáš Polešovský, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Liferay Master Posts: 676 Join date: 13/02/09 Recent posts
Hi mohammad azaruddin

Only the "struts_action" portlet request param is checked against auth.token.ignore.actions.
mohammad azaruddin, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Expert Posts: 492 Join date: 17/09/12 Recent posts
Thank you....
I had to disable the security check for the entire portlet via portlet.xml... Hope this is the only option I've got....

My requirement is to send an actionUrl to a remote user via e-mail, and upon clicking on that link he can directly land on the action class of that portlet.
Tomáš Polešovský, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Liferay Master Posts: 676 Join date: 13/02/09 Recent posts
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

Does the portlet also have other actions?

Are they safe against CSRF? By safe I mean that an attacker cannot change anything on behalf of the user, or the changes require some form of "secret" to be sent instead of the token.

If the portlet has other actions and they can cause harm, it's better to isolate your whitelisted action into a new portlet.
mohammad azaruddin, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Expert Posts: 492 Join date: 17/09/12 Recent posts
Hi,
thank you. Yeah, I isolated the whitelisted action into a new portlet.
mohammad azaruddin, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Expert Posts: 492 Join date: 17/09/12 Recent posts
Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet
Tomáš Polešovský, modified 10 years ago.

RE: Getting the Authentication token (p_auth) from a client side javascript

Liferay Master Posts: 676 Join date: 13/02/09 Recent posts
mohammad azaruddin:
Tomáš Polešovský:
This is the only option for portlets that don't extend Liferay's MVC/Struts portlets.

And I extend com.liferay.util.bridges.mvc.MVCPortlet

Aah, I'm sorry, a mistake. MVC portlet doesn't use struts actions. So only StrutsPortlet counts.

yeah I isolated the whitelisted action into a new portlet.

Good!