Authentication Token

Liferay implements a new mechanism to make URLs more secure: the authentication token. There are two different types of authentication token:

  • p_auth ... Portal authentication token for CSRF protection
  • p_p_auth ... Portlet authentication token for add-default-resource protection

Portal Authentication token #

This token is implemented to prevent Cross-Site Request Forgery (CSRF), as explained here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).

The token is included in every action request in the portal as the "p_auth" parameter of the URL; a request whose token does not match the one held in the user's session is rejected.

The token check can be enabled/disabled with the property "auth.token.check.enabled" in portal properties.

There are two whitelists in portal.properties that can be used to exempt requests from the p_auth check:

  • "auth.token.ignore.actions" - a list of struts actions that are not checked for an authentication token
  • "auth.token.ignore.portlets" - a list of portlet ids that are not checked for an authentication token

An individual portlet can also be whitelisted by specifying the "check-auth-token" init parameter in its portlet.xml:

<init-param>
	<name>check-auth-token</name>
	<value>false</value>
</init-param>

Portlet Authentication token #

This token is implemented to prevent users from accessing any portlet on any page just because the portlet has add-default-resource set to true (i.e. it can be added to a page dynamically through the URL).

This token is included in the URL as the "p_p_auth" parameter.

The token check can be enabled/disabled with the property "portlet.add.default.resource.check.enabled" in portal.properties.

A whitelist of portlets or actions can be defined in portal.properties to bypass this security check, with the properties:

  • "portlet.add.default.resource.check.whitelist" - a list of portlet ids
  • "portlet.add.default.resource.check.whitelist.actions" - a list of struts actions
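The following Python model shows how both checks described on this page fit together: the p_auth check on action requests with its two whitelists and the check-auth-token init-param, and the p_p_auth check for portlets that are not placed on the requested page with its whitelists. This is an added illustration, not Liferay's own code: the property names are the ones from this page, but the request model, the portlet ids used in the sample and the way the tokens are derived from the session are assumptions made for the example.

```python
"""Model of the p_auth / p_p_auth checks described above.
Hypothetical code: property names follow portal.properties, but the
request model and token derivation are assumptions, not Liferay's own."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PortalProperties:
    """Subset of portal.properties relevant to the two token checks."""
    auth_token_check_enabled: bool = True                                     # auth.token.check.enabled
    auth_token_ignore_actions: set = field(default_factory=set)               # auth.token.ignore.actions
    auth_token_ignore_portlets: set = field(default_factory=set)              # auth.token.ignore.portlets
    add_default_resource_check_enabled: bool = True                           # portlet.add.default.resource.check.enabled
    add_default_resource_whitelist: set = field(default_factory=set)          # portlet.add.default.resource.check.whitelist
    add_default_resource_whitelist_actions: set = field(default_factory=set)  # portlet.add.default.resource.check.whitelist.actions


@dataclass
class Request:
    """Constructed request model (an assumption, not the portal's request object)."""
    portlet_id: str
    struts_action: str
    lifecycle: str                                    # "ACTION" or "RENDER"
    params: dict
    session: dict
    page_portlets: set                                # ids of portlets actually placed on the page
    init_params: dict = field(default_factory=dict)   # the portlet's portlet.xml init-params


def portal_token(session):
    """Per-session p_auth value, created once and stored in the session."""
    if "p_auth" not in session:
        session["p_auth"] = secrets.token_urlsafe(16)
    return session["p_auth"]


def portlet_token(session, portlet_id):
    """Per-session, per-portlet p_p_auth value (assumed scheme: HMAC of the portlet id)."""
    key = portal_token(session).encode()
    return hmac.new(key, portlet_id.encode(), hashlib.sha256).hexdigest()


def _matches(expected, supplied):
    # Constant-time comparison so a forged token cannot be probed byte by byte.
    return supplied is not None and hmac.compare_digest(expected, supplied)


def check_portal_token(req, props):
    """p_auth (CSRF) check: only action requests are checked, honouring both
    whitelists and the per-portlet check-auth-token init-param."""
    if not props.auth_token_check_enabled or req.lifecycle != "ACTION":
        return True
    if req.struts_action in props.auth_token_ignore_actions:
        return True
    if req.portlet_id in props.auth_token_ignore_portlets:
        return True
    if req.init_params.get("check-auth-token", "true").lower() == "false":
        return True
    return _matches(portal_token(req.session), req.params.get("p_auth"))


def check_portlet_token(req, props):
    """p_p_auth check: a portlet not placed on the page is reachable only with a
    valid token, unless the portlet or the action is whitelisted."""
    if not props.add_default_resource_check_enabled:
        return True
    if req.portlet_id in req.page_portlets:
        return True  # portlet is already on the page; no default resource is added
    if req.portlet_id in props.add_default_resource_whitelist:
        return True
    if req.struts_action in props.add_default_resource_whitelist_actions:
        return True
    return _matches(portlet_token(req.session, req.portlet_id), req.params.get("p_p_auth"))


def authorize(req, props):
    """Run both checks in order; returns (allowed, reason)."""
    if not check_portal_token(req, props):
        return False, "missing or invalid p_auth"
    if not check_portlet_token(req, props):
        return False, "missing or invalid p_p_auth"
    return True, "ok"
```

Note that a render request never needs p_auth but may still need p_p_auth: the CSRF token protects state-changing actions, while the portlet token governs whether a portlet that is not on the page can be reached at all. Whitelisting a portlet or action in either list removes that protection for it, so keep both lists as short as the deployment allows.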