This wiki does not contain official documentation and is currently deprecated and read only. Please try reading the documentation on the Liferay Developer Network, the new site dedicated to Liferay documentation.
Authentication Token
Liferay protects certain URLs with an authentication token: a secret value carried in the URL that the portal verifies before acting on the request. There are two different types of authentication token:
- p_auth: portal authentication token, for CSRF protection
- p_p_auth: portlet authentication token, for add-default-resource protection
Portal Authentication token #
This token prevents cross-site request forgery (CSRF), as explained at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
The token is bound to the user's session and is included in every action request in the portal as the "p_auth" URL parameter. An action request whose p_auth is missing or does not match the session's token is rejected, so a page on another site cannot forge a valid action URL for a logged-in user.
The token check can be enabled or disabled portal-wide with the property "auth.token.check.enabled" in portal.properties. Setting it to false removes CSRF protection from every action request, so it should stay enabled in production.
Two whitelists in portal.properties exempt requests from the p_auth check:
- "auth.token.ignore.actions" - a list of struts actions that are not checked for an authentication token
- "auth.token.ignore.portlets" - a list of portlet IDs whose action requests are not checked
Every entry in these lists is an action or portlet that an attacker can drive through CSRF, so keep them as short as possible.
Individual portlets can also be whitelisted by specifying the "check-auth-token" init parameter in portlet.xml:
    <init-param>
        <name>check-auth-token</name>
        <value>false</value>
    </init-param>
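The following is an added model of the session-bound token check described in this section; it is example code, not Liferay's own implementation. The function names, the in-memory session dict, the "csrf_token" key and the sample URLs are assumptions of the example, and the un-namespaced struts_action and p_p_id parameters are a simplification of Liferay's namespaced portlet parameters. The "p_auth" parameter and the two ignore lists mirror the settings described above, so the demo shows both why a forged request fails and why every whitelist entry lets one through again.

```python
"""Model of the session-bound CSRF token check described above.

Added example, not Liferay's own code. The function names, the in-memory
`session` dict, the "csrf_token" key and the sample URLs are assumptions of
this example; the un-namespaced struts_action and p_p_id parameters are a
simplification of Liferay's namespaced portlet parameters. The "p_auth"
parameter and the two ignore lists mirror the settings described above.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def issue_token(session):
    """Create the per-session token once and reuse it for the session's lifetime."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def action_url(base, params, session):
    """Build an action URL for the user and append the session token as p_auth."""
    query = dict(params)
    query["p_auth"] = issue_token(session)
    return f"{base}?{urlencode(query)}"


def check_action(url, session, ignore_actions=(), ignore_portlets=()):
    """Return True if the action request may proceed.

    A request passes in one of three ways, mirroring the portal settings:
    its struts action is in auth.token.ignore.actions, its portlet ID is in
    auth.token.ignore.portlets, or its p_auth matches the session token.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("struts_action") in ignore_actions:
        return True
    if q.get("p_p_id") in ignore_portlets:
        return True
    expected = session.get("csrf_token")
    supplied = q.get("p_auth")
    if not expected or not supplied:
        return False
    # Constant-time comparison so a wrong token is rejected without leaking
    # how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """Legitimate vs. forged requests; returns the outcome of each check."""
    session = {}
    params = {"p_p_id": "33", "p_p_lifecycle": "1",
              "struts_action": "/blogs/edit_entry"}
    # URL rendered into the victim's own page: carries the session token.
    legit = action_url("http://portal.example/web/guest/home", params, session)
    # URL an attacker's page could submit: same parameters, but the attacker
    # cannot read the victim's session and so cannot supply p_auth.
    forged = "http://portal.example/web/guest/home?" + urlencode(params)
    return {
        "legit": check_action(legit, session),
        "forged": check_action(forged, session),
        # Guessing the token does not help: it is 32 random bytes.
        "forged_guessed": check_action(forged + "&p_auth=" + "A" * 43, session),
        # Whitelisting the action or portlet re-opens the forged request: this
        # is the cost of every entry in auth.token.ignore.actions / .portlets.
        "forged_whitelisted_action": check_action(
            forged, session, ignore_actions=("/blogs/edit_entry",)),
        "forged_whitelisted_portlet": check_action(
            forged, session, ignore_portlets=("33",)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'allowed' if allowed else 'rejected'}")
```

The token is generated once per session and reused, which is what lets the portal embed it into every action URL it renders while an attacker's page, which cannot read the victim's session, has nothing to put in p_auth. Render requests are not checked in this model, matching the page's statement that the token is enforced on action requests.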
Portlet Authentication token #
This token prevents users from rendering an arbitrary portlet on any page simply by naming its ID in the URL, which the portal would otherwise allow for portlets whose add-default-resource setting is true.
The token is included in the URL as the "p_p_auth" parameter; a request that adds a default-resource portlet to a page without a valid p_p_auth is rejected.
The token check can be enabled or disabled with the property "portlet.add.default.resource.check.enabled" in portal.properties.
A whitelist of portlets or actions that bypass this check can be defined in portal.properties with the properties:
- "portlet.add.default.resource.check.whitelist" - portlet IDs that may be added to any page without p_p_auth
- "portlet.add.default.resource.check.whitelist.actions" - struts actions exempt from the check
A whitelisted portlet can be rendered on any page by any user who can reach that page and construct the URL, subject only to the portlet's own permission checks, so list only portlets that are safe to expose that way.
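Because both sections above come down to a handful of portal.properties keys and one portlet.xml init parameter, the check a practitioner actually wants is an audit of those settings. The script below is an added example, not part of the wiki page or of Liferay: it reads a portal-ext.properties override and a portlet.xml and reports every place the p_auth or p_p_auth check has been disabled or exempted. The property and parameter names are the ones described above; the sample files embedded in the script are constructed for the example, and the function names are the example's own.

```python
"""Audit Liferay portal-ext.properties and portlet.xml for weakened token checks.

Added example, not part of the wiki page or of Liferay. The property names
and the check-auth-token init parameter are the ones described above; the
sample files below are constructed for the example and the function names
are this example's own. An absent key is assumed to keep the value shipped
in portal.properties (both checks enabled), since portal-ext.properties
only holds overrides.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an override file that disables one check and exempts
# several actions and portlets from both.
SAMPLE_PROPERTIES = """\
# portal-ext.properties (constructed example)
auth.token.check.enabled=false
auth.token.ignore.actions=/portal/login,/blogs/edit_entry
auth.token.ignore.portlets=33,58
portlet.add.default.resource.check.enabled=true
portlet.add.default.resource.check.whitelist=58,103
portlet.add.default.resource.check.whitelist.actions=/login/login
"""

# Constructed sample: one portlet opts out of the p_auth check via portlet.xml.
SAMPLE_PORTLET_XML = """\
<?xml version="1.0"?>
<portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd" version="2.0">
  <portlet>
    <portlet-name>safe-portlet</portlet-name>
    <init-param><name>check-auth-token</name><value>true</value></init-param>
  </portlet>
  <portlet>
    <portlet-name>legacy-form</portlet-name>
    <init-param><name>check-auth-token</name><value>false</value></init-param>
  </portlet>
</portlet-app>
"""

PORTLET_NS = {"p": "http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_properties(text):
    """Return one finding per disabled check and per whitelist entry."""
    p = parse_properties(text)
    findings = []
    for key, what in (
        ("auth.token.check.enabled", "CSRF (p_auth) check"),
        ("portlet.add.default.resource.check.enabled",
         "add-default-resource (p_p_auth) check"),
    ):
        if p.get(key, "true").lower() == "false":
            findings.append(f"{key}=false disables the {what} portal-wide")
    for key in ("auth.token.ignore.actions", "auth.token.ignore.portlets",
                "portlet.add.default.resource.check.whitelist",
                "portlet.add.default.resource.check.whitelist.actions"):
        for entry in csv(p.get(key, "")):
            findings.append(f"{key} exempts {entry} from the check")
    return findings


def audit_portlet_xml(text):
    """Return the names of portlets that set check-auth-token to false."""
    root = ET.fromstring(text)
    exempt = []
    for portlet in root.findall("p:portlet", PORTLET_NS):
        name = portlet.findtext("p:portlet-name", default="?", namespaces=PORTLET_NS)
        for param in portlet.findall("p:init-param", PORTLET_NS):
            pname = param.findtext("p:name", default="", namespaces=PORTLET_NS)
            pvalue = param.findtext("p:value", default="", namespaces=PORTLET_NS)
            if pname == "check-auth-token" and pvalue.strip().lower() == "false":
                exempt.append(name)
    return exempt


if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPERTIES):
        print("properties:", finding)
    for name in audit_portlet_xml(SAMPLE_PORTLET_XML):
        print("portlet.xml:", name, "opts out of the p_auth check")
```

Point the two functions at your own portal-ext.properties and at the portlet.xml of every deployed plugin. The findings are review items rather than defects in themselves: the stock portal.properties may already carry entries in these lists, so compare against the shipped defaults and justify each additional exemption.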