
Authentication Token
Liferay implements a mechanism to make its URLs more secure: the authentication token. There are two different types of authentication token:
- p_auth - portal authentication token, for CSRF protection
- p_p_auth - portlet authentication token, for add-default-resource protection
Portal Authentication token
It is implemented to prevent Cross-Site Request Forgery (CSRF), as explained at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
This token is included in every action request in the portal as the "p_auth" parameter of the URL.
The token check can be enabled or disabled with the property "auth.token.check.enabled" in portal.properties.
There are two whitelists in portal.properties that can be used to skip the p_auth check:
- "auth.token.ignore.actions" - a list of Struts actions that are not checked for an authentication token
- "auth.token.ignore.portlets" - a list of portlet ids that are not checked
An individual portlet can also be whitelisted by specifying the "check-auth-token" init parameter in its portlet.xml:
<init-param>
    <name>check-auth-token</name>
    <value>false</value>
</init-param>
Portlet Authentication token
It is implemented to prevent users from accessing any portlet on any page just because the portlet's add-default-resource setting is true.
This token is included in the URL as the "p_p_auth" parameter.
The token check can be enabled or disabled with the property "portlet.add.default.resource.check.enabled" in portal.properties.
A whitelist of portlets or actions that bypass this security check can be defined in portal.properties with the properties:
- "portlet.add.default.resource.check.whitelist"
- "portlet.add.default.resource.check.whitelist.actions"
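The following is an added example, not Liferay's own code, that models both token checks described on this page: how a per-session p_auth token is verified on action requests (including the three ways to skip the check: the global property, the two whitelists and the portlet.xml init parameter), and how a portlet-bound p_p_auth token gates portlets that are reachable only because add-default-resource is true. The property names are the ones from this page; the Request and Session classes, the HMAC-based token derivation, the portlet ids and the action paths are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AuthTokenDemo {

    // Stand-in for portal.properties: keys are the property names from the page,
    // portlet ids and action paths are constructed sample values.
    static final Properties PROPS = new Properties();
    static {
        PROPS.setProperty("auth.token.check.enabled", "true");
        PROPS.setProperty("auth.token.ignore.actions", "/example/public_action");
        PROPS.setProperty("auth.token.ignore.portlets", "example_status_portlet");
        PROPS.setProperty("portlet.add.default.resource.check.enabled", "true");
        PROPS.setProperty("portlet.add.default.resource.check.whitelist", "example_search_portlet");
        PROPS.setProperty("portlet.add.default.resource.check.whitelist.actions", "/example/public_render");
    }

    static boolean enabled(String key) { return Boolean.parseBoolean(PROPS.getProperty(key, "true")); }

    // Comma-separated property value -> set of trimmed entries.
    static Set<String> csv(String key) {
        Set<String> out = new HashSet<>();
        for (String v : PROPS.getProperty(key, "").split(",")) if (!v.trim().isEmpty()) out.add(v.trim());
        return out;
    }

    // Hypothetical session: a random secret from which both tokens are derived,
    // so a token captured from one session is worthless in another.
    static final class Session {
        final byte[] secret = new byte[32];
        Session() { new SecureRandom().nextBytes(secret); }
    }

    // Hypothetical request: the URL parameters plus the page/portlet context the portal knows.
    static final class Request {
        final String portletId, strutsAction;
        final boolean actionRequest, portletOnPage, addDefaultResource;
        final Map<String, String> params, initParams;
        Request(String portletId, String strutsAction, boolean actionRequest, boolean portletOnPage,
                boolean addDefaultResource, Map<String, String> params, Map<String, String> initParams) {
            this.portletId = portletId; this.strutsAction = strutsAction; this.actionRequest = actionRequest;
            this.portletOnPage = portletOnPage; this.addDefaultResource = addDefaultResource;
            this.params = params; this.initParams = initParams;
        }
    }

    static String hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
    }

    // p_auth: one CSRF token per session, appended to every action URL the portal renders.
    static String pAuth(Session s) throws Exception { return hmac(s.secret, "p_auth"); }

    // p_p_auth: bound to the session and to the portlet id, so a token for one portlet does not unlock another.
    static String pPAuth(Session s, String portletId) throws Exception { return hmac(s.secret, "p_p_auth:" + portletId); }

    // Constant-time comparison; a missing parameter is a failure, not an exception.
    static boolean tokensEqual(String given, String expected) {
        return given != null && MessageDigest.isEqual(
                given.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    // Portal authentication token check, with the skip conditions listed on the page.
    static boolean pAuthCheckPasses(Request r, Session s) throws Exception {
        if (!r.actionRequest) return true;                                      // only action requests carry p_auth
        if (!enabled("auth.token.check.enabled")) return true;                  // check globally disabled
        if (csv("auth.token.ignore.actions").contains(r.strutsAction)) return true;
        if (csv("auth.token.ignore.portlets").contains(r.portletId)) return true;
        if ("false".equals(r.initParams.get("check-auth-token"))) return true; // portlet.xml init-param
        return tokensEqual(r.params.get("p_auth"), pAuth(s));
    }

    // Portlet authentication token check for portlets reached through add-default-resource.
    static boolean pPAuthCheckPasses(Request r, Session s) throws Exception {
        if (r.portletOnPage) return true;                                       // portlet is placed on the page
        if (!r.addDefaultResource) return false;                                // cannot be added by URL at all
        if (!enabled("portlet.add.default.resource.check.enabled")) return true;
        if (csv("portlet.add.default.resource.check.whitelist").contains(r.portletId)) return true;
        if (csv("portlet.add.default.resource.check.whitelist.actions").contains(r.strutsAction)) return true;
        return tokensEqual(r.params.get("p_p_auth"), pPAuth(s, r.portletId));
    }

    public static void main(String[] args) throws Exception {
        Session user = new Session(), other = new Session();
        Map<String, String> noInit = Map.of();
        // Action URL rendered by the portal inside the user's own session: passes.
        Request ok = new Request("example_blog_portlet", "/example/post", true, true, false,
                Map.of("p_auth", pAuth(user)), noInit);
        // Same action with a token that belongs to a different session: rejected.
        Request forged = new Request("example_blog_portlet", "/example/post", true, true, false,
                Map.of("p_auth", pAuth(other)), noInit);
        // Portlet not on the page, reachable only via add-default-resource: passes only with a valid p_p_auth.
        Request direct = new Request("example_admin_portlet", "/example/render", false, false, true,
                Map.of("p_p_auth", pPAuth(user, "example_admin_portlet")), noInit);
        Request noToken = new Request("example_admin_portlet", "/example/render", false, false, true, Map.of(), noInit);
        System.out.println("p_auth valid     : " + pAuthCheckPasses(ok, user));
        System.out.println("p_auth other sess: " + pAuthCheckPasses(forged, user));
        System.out.println("p_p_auth valid   : " + pPAuthCheckPasses(direct, user));
        System.out.println("p_p_auth missing : " + pPAuthCheckPasses(noToken, user));
    }
}
```

Two points worth noting when reviewing a Liferay deployment against this model: every entry added to the ignore or whitelist properties (or every portlet with check-auth-token set to false) is an action or portlet that can be driven without the token, so those lists should be reviewed as carefully as the disabled-check properties themselves; and the comparison is done with MessageDigest.isEqual rather than String.equals so the check does not leak token bytes through timing.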