Access to API's without p_auth

掲示板

6年前に Peter Helgren によって更新されました。

Access to API's without p_auth

Regular Member 投稿: 124 参加年月日: 13/11/14 最新の投稿

Before proceeding: Yes, I know that the p_auth token is a CSRF protection mechanism. I am thankful it is there! But I have several API's that I access without the need for authentication. These are a few "marketing" portlets that present data from our database to the public (i.e. guest) BEFORE they create an account and sign in. I currently am using the MVCResourceCommand to access these resources from the portlet and would like to do it without authentication. Is there a way to do that without modifying the portal-ext.properties? Optimally, it would be great if I could be pretty granular with which methods can be invoked without a p_auth token, but if I have to create individual portlets, I can do so. Most important is just being able to access the exposed API without a token.

I have seen suggestions like: @AccessControlled(guestAccessEnabled=true) (didn't work ....may have implemented incorrectly.) and:


	 //Ignore code
	   /**
	        * To by-pass authentication token for non-logged in user. 
	        * Error: Invalid authentication token
	        * @return
	        */
	       protected boolean isCheckMethodOnProcessAction() {
	           return CHECK_METHOD_ON_PROCESS_ACTION;
	       }
	       
	       private static final boolean CHECK_METHOD_ON_PROCESS_ACTION = false;

(didn't work ....may have implemented incorrectly.)

Ideas?

6年前に Tomas Polesovsky によって更新されました。

RE: Access to API's without p_auth

Liferay Master 投稿: 676 参加年月日: 09/02/13 最新の投稿

Hi,

if you are on 7.0 you can use Service Access Policy and whitelist the API in "System Default" policy.