- Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created?
- DXP 7.0, 7.1, 7.2, 7.3
- When "auth.token.check.enabled=true" is set in portal-ext.properties, the auth token (p_auth value) is generated as a URL parameter. This only protects URLs generated from <portlet:actionURL> or <liferay-portlet:actionURL>.
- Invoking "auth.token.check.enabled=true" will also work for MVC portlets.
- When Action URLs are used for <aui:form action="X">, the AUI tag will extract the p_auth parameter and add this as a hidden field which is POST'ed to the server via the HTTP request body.
An indirect call to com.liferay.portal.kernel.security.auth.AuthTokenUtil#checkCSRFToken is made from com.liferay.portlet.SecurityPortletContainerWrapper#checkAction. This is fundamental to portlet container implementation.
Subscriber Exclusive Content
A Liferay Enterprise Subscription provides access to over 1,500 articles that include best practices, troubleshooting, and other valuable solutions. Sign in for full access.Sign In