How can the p_auth authorization token be generated?

Issue

  • Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created?

Environment

  • DXP 7.0, 7.1, 7.2, 7.3

Resolution

  • When "auth.token.check.enabled=true" is set in portal-ext.properties (this is also the default value), Liferay generates a per-session authentication token and appends it to action URLs as the "p_auth" parameter. Only URLs produced by <portlet:actionURL> or <liferay-portlet:actionURL> receive the token automatically; a URL assembled by hand does not carry it and the corresponding action request will be rejected unless the token is supplied explicitly. Individual actions or portlets can be exempted with "auth.token.ignore.actions" and "auth.token.ignore.portlets", but this should be a deliberate exception rather than the rule.
  • Setting "auth.token.check.enabled=true" also applies to MVC portlets; no additional configuration is needed for them.
  • When such an action URL is passed to <aui:form action="X">, the AUI tag strips the p_auth parameter from the URL and adds it as a hidden form field, so the token is POSTed to the server in the HTTP request body instead of being exposed in the query string.
  • The token is verified on the server side: com.liferay.portlet.SecurityPortletContainerWrapper#checkAction makes an indirect call to com.liferay.portal.kernel.security.auth.AuthTokenUtil#checkCSRFToken before the action is processed, and an action request whose p_auth value does not match the session token is rejected. This check is part of the portlet container itself, so it applies to every action request routed through the container regardless of how the portlet was written.
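
Putting the steps above together, the following view.jsp is an added example (it is not code from this article or from Liferay) for a hypothetical MVC portlet whose action request is handled by an MVCActionCommand registered under the name "saveNote"; the portlet, the action name and the "title" field are assumptions. It shows the two ways the token reaches the server: automatically through the tags, and explicitly through AuthTokenUtil.getToken(request) (exposed to the browser as Liferay.authToken) for requests you build yourself.

```jsp
<%-- view.jsp of a hypothetical MVC portlet; added example, not from the article --%>
<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet" %>
<%@ taglib uri="http://liferay.com/tld/aui" prefix="aui" %>
<%@ page import="com.liferay.portal.kernel.security.auth.AuthTokenUtil" %>

<%-- 1. Tag-generated action URL: with auth.token.check.enabled=true the
        portal appends p_auth=<session token> to this URL for us. --%>
<portlet:actionURL name="saveNote" var="saveNoteURL" />

<%-- 2. <aui:form> strips p_auth from the action attribute and emits it as a
        hidden input, so the token is sent in the POST body, not the URL. --%>
<aui:form action="<%= saveNoteURL %>" method="post" name="fm">
	<aui:input name="title" label="title" />
	<aui:button type="submit" value="save" />
</aui:form>

<%-- 3. Requests assembled by hand (for example an AJAX call) must carry the
        token themselves. AuthTokenUtil.getToken(request) returns the current
        session's token; the portal exposes the same value to page scripts as
        Liferay.authToken. --%>
<%
String authToken = AuthTokenUtil.getToken(request);
%>

<aui:script>
	function saveViaAjax(title) {
		var body = new URLSearchParams();

		body.append('<portlet:namespace />title', title);

		// Sending p_auth in the body mirrors what <aui:form> does. The tag
		// URL above already carries the token in its query string, so this
		// is redundant here; it is required whenever the target URL was
		// built without the token.
		body.append('p_auth', Liferay.authToken); // same value as '<%= authToken %>'

		return fetch('<%= saveNoteURL %>', {
			body: body,
			credentials: 'same-origin',
			method: 'POST'
		});
	}
</aui:script>
```

Whichever path is used, SecurityPortletContainerWrapper#checkAction compares the submitted p_auth with the session token before the saveNote command runs; removing the hidden field or the body parameter from the request is the quickest way to confirm that the check is active in a given environment.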
