How can the p_auth authorization token be generated?


  • Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created?


  • DXP 7.0, 7.1, 7.2, 7.3


  • When "auth.token.check.enabled=true" is set in, the auth token (p_auth value) is generated as a URL parameter. This only protects URLs generated from <portlet:actionURL> or <liferay-portlet:actionURL>.
  • Setting "auth.token.check.enabled=true" also works for MVC portlets.
  • When Action URLs are used for <aui:form action="X">, the AUI tag extracts the p_auth parameter and adds it as a hidden field, which is POSTed to the server in the HTTP request body.
  • An indirect call to is made from com.liferay.portlet.SecurityPortletContainerWrapper#checkAction. This is fundamental to the portlet container implementation.
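
A check for the coverage limit noted above (only URLs generated from <portlet:actionURL> or <liferay-portlet:actionURL> carry the token), added here as an example and not Liferay code: it scans rendered portlet HTML and lists POST forms that carry no p_auth in either the action URL or a hidden field. The sample markup is constructed, and the hidden field being emitted under the bare name p_auth is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

TOKEN = "p_auth"  # parameter name taken from the article

# Constructed sample: token in URL, token in hidden field, no token, GET form.
SAMPLE = """
<form action="/web/guest/home?p_p_id=demo&amp;p_p_lifecycle=1&amp;p_auth=AbC123xy" method="post"></form>
<form action="/web/guest/home?p_p_id=demo&amp;p_p_lifecycle=1" method="post">
  <input type="hidden" name="p_auth" value="AbC123xy" />
</form>
<form action="/web/guest/home?p_p_id=other&amp;p_p_lifecycle=1" method="post">
  <input type="text" name="title" />
</form>
<form action="/web/guest/search" method="get"><input name="q" /></form>
"""

class FormAudit(HTMLParser):
    """Collect each <form> and record where, if anywhere, it carries p_auth."""

    def __init__(self):
        super().__init__()
        self.forms = []     # one dict per form, in document order
        self._open = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            query = parse_qs(urlsplit(action).query, keep_blank_values=True)
            self._open = {"action": action,
                          "method": (a.get("method") or "get").lower(),
                          "has_token": bool(query.get(TOKEN, [""])[0])}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # Assumption: the hidden field uses the bare name p_auth.
            hidden = (a.get("type") or "").lower() == "hidden"
            if hidden and a.get("name") == TOKEN and a.get("value"):
                self._open["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def unprotected_post_forms(html):
    """Return the action of every POST form with no non-empty p_auth."""
    audit = FormAudit()
    audit.feed(html)
    return [f["action"] for f in audit.forms
            if f["method"] == "post" and not f["has_token"]]
```

A form listed by unprotected_post_forms is a candidate for review: its action URL was probably built by hand rather than through one of the actionURL tags.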



