LiferayPortletURLs Generated For a .War File Do Not Have Authentication Token

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.

Subscribers often develop custom portlets and themes based on the APIs Liferay provides. As part of the portlet and theme development processes and as a security measure, Liferay has implemented auth tokens in the URLs; each portlet has a p_p_auth token in the URL.

The token check can be enabled or disabled with the propertyportlet.add.default.resource.check.enabledin

A white list of portlets or actions can be defined in to bypass this security check:

Looking at the Java classes, when PortletURLFactoryUtil is called from a portlet, a LiferayPortletURL object is returned. However, if the portlet is not properly configured, the LiferayPortletURL that is returned will not have an authentication token that is required for the particular object to be of use.


  1. The file liferay-portlet.xml contains all the "out of the box" portlets' properties. Subscribers developing a custom portlet can include the information about their portlet here.
  2. To ensure that the p_p_auth token is generated, add true
  3. Save the file.
  4. Start the portal.

Additional Information

0 人中有 0 人觉得有帮助