Issue
- Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created?
Environment
- DXP 7.0, 7.1, 7.2, 7.3
Resolution
- When "auth.token.check.enabled=true" is set in portal-ext.properties (this is also the default value in portal.properties), the auth token (the p_auth value) is appended to generated action URLs as a URL parameter. Only action URLs produced by <portlet:actionURL> or <liferay-portlet:actionURL> receive the parameter automatically; a URL assembled by other means does not carry it.
- Setting "auth.token.check.enabled=true" also covers MVC portlets (portlets built on MVCPortlet), since their action URLs come from the same tags.
- When such an action URL is used as the action of <aui:form action="X">, the AUI tag removes the p_auth parameter from the URL and adds it as a hidden field, so the token is POST'ed to the server in the HTTP request body instead of the query string.
- The check itself is performed by com.liferay.portal.kernel.security.auth.AuthTokenUtil#checkCSRFToken, which is called indirectly from com.liferay.portlet.SecurityPortletContainerWrapper#checkAction. This is fundamental to the portlet container implementation: every portlet action request passes through it.
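The portlet container only applies this check to portlet action requests. The following added example (not code from this article or from Liferay's own code base) shows a hypothetical servlet that changes state on POST and therefore has to perform the same check by itself: AuthTokenUtil.getToken(request) yields the p_auth value for the current session when the form is rendered, and AuthTokenUtil.checkCSRFToken(request, origin) is the call the portlet container makes for you on action URLs. The servlet name, its URL path and the "displayName" field are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.security.auth.PrincipalException;

/**
 * Hypothetical servlet (not part of Liferay) that is reached outside the
 * portlet container. SecurityPortletContainerWrapper#checkAction never runs
 * for it, so the CSRF check must be made explicitly.
 */
public class ProfileUpdateServlet extends HttpServlet {

	// Hypothetical path under which this servlet is assumed to be registered.
	public static final String PATH = "/o/example/profile";

	@Override
	protected void doGet(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException, ServletException {

		// The token is bound to the user's session; this is the same value the
		// <portlet:actionURL> tags append as p_auth to generated action URLs.
		String token = AuthTokenUtil.getToken(request);

		response.setContentType("text/html;charset=UTF-8");

		PrintWriter writer = response.getWriter();

		writer.println("<form action=\"" + PATH + "\" method=\"post\">");

		// Carry p_auth in the POST body, as <aui:form> does for action URLs.
		writer.println(
			"<input type=\"hidden\" name=\"p_auth\" value=\"" + token + "\" />");
		writer.println("<input type=\"text\" name=\"displayName\" />");
		writer.println("<button type=\"submit\">Save</button>");
		writer.println("</form>");
	}

	@Override
	protected void doPost(
			HttpServletRequest request, HttpServletResponse response)
		throws IOException, ServletException {

		try {
			// Compares the p_auth parameter of this request with the token held
			// in the session. The origin string identifies the caller and is
			// matched against the auth.token.ignore.origins property.
			AuthTokenUtil.checkCSRFToken(
				request, ProfileUpdateServlet.class.getName());
		}
		catch (PrincipalException principalException) {
			// Missing or mismatched token: reject before any state changes.
			response.sendError(
				HttpServletResponse.SC_FORBIDDEN, "Invalid or missing p_auth");

			return;
		}

		String displayName = request.getParameter("displayName");

		// ... apply the change for the authenticated user here ...

		response.setStatus(HttpServletResponse.SC_NO_CONTENT);
	}

}
```

A quick way to confirm the protection is in place is to submit the form once as rendered (expected 204) and once with the p_auth field removed or altered (expected 403); the same two requests against a portlet action URL exercise the check made by SecurityPortletContainerWrapper#checkAction.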