Liferay provides a mechanism to make web URLs more secure using authentication tokens.
Authentication token types:
There are two types of authentication tokens in Liferay: p_auth, the "Portal Authentication token", and p_p_auth, the "Portlet Authentication token".
Let's look at each in detail with an example:
p_auth
p_auth is the portal authentication token for preventing Cross-Site Request Forgery (CSRF) attacks on the website. It is known as the Portal Authentication token in Liferay.
p_p_auth
p_p_auth is the portlet authentication token used for add-default-resource protection.
Portal Authentication token
The Portal Authentication token is implemented to prevent Cross-Site Request Forgery.
To prevent CSRF attacks, the portal generates a token following the Synchronizer Token Pattern and associates this token with all actions.
The token is added to each URL; before executing any action or action link, the server checks the token, and only if the token is valid is the action executed.
The token check can be enabled or disabled with the property below:
"auth.token.check.enabled" in portal.properties.
Every portlet can be whitelisted by specifying the "check-auth-token" init parameter in portlet.xml as below:
<init-param>
<name>check-auth-token</name>
<value>false</value>
</init-param>
Portlet Authentication token
The Portlet Authentication token is designed to prevent users from accessing any portlet on any page, which would otherwise be possible because add-default-resource is true by default. The "p_p_auth" parameter is included in the URL.
The token check can be enabled or disabled by the property below:
"portlet.add.default.resource.check.enabled" in portal.properties
and per portlet with <add-default-resource>true</add-default-resource> in liferay-portlet.xml.
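The following is an added example, not code from the original post or from Liferay itself. It models in plain Python how the two checks described above (the p_auth check in front of actions and the p_p_auth check in front of portlets requested by URL that are not placed on the page) work as a synchronizer token pattern: the secret token lives in the server-side session, server-rendered links carry it, and the server compares it in constant time before doing anything. The PortalConfig and PortletDescriptor classes are constructed stand-ins for the portal.properties keys and the portlet.xml / liferay-portlet.xml settings named on the page; the exact add-default-resource rule is simplified and is an assumption of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode


# Constructed stand-in for portal.properties (the two keys named on the page).
@dataclass
class PortalConfig:
    auth_token_check_enabled: bool = True            # auth.token.check.enabled
    add_default_resource_check_enabled: bool = True  # portlet.add.default.resource.check.enabled


# Constructed stand-in for one portlet's deployment descriptors.
@dataclass
class PortletDescriptor:
    name: str
    check_auth_token: bool = True      # portlet.xml <init-param> check-auth-token (false = whitelisted)
    add_default_resource: bool = True  # liferay-portlet.xml <add-default-resource>


@dataclass
class Session:
    """A user's server-side session. Synchronizer token pattern: the secret is minted
    here, once per session and token kind, so another origin cannot know or guess it."""
    session_id: str
    tokens: dict = field(default_factory=dict)

    def token(self, kind: str) -> str:
        # kind is "p_auth" or "p_p_auth"; lazily mint a 256-bit random token per kind.
        return self.tokens.setdefault(kind, secrets.token_urlsafe(32))


def token_is_valid(session: Session, kind: str, presented) -> bool:
    """Compare the token carried in the request with the session's token in constant time."""
    if not presented:
        return False
    return hmac.compare_digest(session.token(kind), presented)


def build_action_url(session: Session, base_url: str, params: dict) -> str:
    """Server-rendered links carry the session's p_auth token; a forged cross-site
    request has no way to learn the value it must include."""
    query = dict(params, p_auth=session.token("p_auth"))
    return base_url + "?" + urlencode(query)


def dispatch_action(config: PortalConfig, session: Session,
                    portlet: PortletDescriptor, request_params: dict) -> bool:
    """Gate in front of every action: True means the action may run."""
    check_required = config.auth_token_check_enabled and portlet.check_auth_token
    if check_required and not token_is_valid(session, "p_auth", request_params.get("p_auth")):
        return False  # reject: token missing, wrong, or issued to another session
    return True


def may_render_portlet(config: PortalConfig, session: Session, portlet: PortletDescriptor,
                       page_portlets: set, request_params: dict) -> bool:
    """Gate for a portlet requested by URL (simplified add-default-resource model, an
    assumption of this example): True means the portlet may be instantiated on the page."""
    if portlet.name in page_portlets:
        return True   # placed on the page by an administrator: always renderable
    if not portlet.add_default_resource:
        return False  # may not be added to arbitrary pages at all
    if not config.add_default_resource_check_enabled:
        return True   # check switched off: any URL can instantiate it (the weak setting)
    return token_is_valid(session, "p_p_auth", request_params.get("p_p_auth"))


if __name__ == "__main__":
    cfg = PortalConfig()
    user = Session("sess-1")          # constructed session id
    blog = PortletDescriptor("blog_portlet")
    url = build_action_url(user, "/web/guest/home", {"p_p_id": "blog_portlet", "action": "post"})
    print("rendered link:", url)
    print("forged request (no p_auth):", dispatch_action(cfg, user, blog, {"action": "post"}))
    print("legitimate request:", dispatch_action(cfg, user, blog, {"p_auth": user.token("p_auth")}))
    print("portlet not on page, no p_p_auth:",
          may_render_portlet(cfg, user, blog, {"login_portlet"}, {}))
```

Two things to notice when adapting this: the token is never compared with `==` (hmac.compare_digest avoids timing leaks), and turning either property off, or whitelisting a portlet with check-auth-token=false, removes the gate for that path entirely, which is why those settings deserve review in a deployment.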