Liferay Portal 6.1 - User Guide
Set this to true to enable authentication token security checks. The checks can be disabled for specific actions via the property auth.token.ignore.actions or for specific portlets via the init parameter check-auth-token in portlet.xml.
auth.token.check.enabled=true
Set the authentication token class. This class must implement com.liferay.portal.security.auth.AuthToken. This class is used to prevent CSRF attacks. See http://issues.liferay.com/browse/LPS-8399 for more information.
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken
Enter a comma-delimited list of Struts actions that will not be checked for an authentication token.
auth.token.ignore.actions=\
/asset/rss,\
\
/asset_publisher/edit_article_discussion,\
/asset_publisher/edit_entry_discussion,\
/asset_publisher/edit_file_entry_discussion,\
/asset_publisher/edit_page_discussion,\
\
/blogs/edit_entry,\
/blogs/edit_entry_discussion,\
/blogs/rss,\
\
/blogs_aggregator/edit_entry,\
/blogs_aggregator/edit_entry_discussion,\
/blogs_aggregator/rss,\
\
/calendar/edit_event_discussion,\
\
/document_library/edit_file_entry,\
/document_library/edit_file_entry_discussion,\
\
/document_library_display/edit_file_entry,\
/document_library_display/edit_file_entry_discussion,\
\
/journal/edit_article_discussion,\
/journal/rss,\
\
/journal_content/edit_article_discussion,\
\
/image_gallery_display/edit_file_entry,\
/image_gallery_display/edit_image,\
\
/login/login,\
\
/message_boards/edit_discussion,\
/message_boards/edit_message,\
/message_boards/rss,\
\
/my_sites/view,\
\
/page_comments/edit_page_discussion,\
\
/shopping/edit_order_discussion,\
\
/software_catalog/edit_product_entry_discussion,\
\
/wiki/edit_page,\
/wiki/edit_page_attachment,\
/wiki/edit_page_discussion,\
/wiki/get_page_attachment,\
/wiki/rss,\
\
/wiki_admin/edit_page_attachment,\
\
/wiki_display/edit_page_discussion
Set a comma-delimited list of portlet IDs that will not be checked for an authentication token.
auth.token.ignore.portlets=82
Set the shared secret that is used for requests where it is not possible to generate an authentication token (i.e. WSRP).
auth.token.shared.secret=BAHyWOT9TbPB
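The following is an added example, not part of the Liferay guide or Liferay's own code: a small Python audit that parses properties in the backslash-continued format shown above and lists the auth.token.* settings a reviewer would want to look at. The function names, the constructed sample input, and the choice to flag ignored actions whose name contains /edit_ are assumptions of this example.

```python
# Added example: audit the auth.token.* settings described on this page.
DOCUMENTED_DEFAULT_SECRET = "BAHyWOT9TbPB"  # default value shown on the page

# Constructed sample of effective settings (not from a real deployment).
SAMPLE = """\
auth.token.check.enabled=false
auth.token.ignore.actions=\\
    /blogs/rss,\\
    \\
    /wiki/edit_page,\\
    /login/login
auth.token.ignore.portlets=82
auth.token.shared.secret=BAHyWOT9TbPB
"""

def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash.
    Simplified: '=' separator only, no escape sequences."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            buf += line[:-1]  # continuation: drop the backslash, keep reading
            continue
        key, _, value = (buf + line).partition("=")
        props[key.strip()] = value.strip()
        buf = ""
    return props

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(props):
    """Return review items for a dict of effective auth.token.* settings."""
    findings = []
    if props.get("auth.token.check.enabled", "true").lower() != "true":
        findings.append("auth.token.check.enabled is not true: token checks are off")
    if props.get("auth.token.shared.secret") == DOCUMENTED_DEFAULT_SECRET:
        findings.append("auth.token.shared.secret is the documented default value")
    for action in split_list(props.get("auth.token.ignore.actions", "")):
        if "/edit_" in action:
            findings.append(f"token check skipped for edit action {action}")
    for pid in split_list(props.get("auth.token.ignore.portlets", "")):
        findings.append(f"token check skipped for portlet id {pid}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE))))
```

Each returned line is an item to review against the deployment's needs, since every exemption narrows the coverage of the CSRF token check.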