Thanks Tomas for your quick response 
Below both properties i'm not using in portal-ext.properties and also checked with empty values for below properties
I'm Using server resource(AJAX) method. for submitting form. Whether any to append that parameter in url for server resource method.
In addition of above i checked in myaccount portlet also.There is no p_auth value in url.
Thanks In Advance
Manish Yadav
Below both properties i'm not using in portal-ext.properties and also checked with empty values for below properties
auth.token.ignore.actions
auth.token.ignore.portletsI'm Using server resource(AJAX) method. for submitting form. Whether any to append that parameter in url for server resource method.
In addition of above i checked in myaccount portlet also.There is no p_auth value in url.
Thanks In Advance
Manish Yadav
Ahh, got it
You are right, we don't check p_auth in resource serving.
To implement CSRF checking you need 2 things:
1, Include it into URL when submitting
2, Check it on server side and deny access to the resource when the token is invalid
For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains CSRF token you can use from your JS and include it into the resource request call.
For #2:
it's up to you where you check it. Some thoughts:
* I don't think it's a good to check it on a global portal level, this could make portal unstable
* It's better to check it only for your portlet/functionality you want to guard.
To the implementation
- I'd create a portlet filter for the resource phase
- there I'd check the CSRF token - use AuthTokenUtil.getToken(PortalUtil.getHttpServletRequest(resourceRequest)) to obtain the token
You can then only map the filter to portlet(s) you want to guard using the CSRF token.
I hope it would to work, I didn't try it
-- tom +
You are right, we don't check p_auth in resource serving.
To implement CSRF checking you need 2 things:
1, Include it into URL when submitting
2, Check it on server side and deny access to the resource when the token is invalid
For #1:
In 6.1 GA2 there is a global JS variable named Liferay.authToken. It contains CSRF token you can use from your JS and include it into the resource request call.
For #2:
it's up to you where you check it. Some thoughts:
* I don't think it's a good to check it on a global portal level, this could make portal unstable
* It's better to check it only for your portlet/functionality you want to guard.
To the implementation
- I'd create a portlet filter for the resource phase
- there I'd check the CSRF token - use AuthTokenUtil.getToken(PortalUtil.getHttpServletRequest(resourceRequest)) to obtain the token
You can then only map the filter to portlet(s) you want to guard using the CSRF token.
I hope it would to work, I didn't try it
-- tom +
