-1

I am using Liferay 6.2-ce-ga3, primefaces 6 and JSF2.1. I have enabled CSRF protection for my portlet adding the follow code in liferay portal-ext.properties and portlet portal-ext.properties:

auth.token.check.enabled=true
auth.token.impl=com.liferay.portal.security.auth.SessionAuthToken

futhermore, I've added in portlet.xml

<init-param>
  <name>check-auth-token</name>
  <value>true</value>
</init-param>

For test, I removed p_auth=<code> from my form url then I submitted the form and it's worked. That's not good, I't should not allow the request without the token.

  1. did I forget add a filter in configuration?
  2. how liferay check the p_auth?
  3. should I check manually p_auth token in my bean like this tutorial?
TuGordoBello
  • 4,350
  • 9
  • 52
  • 78

1 Answers1

1

Liferay's p_auth token protects against CSRF during the ACTION_PHASE of the portlet lifecycle. I believe that it is enabled by default in Liferay 6.2, so you shouldn't need to configure anything for it.

The p_auth token must be present for a form to submit without error during the ACTION_PHASE. However, the p_auth parameter has no effect during the RESOURCE_PHASE which is the phase where JSF Ajax form submissions are executed. So you may be dealing with a JSF Ajax request. Thankfully, JSF also has its own CSRF protection enabled by default in the view state. So you are safe from CSRF with both Ajax and non-Ajax form submissions when you use Liferay Faces.

If you confirm that p_auth has no effect during a non-Ajax form submission, there may be a security vulnerability (or an issue with your configuration). You should update to the latest version of Liferay Portal* and retest. If you are still having issues, report a secure issue: https://issues.liferay.com/secure/CreateIssue.jspa?pid=10952&issuetype=1.

*Liferay Portal 6.2 GA6 is the latest in the 6.2 line, and Liferay Portal 7.0 GA7 is the latest CE release overall. Of course there are EE releases that may have more bug fixes as well.

stiemannkj1
  • 4,418
  • 3
  • 25
  • 45