Preventing CSRF in Liferay
Cross Site Request Forgery (CSRF) is where an attacker tricks a user into executing malicious requests. Once you are authenticated into a web application, any request coming from that browser will seem legitimate. Attackers can send users malicious links in emails, or post them on forums, websites and even your own web application. The solution is to use a shared secret so that requests without the secret are ignored.
Liferay handles some of this for us through the use of authorization tokens. The auth tokens can be enabled by setting the property “auth.token.check.enabled=true” in the portal-ext.properties file. What this does is place the “p_auth” and “p_p_auth” query-string parameters in Uniform Resource Locators (URLs) when they are generated. Unfortunately this only protects URLs generated using
Example AJAX call
The next step is to take the value assigned to “p_auth” and validate it server side. This is shown below in the use of AuthTokenUtil. It relies on throwing an exception to signal an invalid authorization token. This means the code in a serveResource method needs to be in a try/catch block, with the AuthTokenUtil.checkCSRFToken call being the first statement inside the block.
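A serveResource method written in that pattern, as an added example that is not code from the original post. It assumes Liferay 6.x package names (com.liferay.portal.security.auth.AuthTokenUtil, com.liferay.portal.util.PortalUtil, com.liferay.util.bridges.mvc.MVCPortlet) and the checkCSRFToken(HttpServletRequest, String origin) signature; the portlet class name and the JSON payload are made up for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.security.auth.AuthTokenUtil;   // assumed 6.x package
import com.liferay.portal.util.PortalUtil;               // assumed 6.x package
import com.liferay.util.bridges.mvc.MVCPortlet;          // assumed 6.x package

// Hypothetical portlet name; only the serveResource structure matters here.
public class CsrfProtectedPortlet extends MVCPortlet {

    private static final Log _log = LogFactoryUtil.getLog(CsrfProtectedPortlet.class);

    @Override
    public void serveResource(ResourceRequest resourceRequest, ResourceResponse resourceResponse)
            throws IOException, PortletException {

        // AuthTokenUtil works on the servlet request, where the "p_auth"
        // parameter added to generated URLs is available.
        HttpServletRequest httpRequest = PortalUtil.getHttpServletRequest(resourceRequest);

        try {
            // First statement inside the try block: a missing or wrong "p_auth"
            // makes this throw, so nothing below it runs for a forged request.
            AuthTokenUtil.checkCSRFToken(httpRequest, CsrfProtectedPortlet.class.getName());

            // Only reached for requests that carry the valid token.
            resourceResponse.setContentType("application/json");
            PrintWriter writer = resourceResponse.getWriter();
            writer.write("{\"status\":\"ok\"}");   // constructed sample payload
            writer.flush();
        }
        catch (PortalException pe) {
            // Reject the request and leave an audit trail for detection/triage.
            _log.warn("Rejected resource request with invalid CSRF token from "
                + httpRequest.getRemoteAddr());
            resourceResponse.setProperty(ResourceResponse.HTTP_STATUS_CODE,
                String.valueOf(HttpServletResponse.SC_FORBIDDEN));
        }
    }
}
```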