Here’s a sample CURL request with the cookie and CSRF token: curl -H 'Cookie: JSESSIONID=27D7C95648D7CDBE3347601FC4543F5D' To do a cookie request from inside Liferay DXP, from JavaScript code or a Java Parameter, or by adding the URL to the whitelist of CSRF allowed URLs or disabling CSRFĬhecks altogether with the. property (application level). You must also provide the CSRF token by passing it in the p_auth query To do a request from outside Liferay DXP you must provide the Cookie identifier Token (a Cross-Site Request Forgery-CSRF-token). You can call the REST APIs using the existing session from outside Liferay DXPīy passing the session identifier (the cookie reference) and the Liferay Auth Using Cookie Authentication or Making Requests from the UI Permission to access, just like the response from Basic authentication. Once you have a valid OAuth 2.0 token, include it in the request’sĪuthorization header, specifying that the authentication type is aįor example: curl -H "Authorization: Bearer d5571ff781dc555415c478872f0755c773fa159" The response contains the resources that the authenticated user has Invoking the Service with an OAuth 2.0 Token To do this, see the tutorialĪuthorizing Account Access with OAuth 2. Next, you must get an OAuth 2.0 access token. ID and Client Secret values that appear at the top of the form. When creating the application, fill inĪpplication Name: Your application’s name.Īllowed Authorization Types: Check Client Credentials.Īfter clicking Save to finish creating the application, write down the Client (your web API’s consumer) as an authorized OAuth client. The following sections show you how to use OAuth 2.0 to authenticate web APIīefore using OAuth 2.0 to invoke a web API, you must register your application Liferay DXP 7.2 supports authorization via OAuth 2.0, which is a token-basedĪuthorization mechanism. "friendlyUrlPath": "authenticated-requests", "alternativeHeadline": "How to work with OAuth", Here’s an example of the opensslĬommand for encoding the user:password string for a user the password Liferay: openssl base64 We are happy to announce.", To do so, you can use openssl or a Base64 encoder. Basic Authenticationīasic authentication requires that you send an HTTP Authorization headerĬontaining the encoded user name and password. Requests to the APIs by sending the session token.įirst, you’ll learn how send requests with basic authentication. SeeĬookie/Session authentication: From inside the portal you can make direct OAuth 2.0: In Liferay DXP 7.2, you can use OAuth 2.0 for authentication. This is the simplest authentication protocol (available since There are three authentication mechanisms available when invoking web APIs:īasic Authentication: Sends the user credentials as an encoded user nameĪnd password pair. In this case, our application is vulnerable to CSRF like a stateful application: As the cookie will be sent automatically with any REST requests, a click on a malicious link can perform authenticated operations.To make an authenticated request, you must authenticate as a specific User. Of course, to keep our API stateless, we must never use the session on the server-side. This is typically what Spring Security provides with the JSESSIONID cookie. However, by doing this, our application will be vulnerable to XSS attacks like in the previous section.Īn alternative approach is to authenticate the requests from a session cookie, with the HTTP-only flag set to true. However, the HTTP-only flag must be turned to false to let our client read the cookie. In this case, our application is not vulnerable to CSRF: Even if the cookie is sent automatically across a malicious request, our REST API will read credentials from the authorization header and not from the cookie. Our JavaScript client will have to read the token and send it to the API in the authorization header. We can use a cookie to persist the credentials only, like a JWT, but not to authenticate the user. Then, the vulnerability of our application depends on how our application uses the cookie. Another option is to use a cookie to persist the credentials.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |