Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Stian Sigvartsen
Token based LR 6 webservice authentication
December 7, 2011 12:49 AM
Answer

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

Recent Posts

I've implemented an architecture which has Liferay as the user authenticator and authoriser such that all permissions are given to users via Liferay roles etc.

Requests to some portlets run in separate web applications on the same Tomcat host. So the Servlet request dispatcher is used and the Tomcat "crossContext" feature is set to true for these web applications to enable this to work.

Now, the complexity...

When processing such requests, occasionally it is useful to call Liferay service builder webservices to retrieve information about assets for display within the portlet.
Because Liferay's webservices require authentication, I believe this means that the servlet must know both the user's username and password to authenticate with. So the easy approach seems to be to setup a special user in Liferay which is used for all requests from these servlets.

Unfortunately this isn't what I require. I would like the webservices to be called as if the user currently logged into Liferay (who triggered the portlet request) is making the call. And I want the calls to fail (i.e. RemoteException) if the user isn't currently logged in. For example their session could have timed out.

Is anyone aware of an approach to achieving this?

The most sensible approach I can think of at present would be for Liferay to propagate a token of some sort which could be given back to the Liferay webservices when invoked. The token would simply reference an active session on Liferay. Is this possible?

Any advice would be greatly appreciated.

-Stian
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
December 5, 2011 3:23 PM
Answer

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

Recent Posts

After some further thought I believe that if Liferay supported OAuth as a service provider for its webservices then this would be perfect for my requirements. Though I cannot find any documentation suggesting that this is available. Any thoughts?

I see OAuth is available in portal trunk for OpenSocial and due for release with Liferay 6.1. I don't believe this meets my requirements?
Olaf Kock
RE: Token based LR 6 webservice authentication
May 14, 2012 9:12 AM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2103

Join Date: September 23, 2008

Recent Posts

I may be missing something obvious, but you seem to access your services from a Liferay Plugin - why not use the services through Java and directly call the *ServiceUtil implementations directly? This way you don't need all this extra indirections and get the ServiceContext and stay in the context of the current user
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
May 21, 2012 12:07 AM
Answer

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

Recent Posts

I wasn't aware that there were non-local Util classes such as UserServiceUtil. These should meet my requirements for permission checking. Thanks!

I actually need to be able to make these services accessible outside of the Java context and preferably over webservices implemented using REST or SOAP. This should be now quite possible by implementing a layer of indirection. It will probably end up as a plug-in project, requiring no changes to the Liferay core, or simply as another web application deployed to the same container. I'll have a look at the feasibility of using the Spring security implementation of OAuth 2.0 (https://github.com/SpringSource/spring-security-oauth).

-Stian