Cameron McBride
How to lock down the login portlet with https?
January 28, 2012 11:04 AM

We have an externally hosted site with Omegabit and Liferay 6.0.6 CE. We have set up an https certificate and added company.security.auth.requires.https=true to the portal-ext.properties file.

What works:
If the user clicks sign in at the top, they are redirected to https and land on the login portlet.

What doesn't work:
If the user goes to the home page we have some welcome message and the login portlet. The form post url for the login portlet is not https. Looking at the code for the login.jsp I do not understand why it is not an https url:

        <portlet:actionURL secure="<%= PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS || request.isSecure() %>" var="loginURL">
            <portlet:param name="saveLastPath" value="0" />
            <portlet:param name="struts_action" value="/login/login" />
        </portlet:actionURL>


I even tried changing it to just secure="true" for a test and it did not seem to make a difference. What would cause that to be ignored and an http url be generated?

Is there any other easy way to lock this thing down to https?

Thanks!
Tony Rad
RE: How to lock down the login portlet with https?
January 28, 2012 6:03 PM

Hi Cameron,

assuming you are using Tomcat.
1) Double check that TOMCAT_HOME/conf/server.xml is redirecting http traffic to port 443:

<!-- requests that require a CONFIDENTIAL transport on port 80 are sent to redirectPort -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />


2) modify the portal web.xml (TOMCAT_HOME/ROOT/web.xml) file adding the following:
<security-constraint>
   <display-name>Security Constraint</display-name>
   <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- If you list http methods, only those methods are protected -->
   </web-resource-collection>
   <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area;
           omit this block if you only want to force HTTPS (the
           transport-guarantee below does that on its own) -->
      <role-name>source</role-name>
   </auth-constraint>
   <user-data-constraint>
      <!-- CONFIDENTIAL makes Tomcat redirect plain-http requests to redirectPort -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Form-Based Authentication Area</realm-name>
   <form-login-config>
     <form-login-page>PATH_TO_LOGIN_PAGE</form-login-page>
     <form-error-page>PATH_TO_ERR_PAGE</form-error-page>
   </form-login-config>
</login-config>

Regards
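A way to verify the result after applying the steps above, added here as an example and not part of either post: it checks that every form on a page (the login portlet's form in particular) posts to an https URL, and that a plain-http response is a redirect to https. The hostname, HTML and response headers are constructed for the example.

```python
"""Verify that a portal page's forms post over HTTPS and that plain-HTTP
requests are redirected to HTTPS. The HTML and headers below are constructed
samples (hostname portal.example.com is made up), not a captured Liferay page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_actions(page_url, html):
    """Return form actions (resolved against page_url) that would post over
    plain HTTP, e.g. a login portlet whose actionURL was not generated secure."""
    parser = _FormActions()
    parser.feed(html)
    resolved = [urljoin(page_url, a) for a in parser.actions]
    return [u for u in resolved if urlsplit(u).scheme != "https"]


def redirects_to_https(status, headers):
    """True if the response is a redirect whose Location uses HTTPS, which is
    what Tomcat's redirectPort / CONFIDENTIAL transport-guarantee produce."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return urlsplit(location).scheme == "https"


# Constructed sample: a home page whose login form still posts over http
# (the symptom in the question) next to a form that is already fine.
SAMPLE_PAGE_URL = "http://portal.example.com/web/guest/home"
SAMPLE_HTML = """<html><body><p>Welcome!</p>
<form action="http://portal.example.com/web/guest/home?struts_action=%2Flogin%2Flogin" method="post">
  <input name="login"><input name="password" type="password">
</form>
<form action="https://portal.example.com/search" method="get"></form>
</body></html>"""
# Constructed sample: what a correctly configured connector returns for http://.
SAMPLE_REDIRECT = (302, {"Location": "https://portal.example.com/web/guest/home"})

if __name__ == "__main__":
    for action in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form posts over plain HTTP:", action)
    print("http -> https redirect ok:", redirects_to_https(*SAMPLE_REDIRECT))
```

Against a live site, fetch the home page and the http:// response with any HTTP client and feed them to the two functions.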