Vista combinada Visión Plana Vista de árbol
Discusiones [ Anterior | Siguiente ]
toggle
Stian Sigvartsen
Token based LR 6 webservice authentication
7 de diciembre de 2011 0:49
Respuesta

Stian Sigvartsen

Ranking: Regular Member

Mensajes: 103

Fecha de incorporación: 27 de agosto de 2010

Mensajes recientes

I've implemented an architecture which has Liferay as the user authenticator and authoriser such that all permissions are given to users via Liferay roles etc.

Requests to some portlets run in separate web applications on the same Tomcat host. So the Servlet request dispatcher is used and the Tomcat "crossContext" feature is set to true for these web applications to enable this to work.

Now, the complexity...

When processing such requests, occasionally it is useful to call Liferay service builder webservices to retrieve information about assets for display within the portlet.
Because Liferay's webservices require authentication, I believe this means that the servlet must know both the user's username and password to authenticate with. So the easy approach seems to be to setup a special user in Liferay which is used for all requests from these servlets.

Unfortunately this isn't what I require. I would like the webservices to be called as if the user currently logged into Liferay (who triggered the portlet request) is making the call. And I want the calls to fail (i.e. RemoteException) if the user isn't currently logged in. For example their session could have timed out.

Is anyone aware of an approach to achieving this?

The most sensible approach I can think of at present would be for Liferay to propagate a token of some sort which could be given back to the Liferay webservices when invoked. The token would simply reference an active session on Liferay. Is this possible?

Any advice would be greatly appreciated.

-Stian
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
5 de diciembre de 2011 15:23
Respuesta

Stian Sigvartsen

Ranking: Regular Member

Mensajes: 103

Fecha de incorporación: 27 de agosto de 2010

Mensajes recientes

After some further thought I believe that if Liferay supported OAuth as a service provider for its webservices then this would be perfect for my requirements. Though I cannot find any documentation suggesting that this is available. Any thoughts?

I see OAuth is available in portal trunk for OpenSocial and due for release with Liferay 6.1. I don't believe this meets my requirements?
Olaf Kock
RE: Token based LR 6 webservice authentication
14 de mayo de 2012 9:12
Respuesta

Olaf Kock

LIFERAY STAFF

Ranking: Liferay Legend

Mensajes: 2722

Fecha de incorporación: 23 de septiembre de 2008

Mensajes recientes

I may be missing something obvious, but you seem to access your services from a Liferay Plugin - why not use the services through Java and directly call the *ServiceUtil implementations directly? This way you don't need all this extra indirections and get the ServiceContext and stay in the context of the current user
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
21 de mayo de 2012 0:07
Respuesta

Stian Sigvartsen

Ranking: Regular Member

Mensajes: 103

Fecha de incorporación: 27 de agosto de 2010

Mensajes recientes

I wasn't aware that there were non-local Util classes such as UserServiceUtil. These should meet my requirements for permission checking. Thanks!

I actually need to be able to make these services accessible outside of the Java context and preferably over webservices implemented using REST or SOAP. This should be now quite possible by implementing a layer of indirection. It will probably end up as a plug-in project, requiring no changes to the Liferay core, or simply as another web application deployed to the same container. I'll have a look at the feasibility of using the Spring security implementation of OAuth 2.0 (https://github.com/SpringSource/spring-security-oauth).

-Stian