Discussion Forums

the cookie in iframe portlet

Bill Butler, modified 15 years ago.

the cookie in iframe portlet

New Member Posts: 16 Join Date: 24/08/06
I am developing a 'portlet' to deploy in liferay using liferay's iframe portlet. I'd like to access the user credentials passed by liferay in the cookie in the http header.

When I print out the cookie while testing I get something like:

JSESSIONID=B1080D65F711EAA5755FE887751319D8; GUEST_LANGUAGE_ID=en_US; SCREEN_NAME=354533767934545a4742513d; LOGIN=776275746c657240706172746e6572732e6f7267; COOKIE_SUPPORT=true; JSESSIONID=901C41A3DCA505DFB53C06D32BDD4763; COMPANY_ID=1; ID=686d49483333762f527a6b3d; PASSWORD=6e32424d6c626661475a553d

I assume that several of those fields are based on fields with similar names in the user_ table.

What is the hash algorithm here? I don't think it's the base 64 encoding of SHA1 digest used by liferay for the password in the Basic authentication header.

Thanks,

Bill Butler
Bill Butler, modified 15 years ago.

RE: the cookie in iframe portlet

New Member Posts: 16 Join Date: 24/08/06
This gave me motivation finally to install the ext environment.

Suppose we have User u and Company c.

c has a field in the corresponding company table named key_. key_ deserializes into an object of class javax.crypto.spec.SecretKeySpec (I guess liferay provides this when you instantiate and save a Company object). You can get such an object by hand by invoking the stringToObject method of com.liferay.portal.kernel.util.Base64 on it, or, if liferay has handed you a company object, by invoking its getKeyObj() method.

Extracting from the liferay source code (mainly com.liferay.util.Encryptor, com.liferay.portal.util.CookieKeys, and com.liferay.portal.action.LoginAction), reexpressing things in jython, and making sure everything we need is in the class path gives:

from javax.crypto import Cipher
from org.apache.commons.codec.binary import Hex
from com.liferay.portal.kernel.util import Base64
from java.lang import String

def encrypt(keyObj, plainText):
    ENCODING = "UTF-8"
    # The cipher algorithm is taken from the company's key object
    cipher = Cipher.getInstance(keyObj.getAlgorithm())
    cipher.init(Cipher.ENCRYPT_MODE, keyObj)
    decryptedBytes = String(plainText).getBytes(ENCODING)
    encryptedBytes = cipher.doFinal(decryptedBytes)
    # Base64-encode the ciphertext, then hex-encode the Base64 text
    b64 = String(Base64.encode(encryptedBytes))
    return String(Hex.encodeHex(b64.getBytes()))

# (um, after saving I note that the indentation--needed by python--is lost when this post is displayed)

# such that calling

encrypt(c.getKeyObj(), 'a real screen name')

# returns the screen name seen in the cookie in the previous post. You can also pass the userId (as a String) to get the LOGIN and the raw password to get the PASSWORD respectively in the cookie in the post above.

Thanks,

BB
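
Added example (not part of the original posts and not Liferay code): the Hex(Base64(ciphertext)) chain described in the post above, undone in plain Python for three values copied from the cookie in the first post. It strips only the two encoding layers; the ciphertext underneath stays opaque without the company key. The function names are this example's own.

```python
import base64
import binascii

# Subset of the cookie quoted in the first post of this thread.
COOKIE = ("SCREEN_NAME=354533767934545a4742513d; "
          "ID=686d49483333762f527a6b3d; "
          "PASSWORD=6e32424d6c626661475a553d; "
          "COMPANY_ID=1; COOKIE_SUPPORT=true")


def parse_cookie(header):
    """Split a Cookie header into (name, value) pairs, keeping duplicates."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def peel(value):
    """Undo Hex(Base64(ciphertext)).

    Returns (base64_text, ciphertext_bytes), or None when the value
    does not have that shape (plain flags, session ids, and so on).
    """
    try:
        b64 = binascii.unhexlify(value).decode("ascii")
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # covers bad hex, non-ASCII bytes and bad Base64
        return None
    return (b64, raw) if raw else None


def audit(header):
    """Map each cookie name to what sits under its encoding layers."""
    report = {}
    for name, value in parse_cookie(header):
        peeled = peel(value)
        if peeled is None:
            report[name] = None
        else:
            b64, raw = peeled
            report[name] = {"base64": b64, "ciphertext_bytes": len(raw)}
    return report


if __name__ == "__main__":
    for name, info in audit(COOKIE).items():
        print(name, info)
```

Each of the three encoded values comes out as 8 bytes of ciphertext, so the hex and Base64 steps add no secrecy of their own; the confidentiality of the cookie contents rests on the company key alone.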