Discussion forums
Autologin
darren rose, modified 8 years ago.
Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
Hi,
I need to email users a link, which they may click to auto login
The link will need to contain the path to a specific portlet and some custom parameters used to perform authentication
Any help welcomed on implementing an auto login hook, and redirecting to a particular path.
I am using Liferay 6.2 CE bundled with Tomcat 7
regards
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
Gonna be tough. The Liferay code to authenticate is buried in portal-impl.jar so it's not exposed to a non-core portlet.
The email link and parameters is pretty easy in comparison.
I guess your best reference is probably the Liferay email verification (you create account, Liferay sends you email, it gets you into the "set password" page).
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
David H Nebinger:
Gonna be tough. The Liferay code to authenticate is buried in portal-impl.jar so it's not exposed to a non-core portlet.
The email link and parameters is pretty easy in comparison.
I guess your best reference is probably the Liferay email verification (you create account, Liferay sends you email, it gets you into the "set password" page).
What about a hook that implements auto login?
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
A hook is not a portlet on a page...
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
and?
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
darren rose:
and?
Hi,
Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?
e.g.
server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt
The parameters are checked and, provided they are valid, the user is identified, logged in and taken to the page.
regards
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
darren rose:
darren rose: and?
Hi,
Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?
e.g.
server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt
The parameters are checked and, provided they are valid, the user is identified, logged in and taken to the page.
regards
If I implement this:
https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html
I have access to the entire request and response objects and can set the location right?
regards
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
darren rose:
If I implement this:
https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html
I have access to the entire request and response objects and can set the location right?
Yep.
So your custom portlet on the special page can check the parameters to ensure they are correct and then redirect back to the portal using a specially crafted URL which can be used by your auto login hook to authenticate and 'log in' the user.
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
I have successfully performed the following auto login by:
adding the following to portal-ext.properties
auto.login.hooks=com.liferay.portal.security.auth.ParameterAutoLogin
on a development server with Liferay running as root context this works:
http://dev1:8080/web/guest/test-auto-login1?parameterAutoLoginLogin=123456&parameterAutoLoginPassword=test123
but on our pre prod servers with Liferay running as /portal, the below does not work
http://preprod:8080/portal/web/guest/test-auto-login1?parameterAutoLoginLogin=123456&parameterAutoLoginPassword=test123
Liferay 6.2 CE is used in both cases, is there something related to the context that affects how ParameterAutoLogin works?
regards
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
we are using:
company.security.auth.type=screenName
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
There's nothing in there which indicates that it would be based on portal context.
It does verify the screen name and password against the DB, so you might check to ensure that the values in preproduction are correct.
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
David H Nebinger:
There's nothing in there which indicates that it would be based on portal context.
It does verify the screen name and password against the DB, so you might check to ensure that the values in preproduction are correct.
If I implement the interface AutoLogin, is this invoked before my CustomAuthenticator?
auto.login.hooks=my.CustomAutoLogin
auth.pipeline.pre=my.CustomAuthenticator
login.events.post=my.CustomPostLoginWorkflow
darren rose, modified 8 years ago.
RE: Autologin
Regular Member Posts: 215 Join Date: 04/04/15 Recent Posts
David H Nebinger:
darren rose: If I implement this:
https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html
I have access to the entire request and response objects and can set the location right?
Yep.
So your custom portlet on the special page can check the parameters to ensure they are correct and then redirect back to the portal using a specially crafted URL which can be used by your auto login hook to authenticate and 'log in' the user.
Hi,
I have now successfully implemented a hook that implements AutoLogin and logs the customer in successfully.
The remaining issue I have is, if I set the request attribute AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE to a page that does not have Guest access, the user is directed back to the default page. Why is this?
regards
Patrick Wolf, modified 8 years ago.
RE: Autologin
Regular Member Posts: 127 Join Date: 15/09/10 Recent Posts
Fortunately you are not considering security as an important point.
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
Well, security through obscurity, I guess. Would allow you to have a portal of protected assets that would block joe public from getting in there, you wouldn't have to manage individual user accounts, ... Obscurity of the parameter values would be key.
Patrick Wolf, modified 8 years ago.
RE: Autologin
Regular Member Posts: 127 Join Date: 15/09/10 Recent Posts
Yes.
I meant that these kinds of requirements of tweaking log-in default functionalities may involve serious security issues. But it depends on whether you have confidential assets or not. If you do not want to disclose information about members and content, you'd better not implement auto login and explain to the client who asked for it that it may not be a good idea.
David H Nebinger, modified 8 years ago.
RE: Autologin
Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
darren rose:
Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?
e.g.
server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt
The parameters are checked and, provided they are valid, the user is identified, logged in and taken to the page.
Sure. You could set up a simple JSP page that does a check to see if a parm is there and has a required value and only show the content in that case. Since it would be evaluated on the server, the parm/value do not get exposed in the web page.
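An added example, not part of the thread and not Liferay code: one way to check the link parameters discussed above, using an HMAC-SHA256 over the screen name, issue time and target path in place of a salted MD5, with an expiry. The class name, the parameter names `u`, `t` and `sig`, and the demo key are assumptions; wiring the result into an `AutoLogin` hook is left out.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SignedLoginLink {
    private final byte[] key;          // server-side secret (assumption: loaded from config)
    private final long maxAgeSeconds;  // how long a link stays valid

    public SignedLoginLink(byte[] key, long maxAgeSeconds) {
        this.key = key.clone();
        this.maxAgeSeconds = maxAgeSeconds;
    }

    // Hex HMAC-SHA256 over screen name, issue time and target path.
    private String mac(String screenName, long issuedAt, String path) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        String msg = screenName + "\n" + issuedAt + "\n" + path;
        byte[] raw = hmac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Query string to append to the page URL (screen name assumed URL-safe).
    public String sign(String screenName, long issuedAt, String path) throws Exception {
        return "u=" + screenName + "&t=" + issuedAt + "&sig=" + mac(screenName, issuedAt, path);
    }

    // True only for an untampered, unexpired link issued for this exact path.
    public boolean verify(String screenName, String t, String sig, String path, long now) throws Exception {
        if (screenName == null || t == null || sig == null) return false;
        long issuedAt;
        try { issuedAt = Long.parseLong(t); } catch (NumberFormatException e) { return false; }
        if (issuedAt > now || now - issuedAt > maxAgeSeconds) return false;
        byte[] expected = mac(screenName, issuedAt, path).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison: does not reveal how many leading bytes matched.
        return MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        SignedLoginLink link = new SignedLoginLink("constructed-demo-key".getBytes(StandardCharsets.UTF_8), 900);
        String path = "/portal/path/to/protected/page";
        String sig = link.sign("123456", 1000L, path).split("&sig=")[1];
        System.out.println(link.verify("123456", "1000", sig, path, 1500L)); // untampered link
        System.out.println(link.verify("654321", "1000", sig, path, 1500L)); // screen name altered
        System.out.println(link.verify("123456", "1000", sig, path, 5000L)); // older than maxAgeSeconds
    }
}
```

Because the target path is part of the signed message, a link issued for one page does not verify for another. Making a link single-use would additionally need server-side state, which this example does not keep.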