Forum

Autologin

darren rose, modified 8 years ago.

Autologin

Regular Member Posts: 215 Join Date: 04/04/15
Hi,

I need to email users a link, which they may click to auto login

The link will need to contain the path to a specific portlet and some custom parameters used to perform authentication

Any help welcomed on implementing an auto login hook, and redirecting to a particular path.

I am using Liferay 6.2 CE bundled with Tomcat 7

regards
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
Gonna be tough. The Liferay code to authenticate is buried in portal-impl.jar so it's not exposed to a non-core portlet.

The email link and parameters are pretty easy in comparison.

I guess your best reference is probably the Liferay email verification (you create account, Liferay sends you email, it gets you into the "set password" page).
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
David H Nebinger:
Gonna be tough. The Liferay code to authenticate is buried in portal-impl.jar so it's not exposed to a non-core portlet.

The email link and parameters are pretty easy in comparison.

I guess your best reference is probably the Liferay email verification (you create account, Liferay sends you email, it gets you into the "set password" page).



What about a hook that implements auto login?
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
A hook is not a portlet on a page...
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
and?
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
darren rose:
and?



Hi,

Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?

e.g.

server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt

the parameters are checked and, provided valid, the user is identified and logged in and taken to the page

regards
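
One way to check the link parameters described in this post, as an added example that is not part of the original thread or Liferay's own code: `pt5` carries an HMAC-SHA256 tag over the screen name, the target path and an expiry time, in place of a salted MD5. The class name, the meaning given to `p1` and `p2`, and the key are assumptions; `verify` is what an AutoLogin hook would call before logging the user in.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedLoginLink {
    private final byte[] key; // server-side secret, never placed in the link

    public SignedLoginLink(byte[] key) { this.key = key.clone(); }

    // MAC over every value the link carries, joined with a separator the values cannot contain.
    private String sign(String screenName, String path, long expiresAt) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        String msg = screenName + "\n" + path + "\n" + expiresAt;
        byte[] tag = mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public String issue(String screenName, String path, long expiresAt) throws Exception {
        return path + "?p1=" + URLEncoder.encode(screenName, "UTF-8") + "&p2=" + expiresAt
            + "&pt5=" + sign(screenName, path, expiresAt);
    }

    // Returns the screen name to log in, or null if the link must be rejected.
    public String verify(String path, String p1, String p2, String pt5, long now) throws Exception {
        if (p1 == null || p2 == null || pt5 == null || p1.contains("\n")) return null;
        long expiresAt;
        try { expiresAt = Long.parseLong(p2); } catch (NumberFormatException e) { return null; }
        byte[] expected = sign(p1, path, expiresAt).getBytes(StandardCharsets.US_ASCII);
        byte[] given = pt5.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time comparison
        if (now > expiresAt) return null;                         // link is past its lifetime
        return p1;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values (key, user, times), not taken from the thread.
        SignedLoginLink links = new SignedLoginLink("demo-key-change-me".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L, exp = now + 900;
        String path = "/portal/path/to/protected/page";
        System.out.println(links.issue("123456", path, exp));
        String tag = links.sign("123456", path, exp);
        System.out.println(links.verify(path, "123456", "" + exp, tag, now));     // untampered link
        System.out.println(links.verify(path, "999999", "" + exp, tag, now));     // screen name altered
        System.out.println(links.verify(path, "123456", "" + exp, tag, exp + 1)); // used after expiry
    }
}
```

A valid link can still be replayed until it expires; recording used tags on the server makes it single-use.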
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
darren rose:
darren rose:
and?



Hi,

Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?

e.g.

server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt

the parameters are checked and, provided valid, the user is identified and logged in and taken to the page

regards


If I implement this:

https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html

I have access to the entire request and response objects and can set the location right?

regards
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
darren rose:
If I implement this:

https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html

I have access to the entire request and response objects and can set the location right?


Yep.

So your custom portlet on the special page can check the parameters to ensure they are correct and then redirect back to the portal using a specially crafted URL which can be used by your auto login hook to authenticate and 'log in' the user.
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
I have successfully performed the following auto login by:

adding the following to portal-ext.properties
auto.login.hooks=com.liferay.portal.security.auth.ParameterAutoLogin

on a development server with Liferay running as root context this works:

http://dev1:8080/web/guest/test-auto-login1?parameterAutoLoginLogin=123456&parameterAutoLoginPassword=test123

but on our pre prod servers with Liferay running as /portal, the below does not work

http://preprod:8080/portal/web/guest/test-auto-login1?parameterAutoLoginLogin=123456&parameterAutoLoginPassword=test123

Liferay 6.2 CE is used in both cases, is there something related to the context that affects how ParameterAutoLogin works?

regards
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
we are using:

company.security.auth.type=screenName
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
There's nothing in there which indicates that it would be based on portal context.

It does verify the screen name and password against the DB, so you might check to ensure that the values in preproduction are correct.
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
David H Nebinger:
There's nothing in there which indicates that it would be based on portal context.

It does verify the screen name and password against the DB, so you might check to ensure that the values in preproduction are correct.


If I implement the interface AutoLogin, is this invoked before my CustomAuthenticator?

auto.login.hooks=my.CustomAutoLogin

auth.pipeline.pre=my.CustomAuthenticator

login.events.post=my.CustomPostLoginWorkflow
darren rose, modified 8 years ago.

RE: Autologin

Regular Member Posts: 215 Join Date: 04/04/15
David H Nebinger:
darren rose:
If I implement this:

https://docs.liferay.com/portal/6.2/javadocs/com/liferay/portal/security/auth/AutoLogin.html

I have access to the entire request and response objects and can set the location right?


Yep.

So your custom portlet on the special page can check the parameters to ensure they are correct and then redirect back to the portal using a specially crafted URL which can be used by your auto login hook to authenticate and 'log in' the user.


Hi,

I have now successfully implemented a hook that implements AutoLogin and logs the customer in successfully.

The remaining issue I have is, if I set the request attribute AutoLogin.AUTO_LOGIN_REDIRECT_AND_CONTINUE to a page that does not have Guest access, the user is directed back to the default page. Why is this?

regards
Patrick Wolf, modified 8 years ago.

RE: Autologin

Regular Member Posts: 127 Join Date: 15/09/10
Fortunately you are not considering security as an important point.
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
Well, security through obscurity, I guess. Would allow you to have a portal of protected assets that would block joe public from getting in there, you wouldn't have to manage individual user accounts, ... Obscurity of the parameter values would be key.
Patrick Wolf, modified 8 years ago.

RE: Autologin

Regular Member Posts: 127 Join Date: 15/09/10
Yes.
I meant that these kinds of requirements of tweaking log-in default functionalities may involve serious security issues. But it depends on whether you have confidential assets or not. If you do not want to disclose information about members and content, you'd better not implement auto login and explain to the client who asked for it that it may not be a good idea.
David H Nebinger, modified 8 years ago.

RE: Autologin

Liferay Legend Posts: 14919 Join Date: 02/09/06
darren rose:
Is it possible to have a link that a user can click, which then logs them in without intervention and takes them to a specified page?

e.g.

server.com/portal/path/to/protected/page?p1=xyz&p2=abc&p3=ghgh&pt5=md5ofotherswithsalt

the parameters are checked and, provided valid, the user is identified and logged in and taken to the page


Sure. You could set up a simple JSP page that does a check to see if a parm is there and has a required value and only show the content in that case. Since it would be evaluated on the server, the parm/value do not get exposed in the web page.