Fóruns

Início » Liferay Portal » English » 6. Portal Framework

Visualização combinada Visão plana Exibição em árvore
Tópicos [ Anterior | Próximo ]
toggle
Stian Sigvartsen
Token based LR 6 webservice authentication
7 de Dezembro de 2011 00:49
Resposta

Stian Sigvartsen

Ranking: Junior Member

Mensagens: 98

Data de entrada: 27 de Agosto de 2010

Mensagens recentes

I've implemented an architecture which has Liferay as the user authenticator and authoriser such that all permissions are given to users via Liferay roles etc.

Requests to some portlets run in separate web applications on the same Tomcat host. So the Servlet request dispatcher is used and the Tomcat "crossContext" feature is set to true for these web applications to enable this to work.

Now, the complexity...

When processing such requests, occasionally it is useful to call Liferay service builder webservices to retrieve information about assets for display within the portlet.
Because Liferay's webservices require authentication, I believe this means that the servlet must know both the user's username and password to authenticate with. So the easy approach seems to be to setup a special user in Liferay which is used for all requests from these servlets.

Unfortunately this isn't what I require. I would like the webservices to be called as if the user currently logged into Liferay (who triggered the portlet request) is making the call. And I want the calls to fail (i.e. RemoteException) if the user isn't currently logged in. For example their session could have timed out.

Is anyone aware of an approach to achieving this?

The most sensible approach I can think of at present would be for Liferay to propagate a token of some sort which could be given back to the Liferay webservices when invoked. The token would simply reference an active session on Liferay. Is this possible?

Any advice would be greatly appreciated.

-Stian
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
5 de Dezembro de 2011 15:23
Resposta

Stian Sigvartsen

Ranking: Junior Member

Mensagens: 98

Data de entrada: 27 de Agosto de 2010

Mensagens recentes

After some further thought I believe that if Liferay supported OAuth as a service provider for its webservices then this would be perfect for my requirements. Though I cannot find any documentation suggesting that this is available. Any thoughts?

I see OAuth is available in portal trunk for OpenSocial and due for release with Liferay 6.1. I don't believe this meets my requirements?
Olaf Kock
RE: Token based LR 6 webservice authentication
14 de Maio de 2012 09:12
Resposta

Olaf Kock

LIFERAY STAFF

Ranking: Liferay Legend

Mensagens: 1838

Data de entrada: 23 de Setembro de 2008

Mensagens recentes

I may be missing something obvious, but you seem to access your services from a Liferay Plugin - why not use the services through Java and directly call the *ServiceUtil implementations directly? This way you don't need all this extra indirections and get the ServiceContext and stay in the context of the current user
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
21 de Maio de 2012 00:07
Resposta

Stian Sigvartsen

Ranking: Junior Member

Mensagens: 98

Data de entrada: 27 de Agosto de 2010

Mensagens recentes

I wasn't aware that there were non-local Util classes such as UserServiceUtil. These should meet my requirements for permission checking. Thanks!

I actually need to be able to make these services accessible outside of the Java context and preferably over webservices implemented using REST or SOAP. This should be now quite possible by implementing a layer of indirection. It will probably end up as a plug-in project, requiring no changes to the Liferay core, or simply as another web application deployed to the same container. I'll have a look at the feasibility of using the Spring security implementation of OAuth 2.0 (https://github.com/SpringSource/spring-security-oauth).

-Stian