I've implemented an architecture which has Liferay as the user authenticator and authoriser such that all permissions are given to users via Liferay roles etc.

Requests to some portlets run in separate web applications on the same Tomcat host. So the Servlet request dispatcher is used and the Tomcat "crossContext" feature is set to true for these web applications to enable this to work.

Now, the complexity...

When processing such requests, occasionally it is useful to call Liferay service builder webservices to retrieve information about assets for display within the portlet.
Because Liferay's webservices require authentication, I believe this means that the servlet must know both the user's username and password to authenticate with. So the easy approach seems to be to setup a special user in Liferay which is used for all requests from these servlets.

Unfortunately this isn't what I require. I would like the webservices to be called as if the user currently logged into Liferay (who triggered the portlet request) is making the call. And I want the calls to fail (i.e. RemoteException) if the user isn't currently logged in. For example their session could have timed out.

Is anyone aware of an approach to achieving this?

The most sensible approach I can think of at present would be for Liferay to propagate a token of some sort which could be given back to the Liferay webservices when invoked. The token would simply reference an active session on Liferay. Is this possible?

Any advice would be greatly appreciated.

-Stian

After some further thought I believe that if Liferay supported OAuth as a service provider for its webservices then this would be perfect for my requirements. Though I cannot find any documentation suggesting that this is available. Any thoughts?

I see OAuth is available in portal trunk for OpenSocial and due for release with Liferay 6.1. I don't believe this meets my requirements?

I may be missing something obvious, but you seem to access your services from a Liferay Plugin - why not use the services through Java and directly call the *ServiceUtil implementations directly? This way you don't need all this extra indirections and get the ServiceContext and stay in the context of the current user

I wasn't aware that there were non-local Util classes such as UserServiceUtil. These should meet my requirements for permission checking. Thanks!

I actually need to be able to make these services accessible outside of the Java context and preferably over webservices implemented using REST or SOAP. This should be now quite possible by implementing a layer of indirection. It will probably end up as a plug-in project, requiring no changes to the Liferay core, or simply as another web application deployed to the same container. I'll have a look at the feasibility of using the Spring security implementation of OAuth 2.0 (https://github.com/SpringSource/spring-security-oauth).

-Stian