Stian Sigvartsen
Token based LR 6 webservice authentication
December 7, 2011 12:49 AM

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

I've implemented an architecture which has Liferay as the user authenticator and authoriser such that all permissions are given to users via Liferay roles etc.

Requests to some portlets run in separate web applications on the same Tomcat host. So the Servlet request dispatcher is used and the Tomcat "crossContext" feature is set to true for these web applications to enable this to work.

Now, the complexity...

When processing such requests, occasionally it is useful to call Liferay service builder webservices to retrieve information about assets for display within the portlet.
Because Liferay's webservices require authentication, I believe this means that the servlet must know both the user's username and password to authenticate with. So the easy approach seems to be to set up a special user in Liferay which is used for all requests from these servlets.

Unfortunately this isn't what I require. I would like the webservices to be called as if the user currently logged into Liferay (who triggered the portlet request) is making the call. And I want the calls to fail (i.e. RemoteException) if the user isn't currently logged in. For example their session could have timed out.

Is anyone aware of an approach to achieving this?

The most sensible approach I can think of at present would be for Liferay to propagate a token of some sort which could be given back to the Liferay webservices when invoked. The token would simply reference an active session on Liferay. Is this possible?

Any advice would be greatly appreciated.

-Stian
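
The token idea raised in the post above, as an added sketch that is not part of the original thread and is not Liferay code: an opaque random token that only references a live session, resolves to that session's user, and stops working on logout or timeout. The class name, method names and sample values are hypothetical; it assumes Java 16+ and that `revokeSession` is wired to a session listener.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
/** Hypothetical registry: opaque tokens that reference a live portal session. */
public class SessionTokenRegistry {
    private record Entry(String sessionId, long userId, Instant expires) {}
    private final Map<String, Entry> byHash = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;
    public SessionTokenRegistry(Duration ttl) { this.ttl = ttl; }

    /** Portal side: issue a token when dispatching a request for a logged-in user. */
    public String issue(String sessionId, long userId) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(sessionId, userId, Instant.now().plus(ttl)));
        return token;
    }

    /** Web-service side: map the token back to a user, or fail if the session is gone. */
    public long resolve(String token) {
        Entry e = byHash.get(hash(token));
        if (e == null || Instant.now().isAfter(e.expires()))
            throw new SecurityException("no active session for token");
        return e.userId();
    }

    /** Session listener hook (logout or timeout): drop every token of that session. */
    public void revokeSession(String sessionId) {
        byHash.values().removeIf(e -> e.sessionId().equals(sessionId));
    }

    // Only the SHA-256 of a token is stored, so a dump of the map yields no usable token.
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) {
        SessionTokenRegistry reg = new SessionTokenRegistry(Duration.ofMinutes(30));
        String t = reg.issue("constructed-session-1", 10001L); // constructed sample values
        System.out.println("user " + reg.resolve(t));
        reg.revokeSession("constructed-session-1");
        try { reg.resolve(t); } catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

The web-service layer would then run each call with the permissions of the resolved user rather than a shared service account, so a timed-out session makes the call fail as the post requires.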
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
December 5, 2011 3:23 PM

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

After some further thought I believe that if Liferay supported OAuth as a service provider for its webservices then this would be perfect for my requirements. Though I cannot find any documentation suggesting that this is available. Any thoughts?

I see OAuth is available in portal trunk for OpenSocial and due for release with Liferay 6.1. I don't believe this meets my requirements?
Olaf Kock
RE: Token based LR 6 webservice authentication
May 14, 2012 9:12 AM

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2098

Join Date: September 23, 2008

I may be missing something obvious, but you seem to access your services from a Liferay Plugin - why not use the services through Java and call the *ServiceUtil implementations directly? This way you don't need all these extra indirections and get the ServiceContext and stay in the context of the current user.
Stian Sigvartsen
RE: Token based LR 6 webservice authentication
May 21, 2012 12:07 AM

Stian Sigvartsen

Rank: Regular Member

Posts: 100

Join Date: August 27, 2010

I wasn't aware that there were non-local Util classes such as UserServiceUtil. These should meet my requirements for permission checking. Thanks!

I actually need to be able to make these services accessible outside of the Java context and preferably over webservices implemented using REST or SOAP. This should now be quite possible by implementing a layer of indirection. It will probably end up as a plug-in project, requiring no changes to the Liferay core, or simply as another web application deployed to the same container. I'll have a look at the feasibility of using the Spring security implementation of OAuth 2.0 (https://github.com/SpringSource/spring-security-oauth).

-Stian