Message Boards

Authentication for private RSS feeds

Ray Augé, modified 14 years ago.

Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
Hey All,

I'm working on a simple pattern for forcing basic authentication for private RSS feeds (with optional required HTTPS).

The only issue codewise is that in order to have a servlet filter recognize that the feed is private we need to make a new mapping for the RSS actions, something like /blogs/secure/rss.

This would allow the forcing of proper authentication by a servlet filter.

The whole point is to allow private RSS feeds to be consumed by external clients, and in 99% of cases, they support basic authentication and SSL. The problem is that external clients can't use FORM authentication of the portal to reach the private pages, making existing private RSS feeds all but useless.

Does anyone see other issues I haven't thought of?
Ray Augé, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
Here is the servlet filter config I'm testing:

	<filter>
		<filter-name>Secure RSS Filter</filter-name>
		<filter-class>com.liferay.portal.servlet.filters.secure.SecureFilter</filter-class>
		<init-param>
			<param-name>basic_auth</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>portal_property_prefix</param-name>
			<param-value>secure.rss.</param-value>
		</init-param>
		<init-param>
			<param-name>url-regex-pattern</param-name>
			<param-value>.+/rss</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/blogs/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/journal/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/message_boards/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/tags/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/wiki/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>


Note that /group, /user already imply private mappings, so there is nothing to change for purely "portlet" driven feeds.

Additional Note: I added
		<init-param>
			<param-name>url-regex-pattern</param-name>
			<param-value>.+/rss</param-value>
		</init-param>

so that in the case of the portlet driven feeds, as long as you have its RSS behavior mapped to */rss in the FriendlyURLMapper it'll inherit authentication by this filter config.

Ideally the patterns for /c/blogs/rss, /c/journal/rss, /c/message_boards/rss, /c/tags/rss, /c/wiki/rss should be distinct as being "private" feeds.

I was thinking /c/blogs/secure/rss, /c/journal/secure/rss, /c/message_boards/secure/rss, /c/tags/rss, /c/wiki/secure/rss or something like that.

The reason why this is needed is so that "public" feeds continue to work without authentication being forced.

The additional mappings would simply be copies of their non-private mappings:

		<action path="/blogs/secure/rss" type="com.liferay.portlet.blogs.action.RSSAction" />
		<action path="/journal/secure/rss" type="com.liferay.portlet.journal.action.RSSAction" />
		<action path="/message_boards/secure/rss" type="com.liferay.portlet.messageboards.action.RSSAction" />
		<action path="/tags/secure/rss" type="com.liferay.portlet.tags.action.RSSAction" />
		<action path="/wiki/secure/rss" type="com.liferay.portlet.wiki.action.RSSAction" />


PS: Make sure to change the filter mappings above to match these mappings now.

This of course would mean small code changes wherever those urls are embedded in the site, such that when the page is a private page the "secure" mapping is output rather than the current default mapping.

I think that about covers it.
Ryan Park, modified 14 years ago.

RE: Authentication for private RSS feeds

Regular Member Posts: 120 Join Date: 07-8-28
Thanks Ray, this is awesome!

We ran into this problem in Social Office and we have since disabled support for RSS. However in Social Office a lot of pages tend to be public and simply have the guest view permission removed. Would these feeds also be accommodated to work under your system?

Thanks!
Ray Augé, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
In that case, you'd simply also include mappings that are normally "public":

	<!-- Add public mappings so they force authentication (i.e. SO) -->
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/blogs/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/journal/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/message_boards/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/tags/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/wiki/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/web/*</url-pattern>
	</filter-mapping>

	<!-- Private mappings that should always be authenticated -->
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/blogs/secure/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/journal/secure/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/message_boards/secure/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/tags/secure/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/c/wiki/secure/rss</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/group/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Secure RSS Filter</filter-name>
		<url-pattern>/user/*</url-pattern>
	</filter-mapping>


Nothing else should be required.
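A way to check which request paths a configuration like the one above would force through authentication, as an added example that is not part of the original posts or of Liferay's code. It assumes standard servlet url-pattern matching and that `url-regex-pattern` must match the whole request path; the web.xml fragment and sample paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the thread's filter with "secure" mappings only.
WEB_XML = """<web-app>
  <filter>
    <filter-name>Secure RSS Filter</filter-name>
    <init-param><param-name>url-regex-pattern</param-name><param-value>.+/rss</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>Secure RSS Filter</filter-name><url-pattern>/c/blogs/secure/rss</url-pattern></filter-mapping>
  <filter-mapping><filter-name>Secure RSS Filter</filter-name><url-pattern>/group/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>Secure RSS Filter</filter-name><url-pattern>/user/*</url-pattern></filter-mapping>
</web-app>"""
# Constructed request paths; the /-/blogs/rss friendly URL is hypothetical.
SAMPLE_PATHS = ["/c/blogs/rss", "/c/blogs/secure/rss",
                "/group/guest/home", "/group/guest/-/blogs/rss"]

def servlet_match(pattern, path):
    """Servlet-spec url-pattern matching: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def load_filter(xml_text, name):
    """Return (url_patterns, compiled_regex_or_None) for the named filter."""
    root = ET.fromstring(xml_text)
    regex = None
    for f in root.iter("filter"):
        if f.findtext("filter-name") == name:
            for p in f.iter("init-param"):
                if p.findtext("param-name") == "url-regex-pattern":
                    regex = re.compile(p.findtext("param-value"))
    patterns = [m.findtext("url-pattern") for m in root.iter("filter-mapping")
                if m.findtext("filter-name") == name]
    return patterns, regex

def audit(paths, xml_text=WEB_XML, name="Secure RSS Filter"):
    """Map each path to True when the filter would force authentication.
    Assumption: url-regex-pattern must match the whole request path."""
    patterns, regex = load_filter(xml_text, name)
    return {p: any(servlet_match(u, p) for u in patterns)
               and (regex is None or regex.fullmatch(p) is not None)
            for p in paths}

if __name__ == "__main__":
    for path, forced in audit(SAMPLE_PATHS).items():
        print("AUTH" if forced else "open", path)
```

With only the "secure" mappings present, the public `/c/blogs/rss` path stays open while the `/secure/rss` copy and any `/group/*` path ending in `/rss` are challenged.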
Jorge Ferrer, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 2871 Join Date: 06-8-31
Looks good to me.

This is a feature I've been wanting to have for a long time, thanks a lot Ray!
Ray Augé, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
You and me both!
Matthew Ropp, modified 14 years ago.

RE: Authentication for private RSS feeds

Junior Member Posts: 75 Join Date: 09-8-5
Ray-

Will this be making an appearance in an upcoming release? I assume this would allow me to use Liferay's built-in RSS portlet to read RSS feeds for message boards, etc. that are on private pages?

Thanks-

Matthew
Ray Augé, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
Good question!

I'll have to test that scenario. Currently the RSS Portlet is not that sophisticated. I'll have to confirm that either way.

Really what we're targeting are desktop clients. But it surely isn't our intention to block any kind of specific use cases.


Note: Even Google Reader doesn't support authenticated feeds based on my last check... if it does please tell me how!!! Although if our own RSS Portlet supported authenticated feeds, I might use it instead, and load it as a desktop widget!!! OHHH now I'm really intrigued.
Matthew Ropp, modified 14 years ago.

RE: Authentication for private RSS feeds

Junior Member Posts: 75 Join Date: 09-8-5
Thanks Ray.

We'd really love to be able to have users add an RSS feed on their private page that shows the entries for a message board that is on a (private) org page.

Matthew
Ray Augé, modified 14 years ago.

RE: Authentication for private RSS feeds

Liferay Legend Posts: 1197 Join Date: 05-2-8
Sounds like a good plan!

The solution just requires testing really, so when I have some time, I'll give it a more thorough test and then hopefully commit it.
Lari Tuominen, modified 14 years ago.

RE: Authentication for private RSS feeds

Expert Posts: 283 Join Date: 07-11-7
Hi Ray,

Any news on this one? Looking for the same feature as Matthew above.

- Lari
Jeremy Wier, modified 13 years ago.

RE: Authentication for private RSS feeds

New Member Posts: 9 Join Date: 09-10-15
The issue we are having is with RSS on the Activities portlet. I know there are existing issues being worked with regards to subscribing, but this is related to public vs private activities. I have placed an Activities portlet on the public home page of a community and activities for adding documents to the doc lib, forum posts, etc show up there even though these features are on private pages. I can then right click the subscribe link and copy the URL into my Outlook RSS Feed reader and am subscribed. However, nothing appears in the reader since all the activities come from private pages.

Not sure if the solution above would fix this or if anyone knows of any other way around this besides, obviously, moving the doc lib and forums to public pages, but that is not an option with some of our communities.

Thanks!