Message Boards

WebServices DIGEST security Liferay 6.2 EE

Illia Izotov, modified 9 years ago.

WebServices DIGEST security Liferay 6.2 EE

New Member Posts: 16 Join Date: 12-9-10 Recent Posts
Hello,

I was looking for a way to activate DIGEST security for WS, as the default one (Basic) is not secure enough for a production environment.

I tried the following in my web.xml, but it doesn't work:

    <filter>
        <filter-name>Secure JSON Web Service Servlet Filter</filter-name>
        <filter-class>com.liferay.portal.kernel.servlet.PortalClassLoaderFilter</filter-class>
        <init-param>
            <param-name>filter-class</param-name>
            <param-value>com.liferay.portal.servlet.filters.secure.SecureFilter</param-value>
        </init-param>
        <init-param>
            <param-name>basic_auth</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>digest_auth</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>portal_property_prefix</param-name>
            <param-value>jsonws.servlet.</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Secure JSON Web Service Servlet Filter</filter-name>
        <url-pattern>/api/*</url-pattern>
    </filter-mapping>
Tomas Polesovsky, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

Liferay Master Posts: 676 Join Date: 09-2-13 Recent Posts
Hi Illia,

I'm sorry, but from your report I don't know what doesn't work and why.

Can you please post more information?

Which file did you update? I see the configuration is from 6.1, but you stated you use 6.2. Do you have any exceptions / logs, or how do you know it doesn't work?

Thanks.
Illia Izotov, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

New Member Posts: 16 Join Date: 12-9-10 Recent Posts
Ok, I will try to describe a bit more.

I've created a WS portlet and generated the services using Liferay Service Builder. In general, my config is local-service="false" and remote-service="true" in the service.xml of my portlet.

I am trying to use another type of WS security system. I tried to modify the web.xml of the portlet.

I do not have any kind of log or stack trace, but when I'm calling the WS I can only use Basic authentication (regardless of

        <init-param>
            <param-name>basic_auth</param-name>
            <param-value>false</param-value>
        </init-param>


in web.xml.

And yes, I'm using Liferay 6.2 EE.


Thank you!
Tomas Polesovsky, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

Liferay Master Posts: 676 Join Date: 09-2-13 Recent Posts
This is the web.xml of the plugin, so it applies only to calls made to http://localhost:8080/my-plugin-portlet/api/jsonws/service/method. It disables HTTP Basic auth, enables HTTP Digest and forces the use of digest_auth only.

But it's important to know that the service is also available through the portal JSONWS API ... http://localhost:8080/api/jsonws/my-plugin-portlet.service/method. If you need to disable Basic and use Digest only, you need to configure portal-wide API authentication. Please see portal.properties.

<?xml version="1.0"?>
<web-app version="2.4">
	<filter>
		<filter-name>JSON Web Service Servlet Filter</filter-name>
		<filter-class>com.liferay.portal.kernel.servlet.PortalClassLoaderFilter</filter-class>
		<init-param>
			<param-name>filter-class</param-name>
			<param-value>com.liferay.portal.servlet.filters.authverifier.AuthVerifierFilter</param-value>
		</init-param>
		<init-param>
			<param-name>digest_auth</param-name>
			<param-value>true</param-value>
		</init-param>
		<init-param>
			<param-name>portal_property_prefix</param-name>
			<param-value>jsonws.servlet</param-value>
		</init-param>
		<init-param>
			<param-name>auth.verifier.DigestAuthenticationAuthVerifier.urls.includes</param-name>
			<param-value>/api/jsonws/*</param-value>
		</init-param>
		<init-param>
			<param-name>auth.verifier.BasicAuthHeaderAutoLogin.urls.excludes</param-name>
			<param-value>/*</param-value>
		</init-param>
	</filter>

	<filter>
		<filter-name>Thread Local Filter</filter-name>
		<filter-class>com.liferay.portal.kernel.servlet.PortalClassLoaderFilter</filter-class>
		<init-param>
			<param-name>filter-class</param-name>
			<param-value>com.liferay.portal.servlet.filters.threadlocal.ThreadLocalFilter</param-value>
		</init-param>
	</filter>

	<filter-mapping>
		<filter-name>Thread Local Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<filter-mapping>
		<filter-name>JSON Web Service Servlet Filter</filter-name>
		<url-pattern>/api/jsonws/*</url-pattern>
	</filter-mapping>

	 <servlet>
		<servlet-name>JSON Web Service Servlet</servlet-name>
		<servlet-class>com.liferay.portal.kernel.servlet.PortalClassLoaderServlet</servlet-class>
		<init-param>
			<param-name>servlet-class</param-name>
			<param-value>com.liferay.portal.jsonwebservice.JSONWebServiceServlet</param-value>
		</init-param>
		<load-on-startup>0</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>JSON Web Service Servlet</servlet-name>
		<url-pattern>/api/jsonws/*</url-pattern>
	</servlet-mapping>
</web-app>


HTH.
Illia Izotov, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

New Member Posts: 16 Join Date: 12-9-10 Recent Posts
Thank you, sir, for your response.

I've modified my portal-ext.properties:

auth.verifier.pipeline=com.liferay.portal.security.auth.DigestAuthenticationAuthVerifier,com.liferay.portal.security.auth.ParameterAutoLogin,com.liferay.portal.security.auth.PortalSessionAuthVerifier,com.liferay.portal.security.auth.TunnelingServletAuthVerifier

#
# BasicAuthHeaderAutoLogin
#
auth.verifier.BasicAuthHeaderAutoLogin.hosts.allowed=
auth.verifier.BasicAuthHeaderAutoLogin.urls.includes=/api/*,/xmlrpc/*
auth.verifier.BasicAuthHeaderAutoLogin.urls.excludes=/api/liferay/do,/api/jsonws/*

#
# DigestAuthenticationAuthVerifier
#
auth.verifier.DigestAuthenticationAuthVerifier.hosts.allowed=
auth.verifier.DigestAuthenticationAuthVerifier.urls.includes=/api/jsonws/*


and also modified the web.xml of my portlet according to what you provided in the post before.

I entered debugging mode and saw that while setting the header "Authorization" to "Digest username=..........." the class DigestAuthenticationAuthVerifier gets called.

Now the problem is that to get the nonce token I should actually get a response from the server.
But this line of code always returns false. If in debugging mode I force it to "true", I get in response a WWW-Authenticate: Digest realm="PortalRealm", nonce="84998e122b7b684f5bbaaecd15c861dc", which is completely perfect.

For me it seems to be a config problem, as "digest_auth" is set via XML.
Tomas Polesovsky, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

Liferay Master Posts: 676 Join Date: 09-2-13 Recent Posts
Try to set also
jsonws.servlet.digest_auth=true
in the portal-ext.properties. I didn't test it, but I believe it should work.
Illia Izotov, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

New Member Posts: 16 Join Date: 12-9-10 Recent Posts
Tomas, thank you a lot! Absolutely amazing, it works even without modifying web.xml!

But I have another problem... It is the last one, I suppose :-)

So, I was able to get the "nonce" token. Now I am trying to compose the right Authorization header. I tracked the source code of Liferay up to the moment of calculation of the portal's HA1 and HA2.

Actually, HA1 is stored in the database, as it does not change over time. Also, there are three versions of HA1 depending on the login type (screenName, email or another field).

HA2 is just an MD5 of ( method + ":" + URI ), according to the DIGEST spec.

As for HA2, I have no problems calculating it, but for HA1... I can't understand how to properly calculate it for users with encrypted passwords!

Imagine that the screenName is "digital" and the password is "6789" with realm="PortalRealm"; we can easily get the MD5 hash of the string:
MD5("digital:PortalRealm:6789") = a3a0e0c8f8a728b50646ab9076b34396


If I evaluate the value of "user.getDigest('6789')" in debug mode, it is perfectly OK! But the 3 digest values already registered in the DB for this user are completely different. I suppose it is because the password is encrypted.

How could I get the right HA1 in the case where the user's password is encrypted?

Thank you all.
Tomas Polesovsky, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

Liferay Master Posts: 676 Join Date: 09-2-13 Recent Posts
Hi Illia,

I'm sorry I cannot reproduce it.

When I start portal and sign in as test@liferay.com I have in DB:
e5d86c6f3672e52795891c3597f20de0,751da756639bc033b572ba2e7849b589,78735b19a8bd0bf76ff52e7906e28a75

e5d86c6f3672e52795891c3597f20de0 ... MD5(test@liferay.com:PortalRealm:test)
751da756639bc033b572ba2e7849b589 ... MD5(test:PortalRealm:test)
78735b19a8bd0bf76ff52e7906e28a75 ... MD5(20196:PortalRealm:test)


How could I get the right HA1 in the case when the password of user is crypted ?


Portal constructs the digests from plain-text passwords, please see https://github.com/liferay/liferay-portal/blob/6.2.2-ga3/portal-impl/src/com/liferay/portal/service/impl/UserLocalServiceImpl.java#L5504-5506

The password would need to be encrypted before reaching the portal; in this case the portal doesn't know whether it's encrypted or not and takes it as the plain-text one.

I'm not sure it helps you, though. I'd recommend trying to change the password (which resets the digests) and then debugging UserLocalServiceImpl on the line above during the first login after the password change, to see what gets hashed into the digests.

HTH.
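The HA1/HA2 arithmetic discussed in the two posts above, and the reason stale database digests break it, in Python. This is an added example, not code from the thread or from Liferay: it implements the RFC 2617 Digest computation without qop (the WWW-Authenticate header quoted in the thread carries no qop directive), uses the realm "PortalRealm" and the email / screen name / user id digest order shown in Tomas's post, and assumes a made-up email address and endpoint path for the sample user. The verifier is a simplification of what a portal does (it checks every stored HA1 rather than first resolving the user by username, and reduces nonce freshness to an equality check).

```python
import hashlib
import re
import secrets

# Realm string exactly as it appears in the WWW-Authenticate header quoted in the thread.
REALM = "PortalRealm"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(login: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(login:realm:password).

    The portal stores this per user, once for each login identifier (email
    address, screen name, numeric user id), computed from the plaintext
    password at the moment the password is set through the portal."""
    return md5_hex(f"{login}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:request-uri), RFC 2617 without qop."""
    return md5_hex(f"{method.upper()}:{uri}")


def digest_response(h1: str, nonce: str, h2: str) -> str:
    """response = MD5(HA1:nonce:HA2); the RFC 2617 form with no qop/cnonce/nc."""
    return md5_hex(f"{h1}:{nonce}:{h2}")


def stored_digests(email: str, screen_name: str, user_id: int, password: str) -> str:
    """Comma-joined HA1 triple in the order shown in the thread: email, screen name, user id."""
    return ",".join(ha1(login, password) for login in (email, screen_name, str(user_id)))


def build_authorization_header(login: str, password: str, method: str, uri: str, nonce: str) -> str:
    """Client side: compose the Authorization header from the plaintext password."""
    response = digest_response(ha1(login, password), nonce, ha2(method, uri))
    return (f'Digest username="{login}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization_header(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return dict(_PARAM_RE.findall(params))


def verify(header: str, method: str, stored: str, issued_nonce: str) -> bool:
    """Server side: no plaintext password is needed here. The response is
    recomputed from each stored HA1 and compared in constant time.
    Simplification: a real verifier resolves the user from `username` first
    and checks only that user's digests."""
    params = parse_authorization_header(header)
    if params.get("realm") != REALM or params.get("nonce") != issued_nonce:
        return False
    if "uri" not in params or "response" not in params:
        return False
    h2 = ha2(method, params["uri"])
    return any(
        secrets.compare_digest(digest_response(h1, issued_nonce, h2), params["response"])
        for h1 in stored.split(",")
    )


if __name__ == "__main__":
    # Constructed sample user: screen name, password and user id echo values
    # that appear in the thread; the email address and endpoint path are made up.
    email, screen_name, user_id, password = "digital@example.com", "digital", 20196, "6789"
    stored = stored_digests(email, screen_name, user_id, password)
    nonce = secrets.token_hex(16)
    uri = "/api/jsonws/user/get-user-by-id"  # assumed endpoint path
    header = build_authorization_header(screen_name, password, "GET", uri, nonce)
    print("digests in DB  :", stored)
    print("valid login    :", verify(header, "GET", stored, nonce))
    # The failure mode from the thread: a password changed directly in the DB
    # leaves the stored digests computed from the OLD password, so a client
    # that digests the NEW password never matches until the portal re-hashes.
    stale = build_authorization_header(screen_name, "new-db-password", "GET", uri, nonce)
    print("after raw DB edit:", verify(stale, "GET", stored, nonce))
```

Because HA1 is stored rather than recomputed, the portal can only refresh the three digests when it sees the plaintext password, which is why a password edited straight in the database leaves Digest authentication failing even though Basic authentication (which checks the stored password hash) keeps working.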
Illia Izotov, modified 9 years ago.

RE: WebServices DIGEST security Liferay 6.2 EE

New Member Posts: 16 Join Date: 12-9-10 Recent Posts
Thank you a lot!

My problem is resolved. The reason was so obvious: the passwords had been modified directly in the DB for security reasons.