Implement JACC provider - security

I need to support authentication and authorization from different systems.
I'm using JBoss AS 7. Regarding authorization, I have very detailed permission rules for the current system. As I realized, I have to write my own PolicyConfiguration in order to do that.
Where can I find an example for a custom JACC provider implementation?

Although it's too late, but for reference.
I highly recommend: http://arjan-tijms.blogspot.com/2014/03/implementing-container-authorization-in.html
But note, I haven't tried it yet (will do soon)

Related

What jar contains com.liferay.portal.security.permission.PermissionCheckerImpl in Liferay 6.1.2?

I am trying to follow http://liferaysatish.blogspot.de/2011/11/permissionchecker.html (which is basically a repost of another blog post).
I need to implement my own PermissionChecker to be able to support an SSO server (check if the user has been authenticated). However, the article mentions com.liferay.portal.security.permission.PermissionCheckerImpl, but there is no such class in any of the jars I looked in.
What I am trying to achieve is to tie Liferay's internal security to an external SSO server (wso2). If there is another way to achieve this, I would love to try it.
I was trying with AdvancedPermissionChecker and SimplePermissionChecker, but I get endless redirects using them.
regards and thanks
Leon
"I need to implement my own PermissionChecker"
I don't believe so. At least you can make your life easier if you integrate your SSO just like any of the already integrated 6 (or so) SSO systems, authenticating the current user to Liferay and then leaving the actual permission check to Liferay.
SSO is typically used for making sure the user is who they are, then redirecting to the application they're providing their services to. If you want to maintain permissions externally to Liferay, you're best off using an LDAP and grouping your users there. On the Liferay side, map those LDAP users/groups to Liferay usergroup memberships. Provide the required permissions/memberships for those usergroups and you're set. Implementing your own permission checking (which will also be used internal to Liferay) is one of the least maintainable ideas that I've ever heard of.
I believe the latest Liferay does not have this file anymore. You should search for it in the 5.0 version. And the JAR itself is in \ROOT\WEB-INF\lib\portal-impl.jar
http://docs.liferay.com/portal/5.0/javadocs/portal-impl/com/liferay/portal/security/permission/PermissionCheckerImpl.java.html

Reuse of Java Security settings (policy file) in OSGi

We migrated our application to an OSGi based application. We are now running on Felix 4.2.1.
Previously we managed our security using the standard Java Security Model using a policy file. This comes down to providing security manager settings as start up parameters to our Java start up process:
-Djava.security.policy==.policy -Djava.security.manager
Previously, before the migration to OSGi, these exact same security settings were picked up by our application.
Now these security settings don't seem to be applied any more and basically we lost all our Java Security settings.
I have searched here, the internet, consulted some books and all suggest solutions similar to as described here, basically granting all permissions to OSGi and enable OSGi security.
However I could not find any confirmation this is absolutely needed to have Security enabled. For now I would like to avoid changing our security configuration too much for OSGi and reuse what we have.
So, is there a way to reuse an existing Java Security policy file in an OSGi environment? Or am I missing something trivial here?
For Felix you'll need to also add the felix security bundle.
A description of it can be found here.
With that enabled you should be safe on re-using your security policies.
We have never found any 'official' confirmation whether this was needed so in the end we decided to bite the bullet and implement OSGi security.

CASifying Liferay

I think that this is a usual question, but I'm re-asking it because I didn't get a really good question.
So, I have Liferay 6.1 CE running on Tomcat 7, and I want to import the users from an LDAP server and then make an SSO with CAS.
In my portal, I have other applications integrated (here I also have a problem with the integration of Alfresco) which also need to be logged in with the credentials from LDAP; this is why I need an SSO solution, like CAS.
How can I face this issue? Is there anyone who could help me fix all this?
Any information can help me, I have to accomplish all this in two weeks... I hope that everything that I'm asking is feasible.
Thanks & Regards
Liferay provides all the necessary infrastructure to resolve your requirement. Look for CAS and LDAP in portal.properties (https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties) and configure this in your portal-ext.properties (Liferay: How to configure Liferay Portal).
You have two tasks here, importing users from LDAP and authenticating users with CAS. You can configure both from the Control Panel (UI) or the portal-ext.properties file. If you configure using both methods and there's a property conflict, the Control Panel settings take precedence.
Importing users from LDAP isn't difficult (I've done it in both 5.2.3 and 6.1), although importing/not importing the password can be confusing. Try tackling this task first and make sure you're able to authenticate against LDAP. I'd recommend using an authentication chain (multiple means of authentication where if one method fails, a second method will be attempted, and so on). It would be useful to configure it this way in the event of an outage with CAS so you don't have a single point of failure. Note: If you use portal-ext.properties, be sure to read this post and add properties mentioned (even if you aren't going to use them):
ldap.user.custom.mappings.1=
ldap.contact.mappings.1=
ldap.contact.custom.mappings.1=
Regarding authentication against CAS, I've been using it for a couple years on Liferay 5.2.3, and in my experience it's worked very reliably.

Symfony 2 : Custom user provider

Since this article http://symfony.com/doc/2.0/cookbook/security/custom_provider.html has not been written yet, does anyone have an idea of how to do that? (In my case it would be using LDAP authentication.)
Thanks for your answers
To help you get started you can check out my blog post which outlines how to create a very basic user provider system:
http://clintberry.com/2011/custom-user-providers-symfony2/
EDIT: This post only covers the custom User Provider. To use LDAP authentication you will need to create your own Authentication Provider as well or use a third party library. http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
The first thing I would suggest is to search for an LDAP bundle on the great website KnpBundles (results here). I saw two results. If you are willing to use an external bundle, you could just use one of the two given in the results.
If you prefer to create your own bundle for this task, what I would suggest is to take inspiration from these two bundles. Another useful suggestion is to check the FOSFacebookBundle. It is by no means related to LDAP, but they implement their own provider, so all the glue is there to implement your own.
Just a small notice: if you are developing against the Symfony2 master branch, it is good to know that security factory registration has changed a bit. So, be careful when looking at other bundles to be sure what version they are targeting.
Hope this helps.
Regards,
Matt

Security Plugin from Grails?

I'm trying to find a simple security plugin for Grails.
First of all, I want to ask you: what plugin can you recommend?
I don't need a super powerful plugin. It must be simple and for a small application.
Thanks.
I recommend Spring Security. It is easy to configure, and very flexible. It can handle everything from simple login, to annotated access controls on methods, to various complicated login schemes.
It does have a fairly complicated API, but there is plenty of documentation, and you can be sure others are using it.
If you just want simple login, it is really easy to set up.
More info here.
Per #robbbert's suggestion, here is an alternative: the Shiro plugin. I cannot speak to its reliability/community/expandability.
We use Apache Shiro which is very simple to use and set up. It works by convention and supports both authentication and authorization.
