We migrated our application to an OSGi based application. We are now running on Felix 4.2.1.
Previously we managed our security using the standard Java Security Model using a policy file. This comes down to providing security manager settings as start up parameters to our Java start up process:
-Djava.security.policy==.policy -Djava.security.manager
Previously, before the migration to OSGi, these exact same security settings were picked up by our application.
Now these security settings don't seem to be applied any more and basically we lost all our Java Security settings.
I have searched here, the internet, consulted some books and all suggest solutions similar to as described here, basically granting all permissions to OSGi and enable OSGi security.
However I could not find any confirmation this is absolutely needed to have Security enabled. For now I would like to avoid changing our security configuration too much for OSGi and reuse what we have.
So, is there a way to reuse an existing Java Security policy file in an OSGi environment? Or am I missing something trivial here?
For Felix you'll need to also add the felix security bundle.
A description of it can be found here.
With that enabled you should be safe on re-using your security policies.
We have never found any 'official' confirmation whether this was needed so in the end we decided to bite the bullet and implement OSGi security.
Related
I am trying to follow http://liferaysatish.blogspot.de/2011/11/permissionchecker.html (which is basically a repost of another blog post).
I need to implement my own PermissionChecker to be able to support an SSO server (check if the user has been authenticated). However, there article mentions com.liferay.portal.security.permission.PermissionCheckerImpl, but there is no such class in whatever jars I was looking for it.
What I am trying to achive is to tie liferay's internal security to an external SSO Server (wso2). If there is another way to achieve this, I would love to try it.
I was trying with AdvancedPermissionChecker and SimplePermissionChecker, but I become endless redirects using them.
regards and thanks
Leon
I need to implement my own PermissionChecker
I don't believe so. At least you can make your life easier if you integrate your SSO just like any of the already integrated 6 (or so) SSO systems, authenticating the current user to Liferay and then leaving the actual permission check to Liferay.
SSO is typically used for making sure the user is who they are, then redirecting to the application they're providing their services to. If you want to maintain permissions externally to Liferay, you're best of to use an LDAP and group your users there. On the Liferay side, map those LDAP users/groups to Lifeary-usergroup-memberships. Provide the required permissions/memberships for those usergroups and you're set. Implementing your own permission checking (which will also be used internal to Liferay) is one of the least maintainable ideas that I've ever heard of.
I believe the latest Liferay does not have this file anymore. You should search for it in the 5.0 version. And the JAR itself is in \ROOT\WEB-INF\lib\portal-impl.jar
http://docs.liferay.com/portal/5.0/javadocs/portal-impl/com/liferay/portal/security/permission/PermissionCheckerImpl.java.html
I am working on a web app which uses JSF. I would like to know that What are best practices and available tools for performing a load test on it.
Application is hosted on glassfish server 3.1.2.2
Depends somewhat on the site you want to test. At work we have a complex RIA, and to test it we have to reproduce user interaction. We use jMeter for this.
It's kind of messy to set up (look at the guides they have) but once this is done it's very flexible and allows you to configure and tweak many things. I particularly like its "proxy" feature where you can proxy your app through jMeter and it records everything so you can play it back later on. Note that for JSF you have to do some tricks with the ViewStateId, so google a "jmeter JSF" guide for how to set this up.
In a previous project I have used RadView WebLOAD to test a JSF site, it enable recording the user scenario and handles correlating the dynamic values.
I need to support authentication and authorization from different systems.
Im using Jboss AS 7. Regarding authorization I have very detailed permission rules for the current system. As I realized I have to write my own PolicyConfiguration in order to do that.
Where can I find an example for a custom JACC provider implementation?
Although it's too late ,but for reference.
I highly recommend: http://arjan-tijms.blogspot.com/2014/03/implementing-container-authorization-in.html
But note, I haven't tried it yet (will do soon)
I think that this is an usual question, but I'm reasking it cause I didn't got a real good question.
So, I have Liferay 6.1 CE running on Tomcat 7, and I want to import the users from an LDAP server and then make an SSO with CAS.
In my Portal, I have other application integrated (here also I have a problem with the integration of Alfresco) who need to be logged in also with the credantials from LDAP, this is why I need an SSO solution, like CAS.
How can I face this issue ? is there anyone who could help me fixing all this ?
Any information can help me, I have to accomplish all this in two weeks...I hope that everything that I'm asking are feasible.
Thanks & Regards
Liferay provide all necessary infrastructure to resolve your requirement. Look for CAS and LDAP at portal.properties https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties and configure this in your portal-ext.properties Liferay: How to configure Liferay Portal
You have two tasks here, importing users from LDAP and authenticating users with CAS. You can configure both from the Control Panel (UI) or the portal-ext.properties file. If you configure using both methods and there's a property conflict, the Control Panel settings take precedence.
Importing users from LDAP isn't difficult (I've done it in both 5.2.3 and 6.1), although importing/not importing the password can be confusing. Try tackling this task first and make sure you're able to authenticate against LDAP. I'd recommend using an authentication chain (multiple means of authentication where if one method fails, a second method will be attempted, and so on). It would be useful to configure it this way in the event of an outage with CAS so you don't have a single point of failure. Note: If you use portal-ext.properties, be sure to read this post and add properties mentioned (even if you aren't going to use them):
ldap.user.custom.mappings.1=
ldap.contact.mappings.1=
ldap.contact.custom.mappings.1=
Regarding authentication against CAS, I've been using it for a couple years on Liferay 5.2.3, and in my experience it's worked very reliably.
When I create an Azure ASP.NET application, by default .NET trust level is Full trust. I always change it to Windows Azure partial trust which is similar to ASP.NET's medium trust level.
You can do it either by using GUI when you select Properties on the Role or by setting enableNativeCodeExecution to false in the definition file (.csdef) just like below:
<WebRole name="ServiceRuntimeWebsite" enableNativeCodeExecution="false">
As a security conscious developer I want by default to run my application in partial trust mode that provides a higher level of security. If I need to use something like Reflection or P/Invoke, as a developer I want to make the decision to lower that trust level by myself.
I'm sure there's a reason why Microsoft decided to use Full trust as a default .NET trust level, I just fail to see it. If you know the reason, or you think you know it, please let me know.
Full trust is not only required for P/Invoke for .NET reflection as well. As a bottom line result, nearly all moderately sized apps need full trust because nearly all widespread libraries need it too (NHibernate for example). Actually, I have been asking from the exact opposite question on the Azure forums too.
The issue of full or partial trust pertains to the environment in which your application runs. The more control and/or "ownership" of the environment and assemblies you have, the more acceptable it is to have full-trust settings.
For example, if you create an Azure web site (July 2012 capability) and, mimicking wordpress or Umbraco, your web site allows arbitrary assembly plugins to be downloaded and installed, then it is important to have a partially-trusted environment. It is possible that one of the plugins downloaded and executed, which you don't control or own, contains malware. Not only does this impact the security and stability of your web site, but some may argue it impacts other (multi-tenant) hosted web-sites which have no relation to yours.
Certainly your web site will rely on 3rd party libraries, such as Log4Net or StructureMap, but those are extremely well-known and vetted libraries that are not in question regarding their security impact. Ergo, if you are running an Azure web-role (a much less "multi-tenant" type affair) and you are merely running such "trusted" 3rd party apps, then there really is not an issue with running as full-trust.
Yes, unfortunately it is still very hard (if not impossible) to write large .NET apps that run in partial trust.
We need much better technology and tools (like CAS.NET)
Because Medium Trust is now officially obsolete. If you start a new web project in Visual Studio, it already requires Full Trust (and doesn't work partial trust). Microsoft says: Do not depend on Medium Trust, instead, use Full Trust, and isolate untrusted applications in separate application pools.
Sources:
Stackoverflow answer: Quoted response ASP.NET team
Microsoft: ASP.NET Partial Trust does not guarantee application isolation
Microsoft: ASP.NET web development best practices