I think that this is an usual question, but I'm reasking it cause I didn't got a real good question.
So, I have Liferay 6.1 CE running on Tomcat 7, and I want to import the users from an LDAP server and then make an SSO with CAS.
In my Portal, I have other application integrated (here also I have a problem with the integration of Alfresco) who need to be logged in also with the credantials from LDAP, this is why I need an SSO solution, like CAS.
How can I face this issue ? is there anyone who could help me fixing all this ?
Any information can help me, I have to accomplish all this in two weeks...I hope that everything that I'm asking are feasible.
Thanks & Regards
Liferay provide all necessary infrastructure to resolve your requirement. Look for CAS and LDAP at portal.properties https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/portal.properties and configure this in your portal-ext.properties Liferay: How to configure Liferay Portal
You have two tasks here, importing users from LDAP and authenticating users with CAS. You can configure both from the Control Panel (UI) or the portal-ext.properties file. If you configure using both methods and there's a property conflict, the Control Panel settings take precedence.
Importing users from LDAP isn't difficult (I've done it in both 5.2.3 and 6.1), although importing/not importing the password can be confusing. Try tackling this task first and make sure you're able to authenticate against LDAP. I'd recommend using an authentication chain (multiple means of authentication where if one method fails, a second method will be attempted, and so on). It would be useful to configure it this way in the event of an outage with CAS so you don't have a single point of failure. Note: If you use portal-ext.properties, be sure to read this post and add properties mentioned (even if you aren't going to use them):
ldap.user.custom.mappings.1=
ldap.contact.mappings.1=
ldap.contact.custom.mappings.1=
Regarding authentication against CAS, I've been using it for a couple years on Liferay 5.2.3, and in my experience it's worked very reliably.
Related
I would like to develop a new web-app in node.js (using express). I am relatively new to node.js world, so I assume there are frameworks that I am not familiar with.
Is there any framework (like Spring for Java) that manages authentication (and save the trouble from the developer)? Or each developer has to write this code over and over again?
Login/Logout is not all. There are other flows:
registration (create account),
forgot-password (and then set new password),
locking/unlocking an account,
change password
and I think I have covered all flows.
I know that each application has its own UI, forms, maybe with its logo, but the flow itself is similar for most applications.
In addition, I know that it is not that hard to implement, but it could be great to have some kind of tool / framework / infrastructure which implements the flows.
Is there such a tool/framework which helps applications' developers and implements these flows?
I've searched this issue but could not find anything.
Thanks!
Long ago I have developed authentication-flows for Java over Spring, and recently I wrote authentication-flows-js.
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secured enough so applications can use it without the fear that it will be easily hacked.
It is for node.js applications (written in TypeScript) that use express. It is an open source (in GitHub). A release version is on npm, so you can use it as a dependency in your package.json.
In its README (and of course in the npm page) there are detailed explanations for everything and if something is missing - please let me know. An article will be published soon (I will add a link as a comment).
You can find here an example for a hosting application.
NOTE: I have heard comments like "It's not so difficult to implement". True.
But you have to make sure you take care of all cases. For example,
what happens if a user tries to create account that is already exists?
what happens if a user tries to create account that is already exists
but inactive? what about the policy of the password? (too long/too
short/how many capital etc.) what about sending the email with the
activation link to the user? how you create this link? should you
encrypt it? what about the controller that will receive the click on
the link and activate the account? and more...
I've been investigating some localization issues with our web application and even though I start to understand the problems and the way to solve them... I still have a couple of questions I failed to find a decent answer to.
It would be great of some people can point me out to appropriate documentation for me to read up and understand more the concept of ApplicationPoolIdentity.
What I understand so far:
There are 2 ways to make your web application Localization-aware based on your requirements.
1) Configure in the web.config file (Globalization) or in the IIS UI for the specific website.
This works great, except it does not pick up Globalization on IIS-level when website is Auto Detect or Invariant Culture? What's the hierarchy it's using?
2) Configure Localization for the user under which the IIS process is running.
You need to copy the Localization settings to the system accounts (as explained here)
You then need to run the apppool under one of these accounts (local, Networkservice, LocalService...)
It does not seem to work when running under ApplicationPoolIdentity
ApplicationPoolIdentity is a virtual user account, assuming that's why it's not picked up by the copy-to action in Localization.
Although, it's not working either when I say Copy-To-New-Accounts.
So what Localization is the ApplicationPoolIdentity using???
It seems the default one based on the Windows Installation, am I right here?
If anyone can correct me and answer my questions, or link to some more documentation around this. Really appreciated.
I am trying to follow http://liferaysatish.blogspot.de/2011/11/permissionchecker.html (which is basically a repost of another blog post).
I need to implement my own PermissionChecker to be able to support an SSO server (check if the user has been authenticated). However, there article mentions com.liferay.portal.security.permission.PermissionCheckerImpl, but there is no such class in whatever jars I was looking for it.
What I am trying to achive is to tie liferay's internal security to an external SSO Server (wso2). If there is another way to achieve this, I would love to try it.
I was trying with AdvancedPermissionChecker and SimplePermissionChecker, but I become endless redirects using them.
regards and thanks
Leon
I need to implement my own PermissionChecker
I don't believe so. At least you can make your life easier if you integrate your SSO just like any of the already integrated 6 (or so) SSO systems, authenticating the current user to Liferay and then leaving the actual permission check to Liferay.
SSO is typically used for making sure the user is who they are, then redirecting to the application they're providing their services to. If you want to maintain permissions externally to Liferay, you're best of to use an LDAP and group your users there. On the Liferay side, map those LDAP users/groups to Lifeary-usergroup-memberships. Provide the required permissions/memberships for those usergroups and you're set. Implementing your own permission checking (which will also be used internal to Liferay) is one of the least maintainable ideas that I've ever heard of.
I believe the latest Liferay does not have this file anymore. You should search for it in the 5.0 version. And the JAR itself is in \ROOT\WEB-INF\lib\portal-impl.jar
http://docs.liferay.com/portal/5.0/javadocs/portal-impl/com/liferay/portal/security/permission/PermissionCheckerImpl.java.html
We migrated our application to an OSGi based application. We are now running on Felix 4.2.1.
Previously we managed our security using the standard Java Security Model using a policy file. This comes down to providing security manager settings as start up parameters to our Java start up process:
-Djava.security.policy==.policy -Djava.security.manager
Previously, before the migration to OSGi, these exact same security settings were picked up by our application.
Now these security settings don't seem to be applied any more and basically we lost all our Java Security settings.
I have searched here, the internet, consulted some books and all suggest solutions similar to as described here, basically granting all permissions to OSGi and enable OSGi security.
However I could not find any confirmation this is absolutely needed to have Security enabled. For now I would like to avoid changing our security configuration too much for OSGi and reuse what we have.
So, is there a way to reuse an existing Java Security policy file in an OSGi environment? Or am I missing something trivial here?
For Felix you'll need to also add the felix security bundle.
A description of it can be found here.
With that enabled you should be safe on re-using your security policies.
We have never found any 'official' confirmation whether this was needed so in the end we decided to bite the bullet and implement OSGi security.
Since this article http://symfony.com/doc/2.0/cookbook/security/custom_provider.html has not been written yet, has anyone an idea of how to do that ? (In my case it would be using LDAP authentication).
Thanks for your answers
To help you get started you can check out my blog post which outlines how to create a very basic user provider system:
http://clintberry.com/2011/custom-user-providers-symfony2/
EDIT: This post only covers the custom User Provider. To use LDAP authentication you will need to create your own Authentication Provider as well or use a third party library. http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
This first thing I would suggest you is to do a search for a LDAP bundle on the great website KnpBundles (results here). I saw two results. If you are willing to use an external bundle, you could just use of the two given in the results.
If you prefer to create your own bundle for this task, what I would suggest is to inspire you from these two bundles. Another useful suggestion is to check the FOSFacebookBundle. It is in no mean related to LDAP but, they implements their own provider, so all the glue is there to implement your own.
Just a small notice, if you are developing against Symfony2 master branch, it is good to know that security factory registration has changed a bit. So, be carefull when looking at other bundles to be sure what version they are targeting.
Hope this helps.
Regards,
Matt