How do I get users to authenticate by http-auth before they can access Liferay?
More specifically: how do I use http-auth instead of Liferay's sign-in page or portlets? Access to Liferay should be completely blocked unless credentials have been presented via http-auth.
I can't speak directly to how Liferay works, however, in JBoss Portal you have to manually modify the Portal's web.xml to include the appropriate authentication mechanism and desired roles.
I would assume that Liferay would probably be the same course of action since they are both Java-based web applications at their cores.
I'm not near my (liferay) computer at the moment but you can configure Liferay by placing a portal-ext.properties in the bundle directory, and there are several authentication modules available simply by specifying an alternate class.
I am looking for a simple way to create a "realm" within WAS 8.5. I am specifically looking for something similar to the Apache realm system in which a user, upon first access to a site, is presented with a username/password dialog and, if authenticated, is allowed to use the site. In Tomcat, this is accomplished by modifying the tomcat-users.xml file, adding a username, password and role. Any suggestions are appreciated.
In WebSphere it is already built in; you just need to configure the repository from which you want to take users, e.g. internal file-based, or LDAP.
Then you need to enable Application security via Global Security.
Check this page for more details: Enabling security
I followed these steps to implement basic authentication. http://itcareergrowth.com/blog/2018/02/25/configuring-basic-authentication-in-web-sphere-application-server/#.WpQiSOdMGUk
I was trying to register an Application Login Module in WebSphere but I can't find any easy example on the web.
There are a lot of IBM documents, but they are too complex, and I can't figure out how to register an Application Login Module.
I already have success with a System Login Module bound to WEB_INBOUND; it works, but it affects my whole system. I want a Login Module that serves only my web applications, with JAAS authentication.
I've tried to bind a login module to the existing WSLogin but it doesn't seem to be working.
Any help?
Thanks
You need to set up security domains to get the separation you are looking for with respect to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications, irrespective of whether it is the adminConsole or a user application. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to set up a multidomain cell topology and assign the domain to the server/cluster where your applications are deployed.
Once you set up the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster, while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application in the Deployment Manager process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform a direct login:
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
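The programmatic login above, written out as an added example (not code from the thread or from IBM): a CallbackHandler that answers the name and password callbacks the bound login modules issue, then a LoginContext against the application login configuration registered in the admin console. The configuration name "myAppLoginCfg1" and the user "alice"/"s3cret" are constructed sample values.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Arrays;

/** Hands a fixed user name and password to whichever login modules are bound to the configuration. */
final class StaticCredentialHandler implements CallbackHandler {
    private final String user;
    private final char[] password;
    StaticCredentialHandler(String user, char[] password) {
        this.user = user;
        this.password = password;
    }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);   // PasswordCallback clones the array
            } else {
                throw new UnsupportedCallbackException(cb, "unexpected callback from login module");
            }
        }
    }
}

public class AppLoginExample {
    /** Runs the application login configuration and returns the authenticated Subject. */
    public static Subject login(String configName, String user, char[] password) throws LoginException {
        CallbackHandler handler = new StaticCredentialHandler(user, password);
        LoginContext lc = new LoginContext(configName, handler);   // name as registered under Application logins
        try {
            lc.login();                     // every module bound to configName runs; LoginException on failure
            return lc.getSubject();
        } finally {
            Arrays.fill(password, '\0');    // scrub the secret once the modules have consumed it
        }
    }

    public static void main(String[] args) throws LoginException {
        Subject s = login("myAppLoginCfg1", "alice", "s3cret".toCharArray());   // constructed sample values
        System.out.println("principals: " + s.getPrincipals());
    }
}
```

The Subject (and the principals the modules added in commit()) is what the application then uses for its own authorization decisions; the web container's WEB_INBOUND login is untouched.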
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but it's about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code are the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
We are setting up a portal based on Liferay at the same time as we are moving our institution's intranet onto Tridion CMS.
Tridion is using google mini as its search tool, while Liferay is using lucene.
What we want is a single search that indexes both systems.
The big issue for us is that Liferay is using CAS for authentication and we are not sure how to get google mini authenticated into liferay.
I have the same problem. I am going to create a service-api-admin account in liferay and add an additional authentication AutoLogin via the auto.login.hooks property (in portal-ext.properties). That authenticator will use the liferay database password value to verify the service-api-admin account without going through CAS so you will be able to supply authentication with your REST calls.
You can set up LDAP for Liferay, and Google Mini can use LDAP too.
Can Liferay use roles/permissions that are configured outside Liferay? The reason behind this is that the legacy application has its own mechanism for user and role configuration.
Can anyone please help me with this?
Regards
Vishal G
Liferay does integrate with LDAP if you configure it to, so that your LDAP directory holds the users and their roles etc. You can likely add some other code to interface with another user database, but I'd start with the LDAP environment, as you don't say what kind of technology you're talking about.
If it's homegrown, I'd consider either exporting to LDAP or taking the LDAP interface as blueprint for embedding your own solution.
I want to use the authentication web services that are exposed by my legacy client. But I cannot copy that user information into the Liferay database. Can anyone help me write a custom authentication service OR a hook/plugin to reuse my own implementation for authentication?
I want to use the authentication web services that are exposed by my legacy client.
You need to implement Liferay's com.liferay.portal.security.auth.Authenticator class to use your own custom authenticator that would call your web services. This can be plugged into Liferay by adding the following to portal-ext.properties: auth.pipeline.pre=[your classpath].
But I cannot copy that user information into the Liferay database.
I believe that if you don't want to store your user data in Liferay you can also use auth.pipeline.enable.liferay.check=false in the portal-ext.properties file. Mind you, I'm trying to do the same right now and I'm not having much luck.
Good luck!
Ray
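What such an auth.pipeline.pre authenticator looks like, as an added example (not code from the thread or from Liferay): an implementation of the Liferay 6.x Authenticator interface that delegates the password check to the legacy web service and fails closed when that service is unreachable. The LegacyAuthClient interface and the defaultClient wiring are assumptions standing in for the real web-service client; the portal-ext.properties lines are the ones quoted in the answer above.

```java
import com.liferay.portal.security.auth.AuthException;
import com.liferay.portal.security.auth.Authenticator;
import java.util.Map;

/**
 * Pre-authentication hook: the password is verified by the legacy service, never by Liferay's user table.
 * Enabled in portal-ext.properties with
 *   auth.pipeline.pre=com.example.auth.LegacyWebServiceAuthenticator
 *   auth.pipeline.enable.liferay.check=false
 */
public class LegacyWebServiceAuthenticator implements Authenticator {

    /** Hypothetical client for the legacy authentication web service (not part of Liferay). */
    public interface LegacyAuthClient {
        boolean exists(String login) throws Exception;                    // account known to the legacy system?
        boolean verify(String login, String password) throws Exception;   // credentials accepted?
    }

    /** Assumption: set once at hook startup; Liferay itself instantiates this class via the no-arg constructor. */
    static volatile LegacyAuthClient defaultClient;
    private final LegacyAuthClient client;

    public LegacyWebServiceAuthenticator() { this(defaultClient); }
    LegacyWebServiceAuthenticator(LegacyAuthClient client) { this.client = client; }

    @Override
    public int authenticateByEmailAddress(long companyId, String emailAddress, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        return check(emailAddress, password);
    }

    @Override
    public int authenticateByScreenName(long companyId, String screenName, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        return check(screenName, password);
    }

    @Override
    public int authenticateByUserId(long companyId, long userId, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap) throws AuthException {
        return check(String.valueOf(userId), password);   // assumes the legacy service accepts the numeric id as a login
    }

    private int check(String login, String password) throws AuthException {
        if (client == null) throw new AuthException("legacy authentication client not configured");  // fail closed
        try {
            if (!client.exists(login)) return DNE;                          // lets Liferay report "does not exist"
            return client.verify(login, password) ? SUCCESS : FAILURE;
        } catch (Exception e) {
            throw new AuthException("legacy authentication service unavailable", e);   // outage is never a login
        }
    }
}
```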
The information Ray gave is correct; as a hint, http://www.liferay.com/community/wiki/-/wiki/Main/Developing+a+Custom+Authentication+System is a good step-by-step tutorial which I use for a similar approach.
regards
Johannes