Whether liferay can use the roles/permissions that is configured outside liferay? The reason behind is that the legacy application have its own mechanism for user and role configuration.
Can any one please help me on this?
Regards
Vishal G
Liferay does integrate with LDAP, should you configure it so, so that your LDAP directory holds the users and their roles etc. You can likely add some other code to interface with another user database, but I'd start with the LDAP environment, as you don't say what kind of technology you're talking about.
If it's homegrown, I'd consider either exporting to LDAP or taking the LDAP interface as blueprint for embedding your own solution.
Related
I am looking for a simple way to create a "realm" within WAS 8.5. I am specifically looking for something similar to the APACHE realm system in which a user, upon first access to a site, is presented with a javaScript username / password dialog and, if authenticated, is allowed to use the site. In Tomcat, this is accomplished by modifying the tomcat-users.xml file, adding a username, passowrd and role. Any suggestions are appreciated.
In WebSphere it is already built in, you just need to configure repository from where you want to take users e.g internal file based, or LDAP.
Than you need to enable Application security via Global Security.
Check this page for more details Enabling security
I followed these steps to implement basic authentication. http://itcareergrowth.com/blog/2018/02/25/configuring-basic-authentication-in-web-sphere-application-server/#.WpQiSOdMGUk
I was trying to register an Application Login Module in Websphere but I don´t find any easy example in web.
There are a lot of IBM documents, but too much complex, and I can´t figure out how to register an Application Login Module.
I already have success with a System Login Module bounded to WEB_INBOUND, it works, but affects all my system. I want a Login Module to serve only my applications web, with JAAS authentication.
I´ve tried to bound a login module to existing WSLogin but it doesn´t seems to be working.
Any help ?
tks[]
You need to setup security domains to get the separation you are looking for wrt to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to setup the multidomain in a cell topology and assign the domain to the server/cluster where you applications are deployed.
Once you setup the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deploymener Management process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform direct login -
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but its about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code is the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html
I tried to do some research on this matter but couldn't really find anything. So, I was just wondering if anyone ever did something like this or if it would even make sense to do it that way:
Lets say, you have a secondary NAB for users who don't have a notes ID but need access to your web-enabled Notes / XPages applications.
Now, a non-notes web application wants to allow the same set of users access to their application.
Could this application use the Domino Web Login, so, user can log in into the non-notes web application?
How would a redirect work after a successful / failed log in attempt?
Would you use JSON / WebServices for that, or how would you implement it?
I know it is a rather general question, but I was just wondering.
Any response would be highly appreciated.
Thank you.
Daniel
If the other server can use LDAP for authentication, then you can configure Domino's LDAP task and set up Domino's Directory Assistance to expose your secondary address book to LDAP, and configure the other server to use the Domino LDAP as it's authentication source.
Note that this is not a single sign-on solution, so separate login will still be required for the non-Domino application. It does get you a single authentication source, though.
I am trying to find pros/cons of using ldap based authentication as opposed to application's internal database based authentication.
LDAP based
One situation I see is where a second application may directly authenticate against the ldap database created by the first application, using an ldap API.
Internal database based
In this case, the second application can perhaps do the authentication, if the first application has provided an interface such as a web service
The disadvantage I see that with ldap is that one more software component to manage. The disadvantage I see with the second case is that one has to write a web service to allow the authentication.
I would like to know what would be a good option, if one application may use another application's user database for authentication.
The main reason for using LDAP (or rather an implementation of LDAP) is to reuse existing directory infrastructure across an organisation. That is, many companies maintain a directory infrastructure describing their organisational units (OUs) and staff organisation within them - i.e. departments, staff, roles, etc. LDAP provides the interface to this directory service.
By managing your security through LDAP, you're in fact able to use this existing infrastructure and security/ roles information, rather than rolling your own. More significantly, this then maintains a single "id" per user, rather than an id in each system, thus enabling single-sign-on across systems. Also, LDAP supports SSL and TLS.
Rather than thinking of LDAP as having "one more software component to manage" as you said, you should think that rolling your own authentication in fact means you have one more user admin system to manage. That is, you need to build the admin tools to manage it (or do your sysadmins expect to use sqlplus or whatever?) Also, you seem to expect that other apps would use your shiny new authentication database when, they may also think "I'll roll my own".
All that said, it's not unreasonable to write your own security module but SSO is an often-asked-for requirement in large enterprises consisting of multiple systems.
I want to use authentication web services that is exposed by my legacy client. But I cannot copy those user information in to liferay database. Can any one help me to write a custom authentication service OR a hook/plugin to reuse my own implementation for authentication?
I want to use authentication web services that is exposed by my legacy client.
You need to implement Liferay's com.liferay.portal.security.auth.Authenticator class to use your own custom authenticator that would call your web services. This can be plugged into Liferay by adding the folliowing to portal-ext.properties: auth.pipeline.pre=[your classpath].
But I cannot copy those user information in to liferay database.
I believe that if you don't want to store your user data in Liferay you can also use auth.pipeline.enable.liferay.check=false in the portal-ext.properties file. Mind you, I'm trying to do the same right now and I'm not having much luck.
Good luck!
Ray
The information Ray you gave is correct, as a hint here: http://www.liferay.com/community/wiki/-/wiki/Main/Developing+a+Custom+Authentication+System is a good step by step tutorial which I do use for a similar approach.
regards
Johannes