Mathew Anderson
JSON authentication
May 23, 2013 1:48 PM
Rank: Junior Member
Posts: 29
Join Date: April 22, 2013

Hello -

Running liferay-portal-6.1.1-ce-ga2-20120731132656558.war
on Weblogic 12c
OS Redhat 6
Authentication: done at Apache (have auto.login.hooks=ApacheAuth set in portal-ext.properties)

We are trying to use some of the JSON webservices, but are getting prompted to authenticate against "PortalRealm".

When I access https://myhost/api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME
I am prompted to log into "PortalRealm". If I enter the weblogic admin username/password it logs me in and I can see the information.
Clearing out everything and accessing the URL again, I get prompted and press Cancel. I go to https://myhost/ and log in. Then I am able to go to the jsonws URL and it works.

Logging into the portal is not an option first, as we would love to do this via a webservice call or something. So using curl, I did some testing:

first without authentication:
$ curl -v https://myhost/api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME
* About to connect() to myhost port 443 (#0)
* Trying ... connected
* Connected to XXXX port 443 (#0)
* SSL Stuff here removed
> GET /api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: XXX
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Thu, 23 May 2013 20:28:36 GMT
< Server: Apache
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="MyAuth"
< Content-Length: 473
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host XXXX left intact
* Issue another request to this URL: 'https://myhost/api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME'
* Re-using existing connection! (#0) with host XXXX
* Connected to XXXX port 443 (#0)
> GET /api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: XXXX
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Thu, 23 May 2013 20:28:36 GMT
< Server: Apache
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="MyAuth"
< Content-Length: 473
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
</body></html>
* Connection #0 to host XXX left intact
* Closing connection #0

As you see, it prompted me to log into realm MyAuth - this is the realm name I have set up in apache to authenticate.
Putting a username/password in the curl call, I get:

Omitting the top of the output for brevity:
* Server auth using Basic with user 'ME'
> GET /api/secure/jsonws/user/get-user-by-screen-name/company-id/10154/screen-name/ME HTTP/1.1
> Authorization: Basic bWFuZGVyOnJodUFmYS00
> User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: XXXX
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Thu, 23 May 2013 20:28:56 GMT
< Server: Apache
< Set-Cookie: BasicAttempted=true; path=/;
< Set-Cookie: SessionID=aKhf6gnZaUY69cAZebcqWzA+9Lg=; path=/; secure; HttpOnly;
< Content-Length: 0
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="PortalRealm"
< Set-Cookie: JSESSIONID=Pl7JRp8LN09BVQxJ6GvTvT92qZjLpQfFr65B1KgbJ3NpNMlGDsd6!-850292204; path=/; HttpOnly
< X-Powered-By: Servlet/3.0 JSP/2.2
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host XXXX left intact
* Closing connection #0

It looks like it takes the basic authentication to the apache server, but then prompts for authentication from PortalRealm.


I found references to the realm in the web.xml, geronimo-web.xml and jboss-web.xml. Since I am using weblogic, the first one should be the only one that is used.
I removed the security-constraints section (and everything below it), but I am still prompted to authenticate to PortalRealm.

Ideas on how to use my custom Apache authentication for JSON calls?

Mathew Anderson
RE: JSON authentication
May 24, 2013 6:00 AM

Sorry, I forgot to add this. The weblogic log files display the following when the url is accessed (and when the PortalRealm dialog is displayed)


ERROR [ ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'][SecureFilter:112] java.lang.ArrayIndexOutOfBoundsException: 1
java.lang.ArrayIndexOutOfBoundsException: 1
at com.liferay.portal.util.PortalImpl.getBasicAuthUserId(PortalImpl.java:1036)
at com.liferay.portal.util.PortalImpl.getBasicAuthUserId(PortalImpl.java:1018)
at com.liferay.portal.util.PortalUtil.getBasicAuthUserId(PortalUtil.java:254)
at com.liferay.portal.servlet.filters.secure.SecureFilter.basicAuth(SecureFilter.java:109)
at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:288)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:165)
at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:84)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:165)
at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:83)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:165)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:219)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:74)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:75)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3288)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2091)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1512)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:255)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
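The trace above ends in SecureFilter.basicAuth parsing the Authorization header, and an ArrayIndexOutOfBoundsException: 1 is what Java throws when code indexes the second element of a split that produced only one. The Python below is an added example, not Liferay's code, of how a Basic credential parser can return "no credentials" for every malformed shape it might be handed (no header, a bare Negotiate or Basic with no token, undecodable base64, decoded text with no colon) instead of throwing, while still accepting a password that itself contains a colon, since RFC 7617 splits on the first colon only. The header values in the test are constructed for illustration; the function and class names are my own.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BasicCredentials:
    login: str
    password: str


def parse_basic_authorization(header: Optional[str]) -> Optional[BasicCredentials]:
    """Parse an HTTP Authorization header value as RFC 7617 Basic credentials.

    Returns None (never raises) for anything that is not a well-formed Basic
    credential: a missing header, another scheme such as Negotiate, a scheme
    with no token, undecodable base64, or a decoded user-pass with no colon.
    """
    if not header:
        return None
    # Split scheme from token on the first run of whitespace only. A bare
    # scheme such as "Negotiate" or "Basic" yields a single element, which
    # is the shape that makes an unchecked parts[1] blow up.
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, token = parts
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        user_pass = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id cannot contain a colon, so split on the first
    # colon only; everything after it is the password, colons included.
    login, sep, password = user_pass.partition(":")
    if not sep or not login:
        return None
    return BasicCredentials(login=login, password=password)


def basic_header(login: str, password: str) -> str:
    """Build the header value curl -u sends, e.g. 'Basic YWxpY2U6...'."""
    if ":" in login:
        raise ValueError("login may not contain ':'")
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    for value in (basic_header("alice", "s3cr:et"), "Negotiate", "Basic", "Basic !!!", None):
        print(repr(value), "->", parse_basic_authorization(value))
```

The useful diagnostic here is the inverse: if a filter in front of Liferay (Apache, or WebLogic's own Basic handling) rewrites or strips the header so that only a scheme word arrives, a parser written like the one in the trace fails with exactly this exception rather than a clean 401.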

Mathew Anderson
RE: JSON authentication
June 21, 2013 12:30 PM

Anyone have any ideas on this?

I swapped out to tomcat to test and I get the same thing.

My guess is that by setting auto.login.hooks=ApacheAuth, this is breaking the authentication when trying to go to the JSON services.

Also any custom portlets that use json get the "PortalRealm" prompt. Going to http://mysite/myPortlet/api/jsonws

Anyone else using custom authentication hooks, or letting apache do your authentication?

I was thinking of using another central authentication provider that my company is looking at, but it would require an authentication hook as well and I think I'll run into the same problem.

Advice?

Salman Jan
RE: JSON authentication
July 31, 2013 9:54 AM
Rank: New Member
Posts: 4
Join Date: August 17, 2011

For this security issue, you need to do the following:

Fix Basic Authentication issue on WebLogic

HTTP Basic Authentication on WebLogic starting from version 9.2 (previous versions were not tested) does not work correctly. The problem is that if there is some request to your application with "Authorization" header the request will be intercepted by WebLogic itself and will not be passed to your application. WebLogic will try to make authentication itself.

Such a problem can occur in your application if you are using HTTP Basic Authentication with the portal's SecureFilter.

Add the following line in Oracle/Middleware/user_projects/domains/<domain_name>/config/config.xml, inside of <security-configuration> section.

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>


This fixes the BasicAuth issue so that Liferay does not delegate BasicAuth to WebLogic.
The same is also suggested under http://www.liferay.com/community/wiki/-/wiki/Main/Weblogic+tips


However, I am still having the issue of not being able to view the custom JSON web service catalog. Did anyone get the catalog for custom JSON ws issue resolved for WebLogic?
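As an added example (not from the Liferay wiki or Oracle), the following Python checks a WebLogic domain config.xml for the setting the post above describes and reports whether Basic credential enforcement is still on. It assumes the layout the post names: the element lives directly under <security-configuration>, itself directly under the <domain> root, which WebLogic writes in the http://xmlns.oracle.com/weblogic/domain namespace. SAMPLE_CONFIG is a constructed fragment, not a real domain file; WebLogic's documented default when the element is absent is true, which is the behaviour that intercepts the Authorization header.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SETTING = "enforce-valid-basic-auth-credentials"

# Constructed, minimal config.xml for illustration. A real domain file has
# many more elements; only the root and security-configuration matter here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>liferay_domain</name>
  <security-configuration>
    <name>liferay_domain</name>
    <realm>
      <name>myrealm</name>
    </realm>
    <default-realm>myrealm</default-realm>
  </security-configuration>
</domain>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child(parent: ET.Element, name: str) -> Optional[ET.Element]:
    """First direct child whose local name matches, ignoring namespace."""
    for el in parent:
        if _local(el.tag) == name:
            return el
    return None


def basic_auth_enforcement(config_xml: str) -> Optional[bool]:
    """Return the configured value of enforce-valid-basic-auth-credentials.

    None means the element is absent, which WebLogic treats as true: the
    container validates Authorization: Basic headers against its own realm
    before the web application sees them.
    """
    root = ET.fromstring(config_xml)
    sec = _child(root, "security-configuration")
    if sec is None:
        return None
    el = _child(sec, SETTING)
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def disable_basic_auth_enforcement(config_xml: str) -> str:
    """Return config_xml with the setting forced to false, adding the
    element (and security-configuration, if missing) in the root's namespace."""
    root = ET.fromstring(config_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    if ns:
        # Keep the default namespace unprefixed on output.
        ET.register_namespace("", ns)
    qualify = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)
    sec = _child(root, "security-configuration")
    if sec is None:
        sec = ET.SubElement(root, qualify("security-configuration"))
    el = _child(sec, SETTING)
    if el is None:
        el = ET.SubElement(sec, qualify(SETTING))
    el.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", basic_auth_enforcement(SAMPLE_CONFIG))
    fixed = disable_basic_auth_enforcement(SAMPLE_CONFIG)
    print("after: ", basic_auth_enforcement(fixed))
```

Use the checker against a live domain's config.xml; for the change itself prefer the Administration Console or WLST on a stopped domain, since re-serialising the file this way drops comments and the XML declaration. A domain that reports None or True here still has the container answering Basic challenges itself, so Liferay's SecureFilter never gets to parse the header the way the preceding posts expect.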

Mathew Anderson
RE: JSON authentication
August 2, 2013 1:37 PM

Salman Jan - Thanks for responding.

I do have <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> set in my config.xml file already.