Antoni Alatalo
tunnel-web, authentication: howto?
November 26, 2007 12:08 AM

Hi,
I can't find the configuration for calling remote operations through Web Services or HTTP. I can call procedures but I always get a "This request requires HTTP authentication" response.

I currently use Liferay 4.3.3 in JBoss 4.2. The portal application authentication is configured to use CAS and LDAP.
But there is just basic authentication in the tunnel-web application. So I think that my problem is somewhere in the configuration - not in the code.

I tried the following client steps:

This is the WS client:

    private static final String ADDRESS1 = "http://localhost:8008/tunnel-web/axis/Portal_UserService";

    public static void main(String[] args){
        UserServiceSoapServiceLocator locator = new UserServiceSoapServiceLocator();
        Portal_UserServiceSoapBindingStub stub = null;
        try {
            locator.setEndpointAddress("Portal_UserService",
                    ADDRESS1);
            stub = (Portal_UserServiceSoapBindingStub)locator.getPortal_UserService();//_getURL("10201", "Portal_UserService"));
            stub.setUsername("user");
            stub.setPassword("password");
            stub.getUserById(10201);
        } catch (ServiceException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (RemoteException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }

    private static URL _getURL(String remoteUser, String serviceName) throws Exception {
        String password = "password";
        String url = "http://" + "user1" + ":" + password + "@localhost:8008/tunnel-web/secure/axis/" + serviceName;

        return new URL(url);
    }


This is the HTTP client:

    import java.io.IOException;
    import java.net.HttpURLConnection;

    import org.apache.commons.codec.binary.Base64;
    import org.springframework.remoting.httpinvoker.SimpleHttpInvokerRequestExecutor;

    public class HttpInvocer extends SimpleHttpInvokerRequestExecutor {

        public HttpInvocer() {
            super();
        }

        public long getUserId() {
            return _userId;
        }

        public void setUserId(long userId) {
            _userId = userId;
        }

        public String getPassword() {
            return _password;
        }

        public void setPassword(String password) {
            _password = password;//PwdEncryptor.encrypt(password);
        }

        /**
         * Called every time a HTTP invocation is made. This implementation allows
         * the parent to setup the connection, and then adds an
         * <code>Authorization</code> HTTP header property for BASIC
         * authentication.
         */
        protected void prepareConnection(HttpURLConnection con, int contentLength)
                throws IOException {

            super.prepareConnection(con, contentLength);

            if (getUserId() > 0) {

                String base64 = getUserId() + ":" + getPassword();

                con.setRequestProperty("Authorization", "Basic "
                        + new String(Base64.encodeBase64(base64.getBytes())));
            }
        }

        private long _userId;

        private String _password;

    }

Plus the test class method:

    public void testAddUser() {
        try {
            com.liferay.portal.model.User user = adapter.getUserService().getUserById(10201);
            System.out.print("User:" + user.getLogin());
        } catch (SystemException e) {
            e.printStackTrace();
            fail(e.getMessage());
        } catch (PortalException e) {
            e.printStackTrace();
            fail(e.getMessage());
        } catch (RemoteException e) {
            e.printStackTrace();
            fail(e.getMessage());
        }
    }


Plus I tried two other ways to invoke operations. Nothing helps.

Can anybody tell me what I should do to get this to work?

Regards
Antoni
Antoni Alatalo
RE: tunnel-web, authentication: howto?
November 27, 2007 11:12 PM

Hi,
I figured out that the problem really is in the configuration.

By default there is a <realm-name>PortalRealm</realm-name> definition in the web.xml and also
<security-domain>java:/jaas/PortalRealm</security-domain> in the jboss-web.xml files of the tunnel-web and ROOT (Liferay) applications.

Because I use CAS for authentication with LDAP behind it, there were no problems with JBoss and Liferay.
But tunnel-web is not configured to use CAS, and there is no need to do this, so the problems start there.

So, I need to use something like com.liferay.portal.security.jaas.ext.jboss.PortalLoginModule to configure the login-config.xml application-policy. Without portal-impl.jar in the classpath the module does not work. It gets an error "unable to find LoginModule class". If I put portal-impl.jar under default/lib, then Liferay hangs: Could not create deployment: 06:52:49,875 ERROR Could not create deployment: java.lang.NoClassDefFoundError: org/apache/struts/action/ActionServlet

So what I did is a very dirty solution:
I made a new application-policy named MyRealm based on the JBoss DatabaseServerLoginModule (this is because of the userid, which should be a long, not a String as in the JBoss module). I configured web.xml and jboss-web.xml to use MyRealm. And all my solutions started working.

I found that I'm not alone with this problem. Is there some good solution to resolve this issue?

Thank you
Antoni
xavier yuste
RE: tunnel-web, authentication: howto?
November 28, 2007 9:36 AM

Could you please post your Realm definition here?

We have the same problem accessing
http://userid:pass@host:port/tunnel-web/secure/axis/Portal_UserServic?wsdl

We could use
http://userid:pass@host:port/tunnel-web/axis/Portal_UserServic?wsdl without security and Liferay responds with the XML, but for the secure version, tested from a browser, the Web Service asks for a username and password. When we provide the userID and encrypted password the authentication fails (with no error in the log or any other place) and after three times we receive the error HTTP Error 401 - Unauthorized

We have tried several combinations of username, screenname, clear password and encrypted password, but none of them work.
Antoni Alatalo
RE: tunnel-web, authentication: howto?
November 28, 2007 10:07 PM

Hi,
This is what I did.

First of all I renamed the realm to MyRealm.
tunnel-web.war\WEB-INF\jboss-web.xml

    <security-domain>java:/jaas/MyRealm</security-domain>

tunnel-web.war\WEB-INF\web.xml

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>


Next I made a new class that extends org.jboss.security.auth.spi.DatabaseServerLoginModule.

In this new class I rewrote the getUsersPassword() and getRoleSets() methods.
In these methods the only thing that needs to be changed is

    ps.setString(1, userName)

This call is rewritten to

    ps.setLong(1, Long.parseLong(username));

This is because the id of the user is of type long.

The class is packed into a jar and placed in the server/default/lib folder.

The next thing is the realm configuration in JBoss's login-config.xml:

    <application-policy name="MyRealm">
        <authentication>
            <login-module code="com.xxx.jboss.LiferayDatabaseServerLoginModule"
                          flag="required">
                <module-option name="dsJndiName">java:/jdbc/LiferayPool</module-option>
                <module-option name="principalsQuery">
                    select password_ from user_ where userid=?
                </module-option>
                <module-option name="rolesQuery">
                    select name, 'Roles' from role_ inner join users_roles on role_.roleid=users_roles.roleid where users_roles.userid = ?
                </module-option>
            </login-module>
        </authentication>
    </application-policy>

The last thing is the client. This is a very simple example to get it to work:

    public static void main(String[] args){
        UserServiceSoapServiceLocator locator = new UserServiceSoapServiceLocator();
        Portal_UserServiceSoapBindingStub stub = null;
        try {
            stub = (Portal_UserServiceSoapBindingStub)locator.getPortal_UserService(_getURL("3", "Portal_UserService"));
            stub.getUserById(10201);
        } catch (ServiceException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (RemoteException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }

    private static URL _getURL(String remoteUser, String serviceName) throws Exception {
        String password = "password";
        String url = "http://" + remoteUser + ":" + password + "@localhost:8080/tunnel-web/secure/axis/" + serviceName;

        return new URL(url);
    }

That's it. Ugly, but works. Ugly because the realm is rewritten.

The proper way is to use the already defined PortalRealm. Then there is the following definition in login-config.xml:

    <!--Does not work because of class loader problems!!!-->
    <application-policy name="PortalRealm">
        <authentication>
            <login-module code="com.liferay.portal.security.jaas.ext.jboss.PortalLoginModule"
                          flag="required">
            </login-module>
        </authentication>
    </application-policy>

But as I mentioned in previous mails this configuration doesn't work because of class loading problems. If somebody knows how the class loader should be configured or how jar files can be replaced, then please let me know.

Regards
Antoni
Maxim Karavaev
RE: tunnel-web, authentication: howto?
December 1, 2007 6:38 AM

Hi,
Using com.liferay.portal.security.jaas.ext.jboss.PortalLoginModule is not a good idea in any case, because this module does not load a portal user's roles. Any user will have only the role 'users', mentioned in the web.xml of the Liferay portal application!

I want to offer another solution:

At first - we must turn off the Liferay JAAS configuration (portal-ext.properties file):

    portal.configuration=false
    portal.jaas.enable=true
    portal.impersonation.enable=false


Configure the JBoss login modules that will be used by the portal itself and any other interested applications (here, I think that extending the default JBoss DatabaseServerLoginModule is not so necessary; we can use DB functions to cast the parameter to long, if it's really needed. For example, in Postgres this is not needed, there is an implicit cast from string to long):

    <application-policy name = "PortalRealm">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:/LiferayPool</module-option>
          <module-option name="principalsQuery">select password_ from user_ where userid=?</module-option>
          <module-option name="rolesQuery">select name, 'Roles' from role_ inner join users_roles on role_.roleid=users_roles.roleid where users_roles.userid = ?</module-option>
          <module-option name="unauthenticatedIdentity">10096</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
          <module-option name="rolesProperties">props/roleMapping.properties</module-option>
          <module-option name="replaceRole">false</module-option>
        </login-module>
      </authentication>
    </application-policy>

10096 is the id of the "default portal user" in my configuration; you can find it in your DB table user_.

RoleMappingLoginModule is needed here to add the "dummy" role "users" to all users. Put a file named roleMapping.properties into <JBOSS_SERVER_DIR>/conf/props that contains:

    Guest=users
    User=users
    Administrator=users
    Power\u0020User=user

We can also use this mapping to map portal roles to external app roles.
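
An added example, not part of any post in this thread and not Liferay or JBoss code: a Python check of which portal roles satisfy a servlet auth-constraint once a role mapping like the one posted above is applied, which is what separates a 401 from a 403 on the secure path. The web.xml fragment is constructed, the .properties reader is simplified, and the add-or-replace handling follows the replaceRole option shown in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed descriptor fragment: the secure path requires the "users" role.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# roleMapping.properties with the entries posted in the thread.
ROLE_MAPPING = r"""Guest=users
User=users
Administrator=users
Power\u0020User=user
"""

def required_roles(web_xml):
    """Role names demanded by the <auth-constraint> elements."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall(".//auth-constraint/role-name")}

def parse_mapping(text):
    """Simplified .properties reader: key=value lines, \\uXXXX decoded in keys."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\\u([0-9a-fA-F]{4})",
                     lambda m: chr(int(m.group(1), 16)), key.strip())
        mapping[key] = {v.strip() for v in value.split(",") if v.strip()}
    return mapping

def effective_roles(db_roles, mapping, replace_role=False):
    """Roles after mapping: mapped roles are added to each role from
    rolesQuery, or substituted for it when replace_role is true."""
    result = set()
    for role in db_roles:
        mapped = mapping.get(role, set())
        if not mapped or not replace_role:
            result.add(role)
        result |= mapped
    return result

def audit(web_xml, mapping_text, portal_roles):
    """Per portal role: 200 if the constraint is met after a successful
    BASIC login, 403 if the login succeeds but no required role is held."""
    needed = required_roles(web_xml)
    mapping = parse_mapping(mapping_text)
    return {role: 200 if effective_roles({role}, mapping) & needed else 403
            for role in portal_roles}

if __name__ == "__main__":
    for role, status in audit(WEB_XML, ROLE_MAPPING,
                              ["Guest", "User", "Power User", "Administrator"]).items():
        print(f"{role:15} -> {status}")
```

With the posted mapping, Guest is admitted to the constrained path and Power User is refused, because its entry maps to user rather than users.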
Antoni Alatalo
RE: tunnel-web, authentication: howto?
December 2, 2007 10:49 PM

Hi,
Using the same authentication policy in all applications is useful. And your example is pretty good. Please see my previous post about DatabaseServerLoginModule, which must be overridden because the user's id is of type long. The roles policy must also be overridden for the same reason. I'm using Oracle and SQL Server in my applications and casting string to long externally is not a good idea.

I don't believe we need something like what you use in RoleMappingLoginModule. We get the roles from the role query and we are using them as they are.

Also, default user mapping is not such a good idea if you want to know exactly who can use some actions.

For example, only registered users can use some actions; by using the default user it doesn't work.
In my case I want to use tunnel-web functions like addUser etc. by calling remote operations. In this case only administrators can do it, so I just rewrote web.xml and put <role-name>Administrator</role-name> there instead of users.

Also I found that there is an LEP about the PortalUtil class getUser method. There is a bug and it will be fixed in the next version, 4.3.5. After that not only Web Services but also HTTP services can be used.
Alexander Chow
RE: tunnel-web, authentication: howto?
December 11, 2007 12:45 AM

I was investigating this problem and it looks like what was happening was the com.liferay.portal.security.jaas.PortalLoginModule, specified by com.liferay.portal.security.jaas.PortalConfiguration, could not be found by JBoss. This can be fixed by loading the com.liferay.portal.kernel.security.jaas.PortalLoginModule in PortalConfiguration. Since this class is available in the kernel and properly loads the other class, this fixes the problem. See the details in http://support.liferay.com/browse/LEP-4495
C.S. L
RE: tunnel-web, authentication: howto?
January 14, 2008 7:10 PM

Hi Alexander,

I'm currently using 4.3.5 on tomcat 6.0/mysql and there seems to be no issue in loading com.liferay.portal.kernel.security.jaas.PortalLoginModule as specified in the jaas.policy file.
However, when we try to access the secure/axis/ path we get error code 403.

We have followed as closely to the 4.3 document as we can but still get the error 403.
Does tunnel-web work out of the box?
Do we really need to provide customised PortalLoginModule to test out the web-services?

Thanks!

/CS
Alex Wallace
RE: tunnel-web, authentication: howto?
January 15, 2008 7:24 AM

I've only used tunnel-web in 4.3.1, but it does indeed work out of the box in that version...

Are you using the numeric userId to authenticate?

If you try going to the secured URL in a browser, are you asked for credentials? If so, then try the numeric user Id (userId from Users_ table) and the unencrypted password...

hope this helps...
C.S. L
RE: tunnel-web, authentication: howto?
January 16, 2008 5:54 PM

Hi,

For 4.3.5, we are using numeric user ID and encrypted password.

After tracing the code, we realised that the authentication is OK but the authorisation is not.
For some reason, the program could not access the "users" role defined in the web.xml.
We have to disable the security constraint check by changing that to allow any role.

That works fine for us now but seems to be a bug for 4.3.5 + tomcat 6.0.

/CS
Lari Tuominen
RE: tunnel-web, authentication: howto?
May 26, 2008 4:59 AM

Has anyone managed to do tunnel-web authentication on Liferay 5.0.1 bundled with JBoss 4.2 + tomcat 55?
I'm trying but constantly getting HTTP 401.

Thanks in advance!
Fuad Efendi
RE: tunnel-web, authentication: howto?
June 23, 2008 7:23 AM

Looks like several bugs in config files; at least, security constraints are missing in the web.xml of tunnel-web.
I had 401 (Not-Authenticated), and now I constantly have 403 (Not Authorized).
Try to compare with old possibly working versions of Liferay (4.3.x)...
Lari Tuominen
RE: tunnel-web, authentication: howto?
June 23, 2008 8:09 AM

Yes, that's what I noticed as well. I've read several posts related to 403, not sure if they are related to the same thing? Can you share your solution if you're able to overcome the problems related to 403?

Thanks in advance - Lari
Giuseppe Fiameni
RE: tunnel-web, authentication: howto?
November 14, 2008 2:56 AM

Did anyone manage to authenticate users through X.509 certificates (client-cert)?
I need to perform some actions in that way and I was just looking for some hints to start from.

Sincerely,
Giuseppe
Sebastián Gurin
RE: tunnel-web, authentication: howto?
February 4, 2009 5:13 AM

Well, I don't know if it will help, but I'm using Liferay 4.4.1 with Tomcat 5.5, and when invoking remote WS operations (both JSON and SOAP) I need to copy util-java.jar (included in the Liferay 4.4.1 dependencies) into Tomcat's common/lib/ext. If I do not include it, WS invocations always return HTTP error 403. So perhaps you need to do the analogous thing in JBoss. Good luck
Ashraf ahmadi
RE: tunnel-web, authentication: howto?
July 21, 2012 3:09 AM

Hi everybody,
I inserted a flash or movie tag in journal content, but when I was loading this page a pop-up window message appeared:
Network authentication
username and password were acquired for http://localhost:8080 portalrealm. It showed in IE and Firefox. Please help and tell me what I should do step by step,
thanks
Hitoshi Ozawa
RE: tunnel-web, authentication: howto?
July 21, 2012 8:40 AM

First, STOP SPAMMING THE FORUM WITH THE SAME QUESTION!!!!

please help and tell me what should I do step by step,


This is a very old thread and your question is totally unrelated to the topic of the thread.

Please do the following steps:
1. Read, understand, and obey the forum guidelines
http://www.liferay.com/community/forums/-/message_boards/message/572822

2. Check if your question has already been answered

3. If you are definitely sure that it has not yet been answered, create a new thread in the correct forum

4. Wait patiently until somebody replies to your question. If your question is unanswered and you require an answer, subscribe to Liferay support or some other Liferay support service offered by a vendor.