Home » Liferay Portal » English » 3. Development
Janus Godard (Rank: New Member | Posts: 17 | Join Date: August 1, 2013)
can't make sense of liferay's auth pipeline
October 4, 2013 1:46 PM

I'm trying to get some captcha support on the login page. I found a JSP that displays the captcha, no problem.
http://mustafayuceel.com/my/how-to-activate-catpcha-recaptcha-in-liferay-6-login-page/

However, a hook can't seem to extend the LoginAction; I get a ClassNotFoundException, probably because it's in portal-impl.jar, so not really exposed to hooks.

I tried to make a custom action extending Action, but public void run(HttpServletRequest iRequest, HttpServletResponse iResponse) only gives me access to the HttpServletRequest and not the PortletRequest. Unfortunately /login/captcha uses the PortletRequest and the PortletSession to store the info on the captcha, so when I call CaptchaUtil.check with an HttpServletRequest, it always fails.

I tried to make a custom Authenticator, which at first seemed the right way to do it, but then I don't get access to the PortletRequest either, so I can't use CaptchaUtil.check either.

Is Ext the only way for me to make this work?

Is there no way for a hook action or authenticator to have access to the PortletRequest?
Zsigmond Rab (LIFERAY STAFF | Rank: Liferay Master | Posts: 650 | Join Date: January 4, 2010)
RE: can't make sense of liferay's auth pipeline
October 4, 2013 2:30 PM

Hi Janus,

this thread may help you.

Regards,
Zsigmond
Janus Godard (Rank: New Member | Posts: 17 | Join Date: August 1, 2013)
RE: can't make sense of liferay's auth pipeline
October 7, 2013 6:37 AM

Hi Zsigmond,

I did search the Liferay forums and googled "liferay" and "captcha" before posting. I read that thread and I keep running into problems, as detailed in my initial post. But let me elaborate.

In trying to implement this as a hook, I run into a ClassNotFoundException when trying to load the LoginAction that my custom class is extending (as per the same code), like this other dev did.

Looking at how the code worked, it didn't seem like a very forward-compatible way of doing things, and while reading on the issue, I discovered the Liferay auth pipeline. So I decided to keep the JSP from the code above (it works to generate the captcha) and add a custom com.liferay.portal.security.auth.Authenticator to auth.pipeline.pre.

Unfortunately, Authenticator doesn't seem to have access to the PortletRequest, so I can't call CaptchaUtil.check(<PortletRequest>) (this is the utility method that validates the captcha generated by the /login/captcha Struts action portlet, com.liferay.portal.captcha.CaptchaPortletAction). And since it could either be a simple captcha or a reCaptcha, trying to do custom verification is non-trivial. Also, CaptchaPortletAction stores the CAPTCHA_TEXT in the PortletSession, not the HttpSession, so in the HttpSession the attribute is prefixed with a portlet identifier which I'm unable to obtain programmatically from an Authenticator.

During the implementation of the Authenticator I noticed some strange behavior: I could access com.liferay.portal.util.WebKeys (which is in portal-impl.jar) but not com.liferay.portal.util.PropsValues (I get a ClassNotFoundException from the class loader at runtime, like above when extending LoginAction). While reading on the issue of accessing PropsValues, I read a post from Ray Augé saying we must not access portal-impl.jar content from custom hook classes. Unfortunately, the CAPTCHA_TEXT property is on com.liferay.portal.util.WebKeys (which is in portal-impl.jar) but not on com.liferay.portal.kernel.util.WebKeys.

Another thing I did try is to add a custom com.liferay.portal.kernel.events.Action to login.events.pre. However, while this class has access to the HttpServletRequest, it doesn't seem to have access to the PortletRequest (and I didn't find a way to get the PortletRequest from the HttpServletRequest). So CaptchaUtil.check(<HttpServletRequest>) fails because the CAPTCHA_TEXT was stored in the PortletSession and not the HttpSession (yes, the value is still there, but prefixed with that portlet id, which makes the lookup in the HttpSession fail). Is there a way to retrieve the PortletRequest from an Action given the HttpServletRequest?

So, where do I go from there? Short of re-implementing my own CaptchaPortletAction and CaptchaUtil, I don't see a solution at the moment. Rewriting and not extending LoginAction might also be a way, but it will require maintenance at each upgrade.
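The two extension points Janus describes, written out as an added example (not code from this thread, from Tomas's repository, or from Liferay itself) so that the difference in what each stage can see is concrete. It assumes a Liferay 6.x hook plugin: an Authenticator registered in auth.pipeline.pre receives only the company id, the credential, and the request's header and parameter maps, while a login.events.pre Action receives the HttpServletRequest. The package name, the hook property values, and the form field name captchaText are assumptions; the Liferay types used are the public ones from portal-service.jar.

```java
// Added example, not code from the thread or from Liferay. Two classes, one per file,
// both registered from the hook's portal.properties (assumed names):
//   auth.pipeline.pre=com.example.hook.CaptchaFieldAuthenticator
//   login.events.pre=com.example.hook.CaptchaCheckAction
//
// ---- file: CaptchaFieldAuthenticator.java ----
package com.example.hook;

import java.util.Map;

import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.auth.AuthException;
import com.liferay.portal.security.auth.Authenticator;

public class CaptchaFieldAuthenticator implements Authenticator {

    // Assumed form field name: the input the captcha taglib posts with the login form.
    private static final String CAPTCHA_PARAM = "captchaText";

    public int authenticateByEmailAddress(long companyId, String emailAddress, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
            throws AuthException {
        return requireCaptchaField(parameterMap);
    }

    public int authenticateByScreenName(long companyId, String screenName, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
            throws AuthException {
        return requireCaptchaField(parameterMap);
    }

    public int authenticateByUserId(long companyId, long userId, String password,
            Map<String, String[]> headerMap, Map<String, String[]> parameterMap)
            throws AuthException {
        return requireCaptchaField(parameterMap);
    }

    // This stage sees only the two maps: no HttpServletRequest, no PortletRequest and no
    // session. It can therefore insist that the field was posted, but it cannot compare the
    // value with the challenge text stored in the PortletSession (the limitation raised above).
    private int requireCaptchaField(Map<String, String[]> parameterMap) {
        String[] values = (parameterMap == null) ? null : parameterMap.get(CAPTCHA_PARAM);
        if (values == null || values.length == 0 || Validator.isNull(values[0])) {
            return FAILURE; // reject the attempt; the pipeline stops here
        }
        return SUCCESS;     // let the remaining authenticators and Liferay's own check run
    }
}

// ---- file: CaptchaCheckAction.java ----
package com.example.hook;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.captcha.CaptchaException;
import com.liferay.portal.kernel.captcha.CaptchaUtil;
import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;

public class CaptchaCheckAction extends Action {

    // Runs before authentication with the servlet request, so the servlet-level
    // CaptchaUtil.check(HttpServletRequest) is callable here. As the thread observes, this
    // only succeeds when the challenge was stored in the HttpSession, i.e. when the image was
    // served through the servlet-level CaptchaUtil.serveImage(HttpServletRequest,
    // HttpServletResponse) rather than through the /login/captcha portlet action.
    @Override
    public void run(HttpServletRequest request, HttpServletResponse response)
            throws ActionException {
        if (!CaptchaUtil.isEnabled(request)) {
            return; // captcha switched off for this request: nothing to verify
        }
        try {
            CaptchaUtil.check(request);
        }
        catch (CaptchaException ce) {
            // Failing the pre-login event aborts the login before any credential check.
            throw new ActionException(ce);
        }
    }
}
```

The design point is that the two stages have different inputs and different powers: the Authenticator can veto a login but has no request object, while the Action has the request but runs before the credential check and must abort by throwing. Neither stage solves the PortletSession mismatch Janus describes; the Action only works if the challenge was created through the servlet-level API in the first place.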
Tomas Polesovsky (LIFERAY STAFF | Rank: Liferay Master | Posts: 643 | Join Date: February 13, 2009)
RE: can't make sense of liferay's auth pipeline
October 8, 2013 2:23 PM

Hi Janus,

your problems seem to be very difficult; I don't know what to answer.

So I rather tried to implement it so that it can inspire you. Please see https://github.com/topolik/lfr-captcha-login

Thanks.
Janus Godard (Rank: New Member | Posts: 17 | Join Date: August 1, 2013)
RE: can't make sense of liferay's auth pipeline
October 9, 2013 5:47 AM

Thanks a lot, it seems that approach could work. Though that completely replaces the default Liferay login portlet/action, right?
Tomas Polesovsky (LIFERAY STAFF | Rank: Liferay Master | Posts: 643 | Join Date: February 13, 2009)
RE: can't make sense of liferay's auth pipeline
October 10, 2013 12:22 AM

It doesn't replace the login actions. It only wraps them.

I'm sorry, I don't know what your requirement for the Captcha is.

I assume you want to use Captcha in the login form to prevent bots from authenticating and/or brute-forcing passwords by guessing. If this is true, there are still other places that should be taken care of:
1. protect the public API (e.g. JSON, JSONWS services; may also apply to WebDAV, ...)
2. disable remember-me cookies
3. all other custom code / app server security controls

In short, all places which allow an attacker to sign in without proving "human attributes".
Janus Godard (Rank: New Member | Posts: 17 | Join Date: August 1, 2013)
RE: can't make sense of liferay's auth pipeline
October 10, 2013 6:08 AM

Thanks! I will pass the info to our requirements people.