Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Ray Augé
Authentication for private RSS feeds
November 11, 2009 10:12 AM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

Hey All,

I'm working on a simple pattern for forcing basic authentication for private RSS feeds (with optional required HTTPS).

The only issue codewise is that in order to have a servlet filter recognize that the feed is private we need to make a new mapping for the RSS actions, something like
1/blogs/secure/rss
.

This would allow the forcing of proper authentication by a servlet filter.

The whole point is to allow private RSS feeds to be consumed by external clients, and in 99% of cases, they support basic authentication and SSL. The problem is that external clients can't use FORM authentication of the portal to reach the private pages, making existing private RSS feeds all but useless.

Does anyone see other issues I haven't thought of?
Ray Augé
RE: Authentication for private RSS feeds
November 11, 2009 10:53 AM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

Here is the servlet filter config I'm testing:

 1    <filter>
 2        <filter-name>Secure RSS Filter</filter-name>
 3        <filter-class>com.liferay.portal.servlet.filters.secure.SecureFilter</filter-class>
 4        <init-param>
 5            <param-name>basic_auth</param-name>
 6            <param-value>true</param-value>
 7        </init-param>
 8        <init-param>
 9            <param-name>portal_property_prefix</param-name>
10            <param-value>secure.rss.</param-value>
11        </init-param>
12        <init-param>
13            <param-name>url-regex-pattern</param-name>
14            <param-value>.+/rss</param-value>
15        </init-param>
16    </filter>
17    <filter-mapping>
18        <filter-name>Secure RSS Filter</filter-name>
19        <url-pattern>/c/blogs/rss</url-pattern>
20    </filter-mapping>
21    <filter-mapping>
22        <filter-name>Secure RSS Filter</filter-name>
23        <url-pattern>/c/journal/rss</url-pattern>
24    </filter-mapping>
25    <filter-mapping>
26        <filter-name>Secure RSS Filter</filter-name>
27        <url-pattern>/c/message_boards/rss</url-pattern>
28    </filter-mapping>
29    <filter-mapping>
30        <filter-name>Secure RSS Filter</filter-name>
31        <url-pattern>/c/tags/rss</url-pattern>
32    </filter-mapping>
33    <filter-mapping>
34        <filter-name>Secure RSS Filter</filter-name>
35        <url-pattern>/c/wiki/rss</url-pattern>
36    </filter-mapping>
37    <filter-mapping>
38        <filter-name>Secure RSS Filter</filter-name>
39        <url-pattern>/group/*</url-pattern>
40    </filter-mapping>
41    <filter-mapping>
42        <filter-name>Secure RSS Filter</filter-name>
43        <url-pattern>/user/*</url-pattern>
44    </filter-mapping>


Note that /group, /user already imply private mappings, so there is nothing to change for purely "portlet" driven feeds.

Additonal Note: I added
1        <init-param>
2            <param-name>url-regex-pattern</param-name>
3            <param-value>.+/rss</param-value>
4        </init-param>

so that in the case of the portlet driven feeds, as long as you have its RSS behavior mapped to */rss in the FriendlyURLMapper it'll inherit authentication by this filter config.

Ideally the patterns for /c/blogs/rss, /c/journal/rss, /c/message_boards/rss, /c/tags/rss, /c/wiki/rss should be distinct as being "private" feeds.

I was thinking /c/blogs/secure/rss, /c/journal/secure/rss, /c/message_boards/secure/rss, /c/tags/rss, /c/wiki/secure/rss or something like that.

The reason why this is need is so that "public" feeds continue to work without authentication being forced.

The additional mappings would simply be copies of their non-private mappings:

1        <action path="/blogs/secure/rss" type="com.liferay.portlet.blogs.action.RSSAction" />
2        <action path="/journal/secure/rss" type="com.liferay.portlet.journal.action.RSSAction" />
3        <action path="/message_boards/secure/rss" type="com.liferay.portlet.messageboards.action.RSSAction" />
4        <action path="/tags/secure/rss" type="com.liferay.portlet.tags.action.RSSAction" />
5        <action path="/wiki/secure/rss" type="com.liferay.portlet.wiki.action.RSSAction" />


PS: Make sure to change the filter mappings above to match these mappings now.

This of course would mean small code changes wherever those urls are embedded in the site, such that when the page is a private page the "secure" mapping is output rather than the current default mapping.

I think that about covers it.
Ryan Park
RE: Authentication for private RSS feeds
November 11, 2009 11:04 AM
Answer

Ryan Park

LIFERAY STAFF

Rank: Regular Member

Posts: 111

Join Date: August 27, 2007

Recent Posts

Thanks Ray, this is awesome!

We ran into this problem in Social Office and we have since disabled support for RSS. However in Social Office a lot of pages tend to be public and simply have the guest view permission removed. Would these feeds also be accommodated to work under your system?

Thanks!
Ray Augé
RE: Authentication for private RSS feeds
November 11, 2009 11:16 AM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

In that case, you'd simply also include mappings that are normally "public":

 1[b]<!-- Add public mappings so they force authentication (i.e. SO) -->
 2    <filter-mapping>
 3        <filter-name>Secure RSS Filter</filter-name>
 4        <url-pattern>/c/blogs/rss</url-pattern>
 5    </filter-mapping>
 6    <filter-mapping>
 7        <filter-name>Secure RSS Filter</filter-name>
 8        <url-pattern>/c/journal/rss</url-pattern>
 9    </filter-mapping>
10    <filter-mapping>
11        <filter-name>Secure RSS Filter</filter-name>
12        <url-pattern>/c/message_boards/rss</url-pattern>
13    </filter-mapping>
14    <filter-mapping>
15        <filter-name>Secure RSS Filter</filter-name>
16        <url-pattern>/c/tags/rss</url-pattern>
17    </filter-mapping>
18    <filter-mapping>
19        <filter-name>Secure RSS Filter</filter-name>
20        <url-pattern>/c/wiki/rss</url-pattern>
21    </filter-mapping>
22    <filter-mapping>
23        <filter-name>Secure RSS Filter</filter-name>
24        <url-pattern>/web/*</url-pattern>
25    </filter-mapping>[/b]
26
27        <!-- Private mappings that should always be authenticated -->
28    <filter-mapping>
29        <filter-name>Secure RSS Filter</filter-name>
30        <url-pattern>/c/blogs/secure/rss</url-pattern>
31    </filter-mapping>
32    <filter-mapping>
33        <filter-name>Secure RSS Filter</filter-name>
34        <url-pattern>/c/journal/secure/rss</url-pattern>
35    </filter-mapping>
36    <filter-mapping>
37        <filter-name>Secure RSS Filter</filter-name>
38        <url-pattern>/c/message_boards/secure/rss</url-pattern>
39    </filter-mapping>
40    <filter-mapping>
41        <filter-name>Secure RSS Filter</filter-name>
42        <url-pattern>/c/tags/secure/rss</url-pattern>
43    </filter-mapping>
44    <filter-mapping>
45        <filter-name>Secure RSS Filter</filter-name>
46        <url-pattern>/c/wiki/secure/rss</url-pattern>
47    </filter-mapping>
48    <filter-mapping>
49        <filter-name>Secure RSS Filter</filter-name>
50        <url-pattern>/group/*</url-pattern>
51    </filter-mapping>
52    <filter-mapping>
53        <filter-name>Secure RSS Filter</filter-name>
54        <url-pattern>/user/*</url-pattern>
55    </filter-mapping>


Nothing else should be required.
Jorge Ferrer
RE: Authentication for private RSS feeds
November 11, 2009 1:18 PM
Answer

Jorge Ferrer

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2768

Join Date: August 31, 2006

Recent Posts

Looks good to me.

This is a feature I've been wanting to have for a long time, thanks a lot Ray!
Ray Augé
RE: Authentication for private RSS feeds
November 11, 2009 7:06 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

You and me both! emoticon
Matthew Ropp
RE: Authentication for private RSS feeds
November 25, 2009 1:39 PM
Answer

Matthew Ropp

Rank: Junior Member

Posts: 76

Join Date: August 5, 2009

Recent Posts

Ray-

Will this be making an appearance in an upcoming release? I assume this would allow me to use Liferay's built-in RSS portlet to read RSS feeds for message boards, etc that are on private pages?

Thanks-

Matthew
Ray Augé
RE: Authentication for private RSS feeds
November 25, 2009 1:50 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

Good question!

I'll have to test that scenario. Currently the RSS Portlet is not that sophisticated. I'll have to confirm that either way.

Really what we're targeting are desktop clients. But it surely isn't our intention to block any kind of specific use cases.


Note: Even google reader doesn't support authenticated feeds based on my last check... if it does please tell me how!!! Although if our own RSS Portlet supported authenticated feeds, I might use it instead, and load it as a desktop widget!!! OHHH now I'm really intrigued.
Matthew Ropp
RE: Authentication for private RSS feeds
November 25, 2009 2:10 PM
Answer

Matthew Ropp

Rank: Junior Member

Posts: 76

Join Date: August 5, 2009

Recent Posts

Thanks Ray.

We'd really love to be able to have users add an RSS feed on their private page that shows the entries for a message board that is on a (private) org page.

Matthew
Ray Augé
RE: Authentication for private RSS feeds
November 25, 2009 2:12 PM
Answer

Ray Augé

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1195

Join Date: February 7, 2005

Recent Posts

Sounds like a good plan!

The solution just requires testing really.. so when I have some time, I'll give it more thorough test and then hopefully commit it.
Lari Tuominen
RE: Authentication for private RSS feeds
February 15, 2010 1:20 AM
Answer

Lari Tuominen

Rank: Expert

Posts: 283

Join Date: November 7, 2007

Recent Posts

Hi Ray,

Any news on this one? Looking for the same feature as Matthew above.

- Lari
Jeremy Wier
RE: Authentication for private RSS feeds
February 16, 2011 9:12 AM
Answer

Jeremy Wier

Rank: New Member

Posts: 9

Join Date: October 15, 2009

Recent Posts

The issue we are having is with RSS on the Activities portlet. I know there are existing issues being worked with regards to subscribing, but this is related to public vs private activities. I have placed an Activities portlet on the public home page of a community and activities for adding documents to the doc lib, forum posts, etc show up there even though these features are on private pages. I can then right click the subscribe link and copy the URL into my Outlook RSS Feed reader and am subscribed. However, nothing appears in the reader since all the activities come from private pages.

Not sure if the solution above would fix this or if anyone knows of any other way around this besides, obviously, moving the doc lib and forums to public pages, but that is not an option with some of our communities.

Thanks!