Hello, all.
For various reasons, I had to implement a custom login. I did it through a portlet which adds a user id and an unencrypted password to the shared session, and a auto login hook which gets the user id and the password and returns them. The auto login class is below:
What I've found surprising is that the login succeeds even if the password is wrong. So, I suppose I should do the dirty work of authenticating my user (e.g. using UserLocalServiceUtil.authenticateUserById(). My doubts are:
I am actually asking it mostly for curiosity about the internals of Liferay
and to know the consequences of using auto login.
Thanks in advance!
For various reasons, I had to implement a custom login. I did it through a portlet which adds a user id and an unencrypted password to the shared session, and a auto login hook which gets the user id and the password and returns them. The auto login class is below:
public class MyAutoLogin implements AutoLogin {
public String[] login(HttpServletRequest request,
HttpServletResponse response) throws AutoLoginException {
HttpSession session = request.getSession();
String userId = (String) session.getAttribute("myUserid");
String senha = (String) session.getAttribute("myPassword");
String[] dados = new String[] { userId, senha, Boolean.FALSE.toString()};
session.removeAttribute("myUserid");
session.removeAttribute("myPassword");
return dados;
}
}
What I've found surprising is that the login succeeds even if the password is wrong. So, I suppose I should do the dirty work of authenticating my user (e.g. using UserLocalServiceUtil.authenticateUserById(). My doubts are:
- Is this right? Should the login be successful even when the password is wrong?
- if so, what is the purpose of returning both the user Id and the password?
I am actually asking it mostly for curiosity about the internals of Liferay
and to know the consequences of using auto login.Thanks in advance!
