Foros de discusión

Liferay login with both screenname and email id for authentication

Raj Aryan, modificado hace 10 años.

Liferay login with both screenname and email id for authentication

New Member Mensajes: 22 Fecha de incorporación: 22/12/11 Mensajes recientes
Hi,

How to use liferay authentication mechanisum integrated with LDAP to use both screenname or email?
We have a requirement to support legacy IDs which are just the user name - "mylogin" and email id - "mylogin@abc.com". Right now, liferay Portal settings allows just one option. Email or screename or userid or autogenerate ID.
Can someone please help?

This is what I have done so far:
hook.xml:
login.events.pre=com.PreLogin

Created PreLogin Hook and it is working:

public class PreLogin extends Action {
public void run(HttpServletRequest request, HttpServletResponse response) throws ActionException {
String userId = request.getRemoteUser();
System.out.println(userid);
}
}

I see userid printed, so I'm confused if this hook is prelogin or postlogin. Also I'm unable to get the loginid and password entered in login page.
So I need help on how to get id/password.


Thanks,
Raj
thumbnail
David H Nebinger, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
So let's see. Authentication systems all over the world use one or the other, but never both.

But someone has given you a requirement to support both.

Perhaps you should just tell them they have no idea what they're doing.

It may be easier to digest if you tell them that it is always best to use a single form as it enforces consistency and removes ambiguity from the login process. Explain how many people will typically try to use email addresses for usernames (that way you tend not to forget if you should use an email or a login name, since login is email it's always email address).

Maybe then you can explain how it may be difficult to deal with conflicts (user has an LDAP record w/ just a screen name, but they also have an LDAP record with an email address, how user would have two accounts in Liferay and, depending upon how he logged in, he may or may not see the data he was expecting, but he's contacting your help desk because sometimes his stuff disappears and no one there realizes it's because he's switching between two valid accounts).

At the end of the day, allowing for both types of authentication is merely an attempt to avoid cleaning up your LDAP. You will be much better served by saying it's not possible (which it technically would be as long as you were willing to re-write chunks of Liferay code and maintain it yourself going forward) and suggesting they clean the LDAP up.
thumbnail
Milen Dyankov, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Expert Mensajes: 310 Fecha de incorporación: 30/10/12 Mensajes recientes
David H Nebinger:
So let's see. Authentication systems all over the world use one or the other, but never both.


I completely disagree! A lot of telecommunication companies will allow customers to log in by either login, e-mail, MSISDN or customer number. I have also seen cases where in addition to that they support login by token sent as SMS message.
thumbnail
David H Nebinger, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
Milen Dyankov:
David H Nebinger:
So let's see. Authentication systems all over the world use one or the other, but never both.


I completely disagree! A lot of telecommunication companies will allow customers to log in by either login, e-mail, MSISDN or customer number. I have also seen cases where in addition to that they support login by token sent as SMS message.


Thanks, Milen, for reminding me that not everyone lives in my little nice and clean world... emoticon
Raj Aryan, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 22 Fecha de incorporación: 22/12/11 Mensajes recientes
I tried few different approaches.
1. Login Hook
2. Auth Pipeline override

With both approaches, I was able to authenticate or get user info, check for ID type used (email vs screenname) and authenticate. But user with other loginid type than the default one is unable to login.

Example:
Say my default auth schema is email address. When I login, my hook verifies the user and authenticates, return success and user logs in when we use emailid as login id. If i execute same method and logic for screenname, hook returns success but liferay redirect the request back to login page.

Any help on this is much approceited.
thumbnail
David H Nebinger, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
What version of liferay? If you're not on a later version (6.1.2 ga3), you may want to consider an update...
Raj Aryan, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 22 Fecha de incorporación: 22/12/11 Mensajes recientes
Thanks Dave, I tried to upgrade to GA3 and I am facing wierd issue with context loading.

In GA1 and GA2 , we were using context.xml.default placed under liferay-portal-6.1.2-ce-ga3\tomcat-7.0.40\conf\Catalina\localhost and it works fine in all our env. When I did same setup on GA3, server starts up but unable to read the context and hence throwing errors for all my JNDI resource names. It says "JNDI name not found jdbc/testDS.

Do we need to configure context differently on TC 7.0.40?

I also tried copying context.xml under my project META-INF file, adding resource-ref entry in server.xml but no luck.

Any help/suggestion are much appreciated
thumbnail
David H Nebinger, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
Tomcat 7 is not a requirement. You can use tomcat 6 if that's where your config works.
Raj Aryan, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 22 Fecha de incorporación: 22/12/11 Mensajes recientes
Ok, here is what I did so far with respect to Tomcat 7 and Liferay GA3.

As you all know, by default GA3 comes with TC7.0.40 nd this is throwing Datasource not found error. I changed tomcat folder inside GA3 to TC7.0.27 which is in my tomcat inside GA2 version and started the server. It works fine since it still usesGA2 jar files under lib/ext and ROOT/WEB-INF/lib .

Now i took ext/* and ROOT/WEB-INF/lib , tld from tomcat which came in GA3 by default and copied to 7.0.27 under GA3 and started the server. Note that I didn't change any jar related to tomcat so tomcat is still 7.0.27.
When I start my server now with GA3 Liferay with TC7.0.27, I get same errors as before and it is related to datasource missing (JNDI names) which are defined in context.xml.default

Looks like GA3 portlet jar files have some issue here which doesn't pickup context.xml.default under liferay-portal-6.1.2-ce-ga3\tomcat-7.0.27\conf\Catalina\localhost
James Fadeley, modificado hace 9 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 4 Fecha de incorporación: 13/09/13 Mensajes recientes
Hey, question. You mention using a wrapper to allow for authentication against both email and screen name. Which wrapper exactly? I'm guessing not UserLocalServicesWrapper...
thumbnail
Milen Dyankov, modificado hace 9 años.

RE: Liferay login with both screenname and email id for authentication

Expert Mensajes: 310 Fecha de incorporación: 30/10/12 Mensajes recientes
James Fadeley:
Hey, question. You mention using a wrapper to allow for authentication against both email and screen name. Which wrapper exactly? I'm guessing not UserLocalServicesWrapper...


I think he meant to use a service wrapper hook! However, while this may work, I don't recommend this approach as is it effectively changes the behavior of an existing and well defined method. What I would personally do instead is use a custom AutoLoginHook like we already do for CAS, Facebook, OpenSSO, "Remember me", ...!
James Fadeley, modificado hace 9 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 4 Fecha de incorporación: 13/09/13 Mensajes recientes
Milen Dyankov:
James Fadeley:
Hey, question. You mention using a wrapper to allow for authentication against both email and screen name. Which wrapper exactly? I'm guessing not UserLocalServicesWrapper...


I think he meant to use a service wrapper hook! However, while this may work, I don't recommend this approach as is it effectively changes the behavior of an existing and well defined method. What I would personally do instead is use a custom AutoLoginHook like we already do for CAS, Facebook, OpenSSO, "Remember me", ...!



Yep! That's what I meant. And we will eventually have to do an AutoLoginHook to integrate CAS with our portal. For the time being, we want to use a service wrapper hook.

Anyway, we followed that tutorial. We set up a wrapper, changed liferay-hook.xml so it references it. When the log starts, the service is started. However, when 'fetchUserByScreenName' is called, our custom Service wrapper hook is ignored. Any advice?

And thank you for your help!
James Fadeley, modificado hace 9 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 4 Fecha de incorporación: 13/09/13 Mensajes recientes
Change of direction. I'm having the exact same problem that Raj Aryan was. Authentication succeeds but actual login to the user fails.
Raj Aryan, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 22 Fecha de incorporación: 22/12/11 Mensajes recientes
I agree with Milen. Supporting just 1 auth system is not a standard and doesn't fit in to the real world scenarios. I understand your point on users getting confused with email vs screenname etc.. but we are talking of scenarios where current users who are already using screenname or login name would never want to change the login to email. We can enforce any new user to use email id as their login but we can't force existing users to migrate to emailid. This is not practically possible if you have 10000+ users.
We need to support legacy users(username/screename) and new users(emailid).

I recommend liferay should enable default support to dual auth schemes.

Thanks MIlen, I will try your approach and try to implement it.
thumbnail
vipin bardia, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Regular Member Mensajes: 162 Fecha de incorporación: 28/02/11 Mensajes recientes
Hi Raj,

You need to create a service wrapper hook and override method - authenticateByEmailAddress()

In that method check if user ==null by emailAddress then get user by screenName

e.g.

isAuthbyEmail = super.authenticateByEmailAddress(companyId, emailAddress, password,
headerMap, parameterMap, resultsMap);
if (isAuthbyEmail!=1){
isAuthbyEmail = super.authenticateByScreenName(companyId, emailAddress, password, headerMap, parameterMap, resultsMap);
}

Regards,
Vipin Bardia
thumbnail
David H Nebinger, modificado hace 8 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
Sure, let me crank that out so you can get paid for my work, just give me a moment or two...

Seriously though we're not here for you to outsource your job to us as minions to do the work for free. We will typically provide guidance and suggestions and can help you resolve problems, but in the end it will always be up to you to earn your paycheck.
divya goyal, modificado hace 7 años.

RE: Liferay login with both screenname and email id for authentication

New Member Mensajes: 7 Fecha de incorporación: 11/11/14 Mensajes recientes
Hi David,

Can you please guide me with the authentication process of liferay and how we can customize it using portlet? I want to implement a SSO based solution which will accept valid oauth token, after accepting the oauth token, this token will not have the user password and users password are not being stored in liferay DB.
After authorizing the oauth token and after checking that it came from a trusted source, i want to build a autologin solution to authorize the user to access the portal. I have checked that the user is present in DB/AD or not, but after that how to authorize the user without using the password is where i am stuck on right now. In the Liferay login we can use the loginAction which will in turn call the getAuthenticatedByEmailAddress/getAuthenticatedByScreenName, but both these methods requires the password field which i dont have access to. Now for moving further please guide with the auto login of Portal based on the authorization token.
thumbnail
David H Nebinger, modificado hace 8 años.

RE: Liferay login with both screenname and email id for authentication

Liferay Legend Mensajes: 14914 Fecha de incorporación: 2/09/06 Mensajes recientes
Ramesh Yelda:
Can u please provide the exact login for authenticating using screen name and email address both. Please help ...awaiting for ur early reply


Apparently you didn't get it the first time, Ramesh, so let me include it again...

David H Nebinger:
Sure, let me crank that out so you can get paid for my work, just give me a moment or two...

Seriously though we're not here for you to outsource your job to us as minions to do the work for free. We will typically provide guidance and suggestions and can help you resolve problems, but in the end it will always be up to you to earn your paycheck.
thumbnail
Milen Dyankov, modificado hace 10 años.

RE: Liferay login with both screenname and email id for authentication

Expert Mensajes: 310 Fecha de incorporación: 30/10/12 Mensajes recientes
You need to create custom auto login hook. Here if the description prom portal.properties:

    #
    # Input a list of comma delimited class names that implement
    # com.liferay.portal.security.auth.AutoLogin. These classes will run in
    # consecutive order for all unauthenticated users until one of them returns
    # a valid user id and password combination. If no valid combination is
    # returned, then the request continues to process normally. If a valid
    # combination is returned, then the portal will automatically login that
    # user with the returned user id and password combination.
    #
    # For example, com.liferay.portal.security.auth.RememberMeAutoLogin reads
    # from a cookie to automatically log in a user who previously logged in
    # while checking on the "Remember Me" box.
    #
    # This interface allows deployers to easily configure the portal to work
    # with other SSO servers. See com.liferay.portal.security.auth.CASAutoLogin
    # for an example of how to configure the portal with Yale's SSO server.
    #
    auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.FacebookAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin,com.liferay.portal.security.auth.SiteMinderAutoLogin


Have a look at the source code of some of the existing hooks to see how to implement it.
atul patel, modificado hace 8 años.

RE: Liferay login with both screenname and email id for authentication

Regular Member Mensajes: 192 Fecha de incorporación: 18/11/06 Mensajes recientes
Just saw that you guys are having problems with this. I don't have the code handy anymore but wanted to let you know that this can definitely be done. Wrote the hook a few years ago.

If I recall correctly, here is what I did.

During the the authentication process, I overrode the authByEmail method. The idea was this: with default auth set to email, Check email auth first, if that fails, instead of returning failure, I invoked the the authByScreenName process (either my calling that method, or calling whatever the code inside the method does).

Hope this helps and take it with a grain of salt as I wrote it long ago.