« Development (Legacy) に戻る

Acegi Security for Liferay

Introduction #

This article describes one way to use Acegi Security System for Spring for authentication and authorization in Liferay (version 4.1.2).

Authorization #

Protect URLs by Acegi Security #

One nice feature of Acegi Security is that you can easily implement different authentication schemes. I've set up Acegi to use CAS, but you can also use form based login or something else.

  • add acegi-security.jar to ext/ext-lib/portal
  • Add the following entries to ext/web-sites/liferay.com-web/docroot/WEB-INF/web.xml (be sure to put the entries at the correct position in web.xml):
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/applicationContext-acegi-security-cas.xml</param-value>
	</context-param>

	<filter>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
		<init-param>
			<param-name>targetClass</param-name>
			<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
		</init-param>
	</filter>

	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
  • Now configure Acegi Security in ext/ext-web/docroot/WEB-INF/applicationContext-acegi-security-cas.xml as described in the Acegi Security documentation to use the authentication scheme of your choice. The only Liferay specific part is to define the URLs to protect:
	<!-- +++++++++ Enforce Security based on URLs  +++++++++ -->

	<!-- Intercept access to specified URLs and enforce security -->
	<bean id="filterInvocationInterceptor"
		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager">
			<ref local="authenticationManager" />
		</property>
		<property name="accessDecisionManager">
			<ref local="accessDecisionManager" />
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				\A/c/portal/login\Z=ROLE_AUTHENTICATED
				\A/c/portal/logout\Z=ROLE_AUTHENTICATED
				\A/c/portal/layout.*\Z=ROLE_AUTHENTICATED
				\A/group/.*\Z=ROLE_AUTHENTICATED
			</value>
		</property>
	</bean>

Tell Liferay to look for Acegi's Security Principal #

Now we have to tell Liferay to look for and accept a Security Principal from Acegi Security. This is very similar to a setup using CAS or LDAP Authentication.

  • Add a auto login hook to portal-ext.properties
    • auto.login.hooks=de.abas.liferay.portal.auth.AcegiAutoLogin

AcegiAutoLogin has following tasks:

  • Check whether the current user is authenticated
    • if not, return null to signal Liferay it has to take over the authentication process
  • Check whether the user is registered in Liferay
    • if not, fetch user data (e.g. from LDAP) and create an account in Liferay
  • get and return the users credentials from Liferay

The main method of AcegiAutoLogin looks like this:

    public String[] login(HttpServletRequest req, HttpServletResponse res) throws AutoLoginException {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication auth = context.getAuthentication();
        if ((auth == null) || (!auth.isAuthenticated()) || (auth.getName() == null)) {
            // user is not authenticated via Acegi
            // or no user id is provided
            // normal Liferay login procedure will be executed
            return null;
        }
        String companyId = req.getSession().getServletContext().getInitParameter("company_id");
        try {
            User user = UserLocalServiceUtil.getUserById(auth.getName());
            return updateLiferayAccount(auth.getName(), user, companyId);
        } catch (Exception e) {
            // user account not found in Liferay
            return updateLiferayAccount(auth.getName(), null, companyId);
        }
    }

You'll have to add your own implementation of updateLiferayAccount to create or update account data with information from your user data store. Useful objects to access user data in Liferay are

  • UserLocalServiceUtil
  • ContactLocalServiceUtil
  • RoleLocalServiceUtil
  • GroupLocalServiceUtil
  • OrganizationLocalServiceUtil

Synchronize data between Liferay and an external user database #

If you have an external user directory (e.g. LDAP) you might want to synchronize the data between the directory and Liferay.

From LDAP to Liferay #

AcegiAutoLogin can be extended to update Liferay's user data on every login. This is done within the call of updateLiferayAccount(auth.getName(), user, companyId) in the code sample above.

From Liferay to LDAP #

If a user ore administrator changes user data from within Liferay the LDAP directory must be updated (otherwise the data will be overridden the next time the user logs in).

I've solved this by adding a Spring AOP AfterReturningAdvice. Add the following snippet to ext/ext-ejb/classes/META-INF/ext-spring-professional.xml:

<!--
  - This TransactionProxyFactoryBean overrides the entry in portal-spring-professional.xml.
  - The difference lays in the post interceptor which propagates certain user data 
  - settings to the LDAP directory.
 -->
<bean id="com.liferay.portal.service.spring.UserService.transaction"
      class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean" 
      lazy-init="true">
	<property name="transactionManager">
	  <ref bean="liferayTransactionManager" />
	</property>
	<property name="target">
	  <ref bean="com.liferay.portal.service.spring.UserService.professional" />
	</property>
	<property name="transactionAttributes">
	  <props>
	    <prop key="*">PROPAGATION_REQUIRED</prop>
	  </props>
	</property>
	<property name="postInterceptors">
 	  <list>
   	    <ref bean="de.abas.liferay.service.impl.UserServiceAfterReturningAdvice"/>
 	  </list>
	</property>
</bean>

UserServiceAfterReturningAdvice implements org.springframework.aop.AfterReturningAdvice. The main method looks like this:

    /**
     * {@inheritDoc}
     *
     * Triggers on the execution of UserService methods modifying user data also
     * kept in the LDAP directory. The data is then modified in LDAP, too.
     *
     * @see org.springframework.aop.AfterReturningAdvice#afterReturning(java.lang.Object,
     *      java.lang.reflect.Method, java.lang.Object[], java.lang.Object)
     */
    public void afterReturning(Object returnValue, Method m, Object[] args, Object target) throws Throwable {
        if (logger.isDebugEnabled()) {
            if (LDAP_SYNCHRONIZATION_ENABLED.booleanValue()) {
                logger.debug("LDAP synchronization disabled in portal-ext.properties.");
            } else {
                logger.debug("Executing UserServiceAfterReturningAdvice.");
            }
        }
        if (!LDAP_SYNCHRONIZATION_ENABLED.booleanValue()) {
            return;
        }
        if (m.getName().equals("updatePassword")) {
            updatePassword(args);
        } else if (m.getName().equals("updateUser")) {
            updateUser(args);
        } else if (m.getName().equals("updatePortrait")) {
            updatePortrait(args);
        }
    }

Using Acegi Security for Authorization #

Next to Authentication you can take advantage of Acegi Security for authorization. I want go into details, but if you are using Spring Portlet MVC you might be interested in this thread.

Related Articles #

Liferay 4.x.x Portal Architecture

Single SignOn - Integrating Liferay With CAS Server

LDAP

0 添付ファイル
46783 参照数
平均 (0 投票)
平均評価は0.0星中の5です。
コメント
コメント 作成者 日時
Hi, Where is this java file ... neelam bhandari 2011/12/21 6:15

Hi,
Where is this java file de.abas.liferay.portal.auth.AcegiAutoLogin in liferay 6?
Thanks
Neelam
投稿日時:11/12/21 6:15