掲示板
IP address and User-Agent security check
13年前 に Martin Raie によって更新されました。
IP address and User-Agent security check
New Member 投稿: 1 参加年月日: 10/10/22 最新の投稿
Hi,
I need a security option that during one session user would not be allowed to access Liferay from different IP addresses or different User-Agents. Is there something like that implemented in Liferay and how could I switch it on?
Regards,
Martin
I need a security option that during one session user would not be allowed to access Liferay from different IP addresses or different User-Agents. Is there something like that implemented in Liferay and how could I switch it on?
Regards,
Martin
13年前 に Corné Aussems によって更新されました。
RE: IP address and User-Agent security check
Liferay Legend 投稿: 1313 参加年月日: 06/10/03 最新の投稿
You should take care of such requirements yourself;
one place to look is to implement your own com.liferay.portal.security.auth.Authenticator;
in combination with the com.liferay.portal.events.SessionCreateAction and SessionDestroyAction
you could invalidate a session from a bagof sessions that you keep;
another approach is to learn from PortletSessionTracker or learn from the code
\portal-web\docroot\html\portlet\enterprise_admin\view_monitoring.jsp
or implement your own J2EE sessionlistener
one place to look is to implement your own com.liferay.portal.security.auth.Authenticator;
##
## Authentication Pipeline
##
#
# Input a list of comma delimited class names that implement
# com.liferay.portal.security.auth.Authenticator. These classes will run
# before or after the portal authentication begins.
#
# The Authenticator class defines the constant values that should be used
# as return codes from the classes implementing the interface. If
# authentication is successful, return SUCCESS; if the user exists but the
# passwords do not match, return FAILURE; and if the user does not exist on
# the system, return DNE.
#
# Constants in Authenticator:
# public static final int SUCCESS = 1;
# public static final int FAILURE = -1;
# public static final int DNE = 0;
#
# In case you have several classes in the authentication pipeline, all of
# them have to return SUCCESS if you want the user to be able to login. If
# one of the authenticators returns FAILURE or DNE, the login fails.
#
# Under certain circumstances, you might want to keep the information in the
# portal database in sync with an external database or an LDAP server. This
# can easily be achieved by implementing a class via LDAPAuth that updates
# the information stored in the portal user database whenever a user signs
# in.
#
# Each portal instance can be configured at run time to either authenticate
# based on user ids or email addresses. See the Admin portlet for more
# information.
#
# Available authenticators are:
# com.liferay.portal.security.auth.LDAPAuth
#
# See the LDAP properties to configure the behavior of the LDAPAuth class.
#
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
#auth.pipeline.post=
in combination with the com.liferay.portal.events.SessionCreateAction and SessionDestroyAction
#
# Servlet session create event
#
servlet.session.create.events=com.liferay.portal.events.SessionCreateAction
#
# Servlet session destroy event
#
servlet.session.destroy.events=com.liferay.portal.events.SessionDestroyAction
you could invalidate a session from a bagof sessions that you keep;
another approach is to learn from PortletSessionTracker or learn from the code
\portal-web\docroot\html\portlet\enterprise_admin\view_monitoring.jsp
Map<string, usertracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());</string,>
or implement your own J2EE sessionlistener