Message Boards

IP address and User-Agent security check

Updated 13 years ago by Martin Raie.

IP address and User-Agent security check

New Member Posts: 1 Join Date: 10/10/22 Recent Posts
Hi,

I need a security option that during one session user would not be allowed to access Liferay from different IP addresses or different User-Agents. Is there something like that implemented in Liferay and how could I switch it on?

Regards,
Martin
Updated 13 years ago by Corné Aussems.

RE: IP address and User-Agent security check

Liferay Legend Posts: 1313 Join Date: 06/10/03 Recent Posts
You should take care of such requirements yourself;

one place to look is to implement your own com.liferay.portal.security.auth.Authenticator;

    ##
    ## Authentication Pipeline
    ##

    #
    # Input a list of comma delimited class names that implement
    # com.liferay.portal.security.auth.Authenticator. These classes will run
    # before or after the portal authentication begins.
    #
    # The Authenticator class defines the constant values that should be used
    # as return codes from the classes implementing the interface. If
    # authentication is successful, return SUCCESS; if the user exists but the
    # passwords do not match, return FAILURE; and if the user does not exist on
    # the system, return DNE.
    #
    # Constants in Authenticator:
    #     public static final int SUCCESS = 1;
    #     public static final int FAILURE = -1;
    #     public static final int DNE = 0;
    #
    # In case you have several classes in the authentication pipeline, all of
    # them have to return SUCCESS if you want the user to be able to login. If
    # one of the authenticators returns FAILURE or DNE, the login fails.
    #
    # Under certain circumstances, you might want to keep the information in the
    # portal database in sync with an external database or an LDAP server. This
    # can easily be achieved by implementing a class via LDAPAuth that updates
    # the information stored in the portal user database whenever a user signs
    # in.
    #
    # Each portal instance can be configured at run time to either authenticate
    # based on user ids or email addresses. See the Admin portlet for more
    # information.
    #
    # Available authenticators are:
    #     com.liferay.portal.security.auth.LDAPAuth
    #
    # See the LDAP properties to configure the behavior of the LDAPAuth class.
    #
    auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
    #auth.pipeline.post=



in combination with the com.liferay.portal.events.SessionCreateAction and SessionDestroyAction

    #
    # Servlet session create event
    #
    servlet.session.create.events=com.liferay.portal.events.SessionCreateAction

    #
    # Servlet session destroy event
    #
    servlet.session.destroy.events=com.liferay.portal.events.SessionDestroyAction


you could invalidate a session from a bag of sessions that you keep;

another approach is to learn from PortletSessionTracker or learn from the code
\portal-web\docroot\html\portlet\enterprise_admin\view_monitoring.jsp

    Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());


or implement your own J2EE sessionlistener
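
The check asked for in this thread, sketched as a standard servlet filter rather than through the Authenticator or session-event hooks named in the reply above. This is an added example, not part of either post and not Liferay code. The class name `SessionBindingFilter` and the two session attribute names are hypothetical, and it assumes the `javax.servlet` API is on the classpath and the filter is mapped in `web.xml` like any other servlet filter.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical example class: pins a session to the IP address and
// User-Agent first seen on it, and drops the session if either changes.
public class SessionBindingFilter implements Filter {

    // Attribute names are made up for this example.
    private static final String BOUND_IP = "example.bound.remoteAddr";
    private static final String BOUND_UA = "example.bound.userAgent";

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here

        if (session != null) {
            // Behind a reverse proxy this is the proxy's address, so the check
            // is only meaningful when the container sees the real client IP.
            String ip = request.getRemoteAddr();
            String header = request.getHeader("User-Agent");
            String ua = (header == null) ? "" : header; // header may be absent

            if (session.getAttribute(BOUND_IP) == null) {
                // First request on this session: record what it is bound to.
                session.setAttribute(BOUND_IP, ip);
                session.setAttribute(BOUND_UA, ua);
            } else if (!ip.equals(session.getAttribute(BOUND_IP))
                    || !ua.equals(session.getAttribute(BOUND_UA))) {
                // Same session id, different client properties: drop the session.
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

The User-Agent header is supplied by the client, so it is a weak signal on its own, and users whose address legitimately changes mid-session (mobile networks, some proxies) will be logged out by the IP check.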