Message Boards

How to add Authentication to Custom Rest on Liferay 7 CE

Sunit Chatterjee, modified 6 years ago.

How to add Authentication to Custom Rest on Liferay 7 CE

Junior Member Posts: 28 Join Date: 17-5-18 Recent Posts
I have created a custom REST application on Liferay 7.0 CE.
However, it does not require any authentication and I can access it without any authentication.
What should I do so that my custom REST application also goes through the Liferay authentication mechanism?

Here is what I did
  • Created a new Liferay Module of type "Rest". (Name of module is "test")
  • Gave Application path as "/"
  • Application is exposed by the relative URL - "/o/test/*"

Below are the details of application class and the configuration files

Application class looks like this
@ApplicationPath("/")
@Component(immediate = true, property = {"jaxrs.application=true"}, service = Application.class)
public class RestApplication extends Application {
 /* some methods here */ 
}

src/main/resources/configuration/com.liferay.portal.remote.cxf.common.configuration.CXFEndpointPublisherConfiguration-cxf
contextPath=/test
authVerifierProperties=auth.verifier.PortalSessionAuthVerifier.urls.includes=*

src/main/resources/configuration/com.liferay.portal.remote.rest.extender.configuration.RestExtenderConfiguration-rest
contextPaths=/test
jaxRsServiceFilterStrings=(component.name=com.test.app.application.RestApplication)
jaxrs.applications.filters=(jaxrs.application=true)


I debugged the AuthVerifier code, and I found that in the class PortalSessionAuthVerifier, the following code gets executed and it returns an AuthVerifierResult with a state of State.NOT_APPLICABLE, since PortalUtil.getUser(request) returns null.
AuthVerifierResult authVerifierResult = new AuthVerifierResult();
HttpServletRequest request = accessControlContext.getRequest();
User user = PortalUtil.getUser(request);
if ((user == null) || user.isDefaultUser()) {
     return authVerifierResult;
}


I could only think of the following option: create a new AuthVerifier that extends PortalSessionAuthVerifier. Then, in the case of a null user, I would return a State of INVALID_CREDENTIALS instead of NOT_APPLICABLE.
I am not sure if that's the right way to do it.

Please provide me some suggestions on how I can add the Liferay authentication to this custom REST application.
Sunit Chatterjee, modified 6 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE (Answer)

Junior Member Posts: 28 Join Date: 17-5-18 Recent Posts
My custom Rest URL was /o/test/*

I was finally able to implement it in this way

  • Wrote a custom Auth Verifier

    @Component(
    	immediate = true,
    	property = {
    		"auth.verifier.MyCustomAuthVerifier.urls.includes=*"
    	}
    )
    public class MyCustomAuthVerifier implements AuthVerifier {
      // Custom code here
      // I check if user is logged in or not
      // If not logged in then I send an AuthVerifierResult with a state of INVALID_CREDENTIALS instead of NOT_APPLICABLE
    }



  • Added the Auth Verifier to my CXF Endpoint configuration

    contextPath=/test
    authVerifierProperties=auth.verifier.MyCustomAuthVerifier.urls.includes=*


  • Added a custom Servlet Filter

    @Component(
    	immediate = true,
    	property = {
    		"servlet-context-name=", "servlet-filter-name=MyCustom Auth Filter",
    		"url-pattern=/o/test/*"
    	},
    	service = Filter.class
    )
    public class MyCustomServletFilter implements Filter {
      // Custom code here
      // In the servlet filter, I check the State of AuthVerifierResult.
      // If State is not SUCCESS, I set the HTTP Response status as 401 (Unauthorized)
    }

Martina Macova, modified 6 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE

New Member Posts: 1 Join Date: 17-3-14 Recent Posts
Thank you for your suggested solution. It works fine, but one thing: how do I order my custom filter after my custom AuthVerifier is initialized? Now, the doFilter method is called before the verify method. I suppose that my custom verifier is initialized and called from AuthVerifierFilter.
Brad Worsfold, modified 6 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE

New Member Posts: 4 Join Date: 17-8-14 Recent Posts
So, is this truly the only way to authenticate a JAX-RS service? No other options or built-in AuthVerifier classes? There doesn't seem to be much documentation on this.
Christoph Rabel, modified 6 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE

Liferay Legend Posts: 1554 Join Date: 09-9-24 Recent Posts
You can add a CustomContext Provider.
https://github.com/liferay/com-liferay-portal-workflow/tree/master/portal-workflow-rest

David Nebinger covered it in his blog:
https://web.liferay.com/web/user.26526/blog/-/blogs/rest-custom-context-providers

Basically you create a Custom Context Provider and return it in the getSingletons method of your Application. You can then use @Context User user to get the user. Works pretty well.
bernd kopinits, modified 5 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE

Junior Member Posts: 28 Join Date: 14-12-8 Recent Posts

Hello,

So quite some time has passed. Does Liferay provide out-of-the-box implementations for authentication for Custom Rest in the meantime? Maybe in the Enterprise version?

Ideally something like Service Guard for DXP would be great. Just writing an annotation like @RegularRole("RegRole1") on top of an endpoint seems pretty handy.

Thanks, Bernd

moritz löser, modified 5 years ago.

RE: How to add Authentication to Custom Rest on Liferay 7 CE

Junior Member Posts: 25 Join Date: 17-8-17 Recent Posts

The only thing I do every time is to set

"authVerifierProperties=auth.verifier.PortalSessionAuthVerifier.urls.includes=*"

Now I can just inject "@Context HttpServletRequest" in my REST methods, and with "PortalUtil.getUser(request)" I can get the user. And "user.isDefaultUser()" tells if the user is logged in.

You could also have an additional auth.verifier. In some cases I additionally set the BasicAuthVerifier. Then your service can be used from within the portal but also from everywhere (as a microservice). You only have to authenticate via AuthHeader.
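
The per-method check described in the last reply (PortalUtil.getUser(request) plus user.isDefaultUser()), moved into one JAX-RS request filter so that every endpoint of the application answers guests with 401. This is an added example, not code from any poster or from Liferay; the class name RequireLoggedInUserFilter and the package are hypothetical, and it assumes the PortalSessionAuthVerifier setting quoted above is configured and JAX-RS 2.0 is available.

```java
package com.test.app.application; // assumed: package of RestApplication on this page

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.util.PortalUtil;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical class: rejects any request that has no logged-in portal user.
@Provider
public class RequireLoggedInUserFilter implements ContainerRequestFilter {

    // Injected by the JAX-RS runtime; resolves to the current request.
    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext requestContext)
        throws IOException {

        if (!isLoggedIn(request)) {
            // Stop processing here; the resource method is never invoked.
            requestContext.abortWith(
                Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    // True only for a resolved, non-guest user.
    static boolean isLoggedIn(HttpServletRequest request) {
        try {
            User user = PortalUtil.getUser(request);

            return (user != null) && !user.isDefaultUser();
        }
        catch (PortalException pe) {
            // Fail closed: a lookup error is treated as "not authenticated".
            return false;
        }
    }
}
```

To activate it, return an instance from getSingletons() of RestApplication, alongside the resource objects.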