Hi Ying,
There is certainly no need to apologize for your English. I have a son who is now 7 and is in the process of learning how to read and write English (obviously he speaks it fluently). Helping him with his homework has made me realize just how stupid (and difficult) the English language is to learn -- especially when I compare it to other languages I speak (French and Spanish). But that's a topic for another thread
Ok. now that you have given a little more detail I think the correct answer to your question is that you are going about it wrong. Here is how I would change your solution (if possible). Liferay provides a solution for adding custom (plugins) to the Control Panel. For things that require the Administrator role, you should create these modules using this technique. In earlier versions of Liferay these were called, as I mentioned "Control Panel Portlets" -- but the new nomenclature to use in Liferay 7 is a "Panel App". There is blade template that you can use as a starter and you can learn more about how to build a panel app here: https://dev.liferay.com/develop/reference/-/knowledge_base/7-0/panel-app-template. Using this approach means that you don't have to use a private page to host your admin portlets.
Now, for the second part. Don't map /web/* to secured resources -- that is why you have the /group/* mapping. The correct implementation would be to leave your public assets on the /web/* (public pages) and then anything that requires a login to hide behind the /group/* -- this way you can use the default security pipeline in Liferay and the expected behaviour. It's important to consider not just the problem you are solving today but also what kind of pain you bring to yourself in the future when you go to upgrade -- twisting the portal like this will make a mess.
... So that is how you do it right. If you are hell bent on doing it wrong (I surely hope that you are not), then I would use a proxy to route accordingly. You could register your own struts action to do your custom authentication, and then use the proxy to handle the routing. So your admin page would continue to be protected by /c/portal/login, but then your /web/* would be routed to /c/portal/customauth (or whatever you use for your pattern). Then you would need to make sure that whatever is required to check for a valid session exists. The thing is that the /web/* mapping doesn't require the auth pipeline to be executed so I imagine that you are going to have a nightmare of a time with distinct user sessions and the like. Most of the time custom authentication is paired with Liferay so that authentication may be handled by an external tool (let's say an OAuth service for example) but then once successful, an auto login occurs at Liferay. I'm not sure you can trigger and auto-login for the /web/* url pattern. I suppose you could change the servlet filters so that /public/* was used for public pages and /web/* was using in place of /group/* but honestly that is just more mess to contend with later.
I would strongly advise that you do it the right way.
There is certainly no need to apologize for your English. I have a son who is now 7 and is in the process of learning how to read and write English (obviously he speaks it fluently). Helping him with his homework has made me realize just how stupid (and difficult) the English language is to learn -- especially when I compare it to other languages I speak (French and Spanish). But that's a topic for another thread
Ok. now that you have given a little more detail I think the correct answer to your question is that you are going about it wrong. Here is how I would change your solution (if possible). Liferay provides a solution for adding custom (plugins) to the Control Panel. For things that require the Administrator role, you should create these modules using this technique. In earlier versions of Liferay these were called, as I mentioned "Control Panel Portlets" -- but the new nomenclature to use in Liferay 7 is a "Panel App". There is blade template that you can use as a starter and you can learn more about how to build a panel app here: https://dev.liferay.com/develop/reference/-/knowledge_base/7-0/panel-app-template. Using this approach means that you don't have to use a private page to host your admin portlets.
Now, for the second part. Don't map /web/* to secured resources -- that is why you have the /group/* mapping. The correct implementation would be to leave your public assets on the /web/* (public pages) and then anything that requires a login to hide behind the /group/* -- this way you can use the default security pipeline in Liferay and the expected behaviour. It's important to consider not just the problem you are solving today but also what kind of pain you bring to yourself in the future when you go to upgrade -- twisting the portal like this will make a mess.
... So that is how you do it right. If you are hell bent on doing it wrong (I surely hope that you are not), then I would use a proxy to route accordingly. You could register your own struts action to do your custom authentication, and then use the proxy to handle the routing. So your admin page would continue to be protected by /c/portal/login, but then your /web/* would be routed to /c/portal/customauth (or whatever you use for your pattern). Then you would need to make sure that whatever is required to check for a valid session exists. The thing is that the /web/* mapping doesn't require the auth pipeline to be executed so I imagine that you are going to have a nightmare of a time with distinct user sessions and the like. Most of the time custom authentication is paired with Liferay so that authentication may be handled by an external tool (let's say an OAuth service for example) but then once successful, an auto login occurs at Liferay. I'm not sure you can trigger and auto-login for the /web/* url pattern. I suppose you could change the servlet filters so that /public/* was used for public pages and /web/* was using in place of /group/* but honestly that is just more mess to contend with later.
I would strongly advise that you do it the right way.