2
votes

I am new to Liferay Portal. I am afraid the questions being raised might be simple, but I am not aware of the answers. Please clarify.

We are trying to build a portal using Liferay on Tomcat. This portal should be authenticated by Netegrity SiteMinder, and we have our internal authorization mechanism which is built on Tomcat security. I have questions on two areas, which I have listed below.

  1. Question on enabling SiteMinder in Liferay - When SiteMinder is enabled within Liferay, is it necessary for us to still configure the user in Liferay Portal to have the SiteMinder-authenticated user get into the portal page?

  2. Authorizations - My objective is to avoid configuring users and roles and their associations in Liferay. This is because the portal which we want to build should rely on the customized Tomcat security framework which is already in place.

I deployed a portlet which has a set of links available, and these links should be available based on the user permissions. So I configured the users and a set of roles in tomcat-users.xml, defined the role-mapping in liferay-portlet.xml, portlet.xml and web.xml, deployed the portlet, and also changed the Realm configuration in liferay.xml as below:

    appName="PortalRealm"
    userClassNames="com.liferay.portal.security.jaas.PortalPrincipal"
    roleClassNames="com.liferay.portal.security.jaas.PortalRole"
    debug="99" useContextClassLoader="false"/>

I logged in to Liferay Portal with a user (configured both in Liferay and tomcat-users.xml), added the portlet on the page, and saw that the links are not displayed, as request.isUserInRole("Role x") returned false. When I tried configuring the same role and associated it to the user, I saw the link working. But the expected behaviour is not seen.

Please help me on this. Appreciate a quick response.

Thanks, Kalaiarasan

1
"Authorizations - My objective is to avoid configuring User and Roles and their associations in Liferay. This is because the portal which we want to build should rely on the tomcat security customized framework which is already in place." - you may have an issue with this because Liferay has the notion of 'communities' which have 'scoped' roles for users. I don't know how well you have this mapped to your 'tomcat based security framework'. - Trever Shick

We ended up having to pull in roles, etc. into Liferay from our SSO system, BTW. Sync is terrible but it does work. - Trever Shick

What we did in a similar scenario, with JCAS as SSO server and Liferay 6, was to map the SSO system repository to Liferay's database. In this way we don't need to sync and can use Liferay to manage users. - Tony Rad

1 Answer

0
votes

1) Usually users are imported from an external auth. tool to Liferay. My experience is based on LDAP (OpenDJ) auth. integration with Liferay. If the users are organized in groups, it's also possible to import those groups and associate imported users with those groups. The last step is to give the required permissions to those groups. So you end up with usual Liferay users with appropriate roles, optionally belonging to appropriate groups -- all this coming from your external Tomcat configuration.

2) I'd recommend importing the users and roles you already have in Tomcat to Liferay (and yes, it can be done automatically during authorization by writing some code which imports the currently authorized user and his roles). This will give you the flexibility to fine-tune the permissions using the Liferay built-in mechanisms and interfere less with their override. You also have the AdvancedSecurityChecker class that you can override to do any custom permissions handling, but it's less recommended.

Finally, keep in mind upgrades to future Liferay versions. The more of the Liferay functionality you override and customize, the harder the upgrade will be.
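
Importing a user's roles at login, as the answer suggests, needs a step that decides which Liferay roles to grant and which to revoke from what the external system reports. The reconciliation below is an added example in plain Java, not code from the posts above or from Liferay; the role names and the mapping are hypothetical, and it assumes the resulting plan is then applied through Liferay's own user and role services.

```java
import java.util.*;

/** Added example: reconcile externally supplied roles with a user's Liferay roles at login. */
public class RoleSyncPlan {
    // Hypothetical mapping: external (Tomcat/SSO) role name -> Liferay role name.
    // Only roles listed here are ever granted or revoked by the sync.
    static final Map<String, String> ROLE_MAP = Map.of(
        "reports-viewer", "Report Viewer",
        "reports-admin", "Report Admin");

    final Set<String> toAdd = new TreeSet<>();
    final Set<String> toRemove = new TreeSet<>();
    final Set<String> ignored = new TreeSet<>();

    static RoleSyncPlan plan(Set<String> externalRoles, Set<String> liferayRoles) {
        RoleSyncPlan p = new RoleSyncPlan();
        Set<String> wanted = new HashSet<>();
        for (String ext : externalRoles) {
            String mapped = ROLE_MAP.get(ext);
            if (mapped == null) {
                p.ignored.add(ext);   // unmapped external role: never auto-granted
            } else {
                wanted.add(mapped);
            }
        }
        for (String r : wanted) {
            if (!liferayRoles.contains(r)) p.toAdd.add(r);
        }
        // Revoke only sync-managed roles; roles assigned by hand in Liferay are left alone.
        for (String r : liferayRoles) {
            if (ROLE_MAP.containsValue(r) && !wanted.contains(r)) p.toRemove.add(r);
        }
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample data: what the external system reports vs. what Liferay holds.
        Set<String> external = Set.of("reports-viewer", "manager-gui");
        Set<String> current = Set.of("Report Admin", "Power User");
        RoleSyncPlan p = plan(external, current);
        System.out.println("add=" + p.toAdd + " remove=" + p.toRemove + " ignored=" + p.ignored);
    }
}
```

Keeping the mapping as an explicit allowlist means a role that exists only in the external store cannot silently turn into a privileged Liferay role, and a role revoked externally is dropped at the next login.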