Liferay api to find out if system configured to ldap or to liferay database - ldap

I would like to know if there is an API to find out whether the Liferay system is configured for LDAP or not. Is there any API exposed by Liferay which can give me this information?
Any help is appreciated
thanks
Lokesh

This is a double ended blade.
1. If the portal is set up with LDAP via configurations in portal-ext.properties then use
Boolean ldapAuthEnabled = Boolean.valueOf(PropsUtil.get("ldap.auth.enabled"));
The above line returns true if ldap auth property is set to true in the ext props file.
2. If the portal LDAP properties are set in the GUI (Control Panel) then you have to retrieve it via Portal/Portlet Props. This can be done via any of the following:
com.liferay.portal.model.PortalPreferences portalPrefs = com.liferay.portal.service.persistence.PortalPreferencesUtil.fetchByO_O(ownerId, ownerType);
com.liferay.portal.model.PortalPreferences portalPrefs = com.liferay.portal.service.persistence.PortalPreferencesUtil.fetchByO_O(ownerId, ownerType, retrieveFromCache);
com.liferay.portal.model.PortalPreferences portalPrefs = com.liferay.portal.service.persistence.PortalPreferencesUtil.fetchByPrimaryKey(portalPreferencesId);
But Liferay advises against using the PortalPreferencesUtil:
The persistence utility for the portal preferences service. This
utility wraps PortalPreferencesPersistenceImpl and provides direct
access to the database for CRUD operations. This utility should only
be used by the service layer, as it must operate within a transaction.
Never access this utility in a JSP, controller, model, or other
front-end class.
For a clearer idea, try running this query and inspecting the XML result in the PREFERENCES column:
select * from PORTALPREFERENCES where lower(preferences) like '%ldap%';
You will have to use both of these solutions with an OR condition to get a definite solution.

Related

How to limit a user's access to a certain resource?

Suppose that I have a web application. Consider it like a Black-Box for now. I want to use a backend system to limit what a user can view/do on the app.
i.e. Sample users can only do three functions, Premium users can do 10 functions and see more pictures.
What is the best way to do it?
I'm trying to use WSO2 Identity Server, but it doesn't offer this functionality. So I've thought that maybe I can integrate it with the WSO2 API Manager and make an API that limits users' access to a certain resource. But I really cannot find out if it's possible to do it. Does anyone know?
Please refer to: https://docs.wso2.com/display/IS530/Access+Control+Concepts
1) WSO2IS can act as a coarse grained access manager. Your application will act as a fine grained access manager.
It means that roles can be defined in WSO2IS, managed and assigned to users. From there, roles assigned to one user can be provided as claims with the identity token generated by WSO2IS and sent to the application.
The application, on the other side, will manage roles to permissions links.
Access control is then done at each request by the application, based on the roles presented in the Identity Token by the user and the Permissions grid based on roles in the application.
2) The access control at the application is a business logic you must implement (or at least configure if it is a COTS). It is possible to outsource this logic to WSO2IS as policies on attributes (with Workflows).
Please look at: https://docs.wso2.com/display/IS530/XACML+Architecture
Jeff
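The split Jeff describes (roles assigned in WSO2 IS and delivered as claims in the identity token, a role-to-permission grid kept inside the application, and a check on every request), as an added Python example that is not from the thread or the WSO2 documentation. The claim name `roles`, the grid contents and the token payloads are constructed for illustration; the grid uses the question's 3-function and 10-function tiers.

```python
"""Coarse-grained roles from the IdP, fine-grained permissions in the app.

Added example, not from the thread or WSO2: the claim name, the grid
and the token payloads below are constructed for illustration.
"""
from typing import Mapping, Set

# Fine-grained side (the application): which role unlocks which functions.
# The IdP only knows roles; the role -> permission mapping stays here.
PERMISSION_GRID: Mapping[str, Set[str]] = {
    "sample":  {"view_gallery", "view_profile", "edit_profile"},
    "premium": {"view_gallery", "view_profile", "edit_profile",
                "view_hd_pictures", "download", "comment", "share",
                "export", "api_access", "priority_support"},
}

# Name of the claim carrying the roles. WSO2 IS lets you pick the claim
# when configuring the service provider; "roles" is an assumption here.
ROLE_CLAIM = "roles"

def permissions_for(claims: Mapping[str, object]) -> Set[str]:
    """Union of permissions for every role the token asserts.

    A role the app never mapped contributes nothing, so an unexpected
    role value cannot unlock anything (deny by default). Assumes the
    token signature and expiry were already verified by the OIDC client.
    """
    roles = claims.get(ROLE_CLAIM, [])
    if isinstance(roles, str):  # some IdPs emit a comma-separated string
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    allowed: Set[str] = set()
    for role in roles:
        allowed |= PERMISSION_GRID.get(role, set())
    return allowed

def authorize(claims: Mapping[str, object], function: str) -> bool:
    """Per-request check: is this function allowed for the token's roles?"""
    return function in permissions_for(claims)

# Constructed token payloads, as the app sees them after validating the
# ID token issued by WSO2 IS.
SAMPLE_USER = {"sub": "alice", "roles": ["sample"]}
PREMIUM_USER = {"sub": "bob", "roles": "premium,sample"}
NO_ROLE_USER = {"sub": "eve"}

if __name__ == "__main__":
    for user in (SAMPLE_USER, PREMIUM_USER, NO_ROLE_USER):
        print(user["sub"], sorted(permissions_for(user)))
```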

Moqui: how to access REST without signing in as any user

I've implemented an application using Moqui Framework. I provided the URL: http://localhost:8080/fvl-plus-runtime/rest/s1/example/examples
It is getting an error like:
User [null] is not authorized for View on AT_REST_PATH [/example/loginexamples/{username}]
You can add ArtifactAuthz records for all users, like the ones already in place for admin users for the REST APIs. In general it is best to secure all API access, and that is how things are setup by default. There are various examples you can follow to see them in action, see the extensive comments in the rest.xml file (the XML Screen for the /rest path).
This feature has been added in commit #44272ba. You are now able to create a new REST service and set require-authentication=anonymous-view or anonymous-all.
See How to create a publicly accessible REST API in Moqui for more details.

How to get username from openSSO/openAM system?

I'm currently using openAM to protect a small webapp of mine using a Java EE web agent. Someone tries to access the app, they get redirected to the openAM instance, they login, they go to the app. Simple stuff.
What I'd like is for openAM to pass the username that was successfully used to the web app. It's my understanding that "session attributes" should be used for this. When in the admin, I go to my Java EE webagent and open up the "Application" tab to see the "Session Attributes Processing". I see that HTTP_COOKIE is a choice for fetching.
1) is it the case that I should expect to see the username, if properly set up, as plaintext in the cookie?
2) what value do I enter in the session mapping to get the username? How do I find what value in the data store corresponds to this?
Thanks
We are using HTTP_HEADER with our agents. So if you are already using agents (which sounds like you are), then the following should work for you. In OpenAM web console:
Access Control > Top Level Realm > Agents > Web / J2EE / etc. > click on an agent
Application tab > Profile Attributes Processing section > Profile Attribute Fetch Mode:
Click on the "HTTP_HEADER" choice
Profile Attribute Mapping:
Map Key: [uid] ... Corresponding Map Value: uid
Click Add. It should look like [uid]=uid once you've added it. Add any other mapping you need that matches attributes to your backend authentication system. Ours is ldap.
In your web application, retrieve the HTTP Header elements and look for the token. It should look something like this: AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.AAJTSQABMDE.
You can then use the OpenAM REST interface to validate and retrieve attributes associated with the token such as user name, password, cn, etc. To retrieve all attributes, the URL would be like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*
You can also specify attributes you want like this:
http://<OpenAM_Host>:<Port>/<deploy_uri>/identity/attributes?subjectid=AQIC5wM2LY4RfckcedfzxGrgVYevbKR-SgBkuemF4Cmm5Qg.*AAJTSQABMDE.*&attributenames=uid&attributenames=userpassword
References:
https://wikis.forgerock.org/confluence/display/openam/Use+OpenAM+RESTful+Services
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index/chap-rest.html
1) yes, the agent will create plaintext cookies (and if the user sends malicious ones it will recreate them just fine), however using HTTP_HEADER method to pass on attributes is considered as a better solution (since it's not stored on the client side).
2) Session Attributes Processing only works if you actually stored something in the session. For that you can either use the "User Attribute Mapping to Session Attribute" feature in Authentication All Core Settings or write some custom module to save derivative values. Otherwise if you just want to get the uid of the user, then use Profile Attributes Processing (uid key HTTP_UID value and your app will see a HTTP_UID cookie/header).

Play Framework User Authentication/Membership

I want to support user authentication in a Play application. It is a web app and I think that the built-in "Secure" module is too simple for my needs. In fact, the user group discusses how the Secure module is really for demonstration purposes. However, how can I develop such a system?
Essentially, the application will allow the user to login and then they will have their own settings and so forth applied throughout the application. There are some pages for which unauthenticated users can view but if the client is authenticated, then the view of those pages will be different. Pretty simple setup but most documentation just refers to the simple Secure module.
If your only special requirement is that some pages be publicly visible, I've got your answer: Play framework: How to require login for some actions, but not all . I just copied the Secure module and made a few small additions.
You can use the PlayPlugins for this. I started to write a plugin which enables security in a powerful way. It's a migration from BasisSecurity for Grails. At the moment I don't find the time for further development. You can see the current state here https://code.launchpad.net/~opensource21/+junk/permsec.
From your requirements the current authentication module seems enough. If not, what I did for my project was:
Copy the classes from the module (Secure controller, the annotation, the tag) to your project
Extend the controller adding additional functionalities
I don't have my code handy to put samples here, but in general I:
renamed the classes (so apologies if I say one name meaning another, don't remember the original names!)
added methods in Secure Controller to handle OpenID and OAuth authentication
added support methods in my User model that, given the ID of a service (Google OpenID, Twitter ID, etc.), return an existing user from the DB with that ID, or if it doesn't exist create and return a new user linked to that ID.
added some flags (like admin, supervisor, etc) to User class
modified the check method in security controller so it checks the values of the annotation with the flags of the user. Something like (pseudocode)
var ok : Boolean = false
ok = ok || (annotation.value == "admin" && currentUser.isadmin)
ok = ok || (annotation.value == "supervisor" && currentUser.issupervisor)
...
added the annotation to the corresponding methods, and added the Secure controller (via #With) to the classes that require access check
With this I have a secured system, and it seems to work quite well (fingers crossed :P)
Don't know if it could help you but look at the deadbolt module to manage access rights to views/controllers...
http://www.playframework.org/modules/deadbolt-1.0/home

Setting access control for different contexts in LDAP through JNDI

I am creating separate contexts (eg: ou=marketing, ou=finance) in LDAP to store user entries of different departments under different contexts.
I need to set the access control at the creation of each context, such that I can give out the URL for each context to an admin user of a particular department and he is capable of connecting to the relevant context using any other application or an LDAP browser and viewing only the user entries under that particular context, but not the other contexts.
Is the above possible to do? After searching on this, I found that in ApacheDS, it is possible to set access control at partition level, but did not find how to set it in context level.
Further, I have the requirement that my application should be able to connect to any LDAP server (like openLDAP, ApacheDS etc.) that the user specifies and perform the above operations. So I thought of using JNDI for that. Is it possible to achieve what I have mentioned above using JNDI programmatically?
I would highly appreciate any help on this. Even a reference would be sufficient.
Thanks in advance.
Hasini.