Use Liferay Authentication to restrict directory listing on Tomcat? - authentication

Is it possible to use Liferay Authentication in order to allow or deny access on a directory listing?
In my scenario Liferay is running under Tomcat. What I want is to restrict access on a specific directory and its content (let's say localhost:8080/pdf/). Currently each user is able to access the pdf-directory, which is not my intention.
May I use the current HTTP session?
-------- EDIT ---------
I will try to go more in detail: Under liferay tomcat I defined a new context as shown below.
<Context path="/pdfs" docBase="/Users/marco/Development/liferay/resources/pdfs/"
crossContext="false" debug="0" reloadable="true">
</Context>
The advantage of this is, I can easily access the contents of "/pdfs". The disadvantage is, everybody can access "/pdfs".
The question is, how can I restrict access to "/pdfs"? My idea was to use Liferay's authentication... but how? How can I restrict access to "/pdfs" to users currently logged into the Liferay application?
Thank you.

I think that the best option is to implement the restrictions in the standard servlet filter, because this functionality is a Tomcat-standard feature.
What do you mean by using the HTTP session? I guess you want to use the Liferay permission-checker system to avoid listing directories, right?
Best regards,
Jorge

With setting the context you bypassed Liferay.
I would suggest another approach. Instead of defining docBase I would store the document in the Liferay Document Library. You have much better control over the content's permissions.
DLFileEntryServiceUtil.addFileEntry(...)

Related

How to restrict access to custom application WEBUI in QNAP?

Good morning everyone,
I am developing an app for QNAP which has also a web interface. In my qpkg.conf I set QPKG_WEBUI and QPKG_USE_PROXY and I can see correctly the Web interface inside the QNAP interface once I am logged in. It seems perfectly integrated with the QNAP interface, BUT, I can see it also writing the right url in my web browser, even if I am not logged in the QNAP and I cleared all possible cache/cookies.
I want to give access to my Web interface only to valid users. Unfortunately I do not know how to do it. I tried to write a .htaccess to deploy with my application, but without any success (obviously I can not modify the apache standard configuration, and with the standard configuration I was not able to do it).
The only thing I found, inside the Apache folder, there is a pwauth executable that lets me ask for username/password (even if I do not want to ask, I want only to see if the user is ALREADY logged in). Anyway with the standard Apache configuration, the external module is not loaded, so I can not use pwauth inside the .htaccess. Maybe I could create some custom cgi program that calls it, but I would prefer to avoid a custom solution, I really would like to follow a "standard" way to do it, it should be one.....
I would like to know if there is some QNAP variable to set in the qpkg.conf file, or some configuration to set in a .htaccess that does what I want: grant the access only if the user is ALREADY logged in.
Thanks very much to everyone, I could not find anything in google or in the official documentation.

Overriding JasperServer's ACL mechanism

I'm trying to embed JasperServer into a web application and I like the look and feel of JasperServer's interface as is. I just want to override JasperServer's ACL engine and divert it so it will use my own application's instead.
For starters, if the user is already authenticated in the host web application, JasperServer shouldn't ask for it one more time. Moreover, whenever JasperServer is trying to decide whether or not to show some part of the interface, it should be the host application's ACL data that grants or denies the permission. The same goes for the list of reports a user can use.
Can someone please guide me to the right direction if and how this is possible?

Url login on Moodle

I would like to make it possible to redirect users from a site to my Moodle installation, providing two encrypted parameters in the url. Based on these parameters, Moodle should authenticate the users and grant or refuse access.
Is anyone familiar with this, and can anyone point me in the right direction?
Should I build a new plug-in, modify index.php ? Both ?
Basically the php code to process the GET-parameters is ready, but I don't know how and where to insert it in the Moodle code.
Cheers for helping, much appreciated
Paul
This is a problem solved many times before. The best option for doing it securely is to use one of the existing auth plugins. If the sites are on the same server or you are happy to allow direct database access so that Moodle can read the password hashes from your other site's DB, then you can use db auth, which is simplest. Otherwise, you'll need some sort of cookie based one. I've used CAS authentication before, but shibboleth is also an option. This may seem like overkill, but really, it isn't. Just having auth tokens in the url leaves you open to brute force password-guessing attacks, so the challenge-response mechanism that these plugins provide is very important.

Allowing Drupal login using WHM, cPanel or WHMCS login details?

Currently, I have decided to use Drupal as the primary login area where users can do stuff. Problem is, I want to automatically allow for the logging in of users using their cpanel, whm or whmcs login details. Anyone?
I really don't suggest you do this.
You will only introduce more risks to all your systems, even if Drupal is a very secure system.
There are sometimes authentication security issues with cPanel, Drupal and WHMCS. Now, imagine those security issues + the ones of Drupal, + the ones on WHMCS...
...with all these insecurity layers combined, it's a real security bomb, and not something that will help your customers that much you are going to create. ...plus your modules for this will probably experience someday security issues also.
I suggest to take a look at other web hosts : if they don't do this, and if even whmcs do not bridge with vbulletin on their own website, there is a reason for this! ;-)
There seems to be no module for this.
Also Drupal seems not to provide a direct way to connect 3rd party login systems.
Having a look at the LDAP integration (file ldapauth.module) in the package, you can use the hook hook_form_alter. Then check whether the form is using user_login_authenticate_validate in the validate entry and replace it with their own authentication function.
Basically you can use the ldapauth.module file as a basis and start with the ldapauth_login_authenticate_validate function.
In this function you have to add code that uses $form_values['name']; and $form_values['pass'] and verify them against your cPanel database.
A completely different approach would be to write a cPanel module to create Drupal users and update the accounts. To get started you can have a look at writing cPanel modules.

In IIS7, how can I require Authentication on specific directories?

I have a website on Win 2008 and IIS7. Some directories have admin specific pages and I don't want regular site users to be able to access them.
What I would like is, if the user tries to load a page from a specific directory, for the site to pop up a Windows authentication window if the user has not already authenticated.
Can this be done? Preferably just by setting web.config keys?
Yes, use <location></location> tags to override the current IIS settings at that level and set new ones.
Reference: http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
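The <location> override described in the answer above, shown as a site-level web.config. This is an added example, not part of the original answer; the directory name "admin" and the "Administrators" group are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site-wide settings are left untouched; only requests under the
       "admin" directory (assumed name) get the stricter rules below. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authentication>
          <!-- Disable anonymous access and enable Windows authentication
               for this path, so unauthenticated requests are challenged
               with a 401 and the browser shows its credential prompt. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
        <authorization>
          <!-- IIS URL Authorization: remove the inherited allow-all rule,
               then allow only members of the assumed admin group. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

On a default IIS7 install the authentication sections are locked at server level, so they must be unlocked for the site (or the same <location> block placed in applicationHost.config) before this web.config is accepted. The Windows Authentication and URL Authorization role services also need to be installed.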