Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-26803

Introduce a layer for web service access security

    Details

      Description

      Currently, we have different logic protecting different web services (e.g. we have hosts.allowed for certain WS end points, but not others, etc.). Therefore, the goal is to add a new security layer that sits between our remote service layer, which performs ACL permission checking, and the web service end points (e.g. JSON WS, old JSON, Axis, REST, etc.). This layer will centralize all our protections so that we don't accidentally introduce holes as we add other WS end points.

      This layer will by default force those who wish to use any WS to authenticate. Only methods that have been explicitly annotated to allow anonymous access will provide anonymous access. Again, as a framework, we cannot assume developers will think about security. Thus, we will secure all first and allow them to open things up.

      This access security layer might also be where we integrate the authentication components (e.g. OAuth server, etc.).
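The default-deny rule the description asks for (every WS call must be authenticated unless the target method is explicitly opened to anonymous callers) can be modelled as a single choke point that every endpoint servlet consults before delegating to the remote service layer. The Java below is an added illustration written for this page, not Liferay's own code: the `WebServiceAccessGate`, `@AllowAnonymous`, `Caller` and `BlogsEntryService` names are hypothetical, and the example deliberately stops at "is this caller allowed to reach this method at all"; the ACL permission check the description places in the remote service layer still runs afterwards.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

/**
 * Minimal model of a default-deny verification layer in front of web service
 * end points (hypothetical names; not Liferay code). Every endpoint (JSON WS,
 * Axis, REST, ...) calls check() before invoking the remote service, so the
 * "secure everything first" policy lives in one place.
 */
public class WebServiceAccessGate {

    /** Marks a service method that has been explicitly opened to anonymous access. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AllowAnonymous {
    }

    /** Identity established by the verification pipeline; callers pass null when unauthenticated. */
    public static final class Caller {
        public final String userId;

        public Caller(String userId) {
            this.userId = userId;
        }
    }

    /** Thrown to the endpoint so it can answer 401/403 before any service code runs. */
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String message) {
            super(message);
        }
    }

    /**
     * Default deny: an unauthenticated caller may reach a method only if that
     * method carries @AllowAnonymous. Authenticated callers pass this gate and
     * are then subject to the usual ACL permission checks in the service layer.
     */
    public static boolean isAllowed(Method target, Caller caller) {
        if (caller != null) {
            return true;
        }
        return target.isAnnotationPresent(AllowAnonymous.class);
    }

    /** Convenience wrapper used by endpoints: throw instead of returning false. */
    public static void check(Method target, Caller caller) {
        if (!isAllowed(target, caller)) {
            throw new AccessDeniedException(
                "Authentication required for " + target.getDeclaringClass().getSimpleName()
                    + "." + target.getName());
        }
    }

    /** Sample service (constructed): one method opened up, one left at the secure default. */
    public static class BlogsEntryService {
        @AllowAnonymous
        public String getEntries() {
            return "public entries";
        }

        public String addEntry(String title) {
            return "added " + title;
        }
    }

    public static void main(String[] args) throws Exception {
        Method getEntries = BlogsEntryService.class.getMethod("getEntries");
        Method addEntry = BlogsEntryService.class.getMethod("addEntry", String.class);

        Caller anonymous = null;
        Caller alice = new Caller("alice");

        // Anonymous caller: only the annotated method is reachable.
        System.out.println("anonymous getEntries allowed: " + isAllowed(getEntries, anonymous));
        System.out.println("anonymous addEntry allowed:   " + isAllowed(addEntry, anonymous));

        // Authenticated caller: passes the gate for both (ACL checks still follow).
        System.out.println("alice addEntry allowed:       " + isAllowed(addEntry, alice));

        try {
            check(addEntry, anonymous);
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point of the design is that a developer who adds a new endpoint or a new service method gets the protected behaviour without doing anything; opening a method to anonymous callers is the deliberate, reviewable act (the annotation), which is what makes accidental holes unlikely as more WS end points are added.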

        Attachments

        1. Implement Digest Verification (LPS-27633) - Technical Task, Closed, Tomáš Polešovský
        2. Split web service authentication into verification process and authentication process (LPS-27888) - Technical Task, Closed, Michael Saechang
        3. Secure Servlets (LPS-27634) - Technical Task, Closed, Tomáš Polešovský
        4. Secure AxisServlet (LPS-27635) - Technical Task, Closed, Tomáš Polešovský
        5. Secure old JSON interface (JSONServlet and struts actions extending JSONAction) (LPS-27636) - Technical Task, Closed, Tomáš Polešovský
        6. Secure new JSON API - JSONWebServiceServlet (LPS-27637) - Technical Task, Closed, Tomáš Polešovský
        7. Secure RemotingServlet (LPS-27638) - Technical Task, Closed, Tomáš Polešovský
        8. Secure TunnelServlet (LPS-27639) - Technical Task, Closed, Tomáš Polešovský
        9. Secure XMLRPCServlet (LPS-27640) - Technical Task, Closed, Tomáš Polešovský
        10. Secure WebDAVServlet (LPS-27641) - Technical Task, Closed, Tomáš Polešovský
        11. Abdera for Atom Services doesn't propagate exceptions (LPS-27757) - Technical Task, Closed, Igor Spasic (Inactive)
        12. Hook Plugin support for API services verification pipeline (LPS-27949) - Technical Task, Closed, Michael Saechang
        13. Include findings from JSONP integration problems (LPS-27249) - Technical Task, Closed, Tomáš Polešovský
        14. Service verification layer: support for plugins - remoting-web.xml (LPS-27967) - Technical Task, Closed, Raymond Auge
        15. Remove /secure/ contexts from portal and plugins for web service API calls (LPS-28052) - Technical Task, Closed, Michael Saechang
        16. Check API verification layer implementation performance (LPS-28056) - Technical Task, Closed, Michael Saechang
        17. Method to JSON serialize Throwable (LPS-28687) - Technical Task, Closed, SE Support
        18. Remove the old mechanisms for authorizing from WS servlets (LPS-28844) - Technical Task, Closed, SE Support
        19. Move WebDAV from /api/webdav context (LPS-29108) - Technical Task, Closed, Michael Saechang
        20. Remove RemoteAccess check from SecureFilter (LPS-29272) - Technical Task, Closed, Michael Saechang
        21. Deprecate /api/webdav in favor of /webdav using UrlRewrite filter (LPS-29295) - Technical Task, Closed, Michael Saechang
        22. Adjust the hosts allowed so that default verification types can happen from any host (LPS-29355) - Technical Task, Closed, Michael Saechang
        23. AuthType regression bug after web service verification layer review (LPS-29726) - Technical Task, Closed, Michael Saechang
        24. Create authentication endpoints for web services authentication process (LPS-29930) - Technical Task, Closed, Tomáš Polešovský
        25. Support custom JSONWS services from plugins (LPS-30170) - Technical Task, Closed, Brian Chan
        26. Fix HookHotDeployListener.SUPPORTED_PROPERTIES to contain auth.verifier.pipeline (LPS-30283) - Technical Task, Closed, Michael Saechang


            People

            Assignee: Lawrence Lee (lawrence.lee)
            Reporter: Igor Spasic (igor.spasic, Inactive)
            Votes: 3
            Watchers: 6


                Packages

                Version Package: 6.2.0 CE M3