PUBLIC - Liferay Portal Community Edition
LPS-26803

Introduce a layer for web service access security

    Details

      Description

      Currently, different web services are protected by different logic (e.g. hosts.allowed applies to certain WS end points but not to others). The goal is therefore to add a new security layer that sits between our remote service layer, which performs the ACL permission checking, and the web service end points (JSON WS, old JSON, Axis, REST, etc.). This layer will centralize all our protections so that we don't accidentally introduce holes as we add other WS end points.

      By default this layer will force anyone who wishes to use any WS to authenticate. Only methods that have been explicitly annotated to allow anonymous access will provide anonymous access. Again, as a framework, we cannot assume developers will think about security. Thus we will secure everything first and let them open things up.

      This access security layer might also be where we integrate the authentication components (e.g. OAuth server, etc.).
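      As an added illustration of the design described above (this is not code from the Liferay project; the class and annotation names `WebServiceAccessLayer`, `AuthVerifier`, `TokenVerifier`, `BasicAuthVerifier` and `@AnonymousAccess` are hypothetical, and the user and token tables are constructed sample data), the following Java shows a single choke point through which every endpoint would dispatch service calls: a pipeline of verifiers establishes who the caller is, and a method is reachable without authentication only when it carries the marker annotation, so anything a developer forgets to annotate is denied.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class WebServiceAccessLayerDemo {

    // Hypothetical marker: only methods carrying it may be called anonymously.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AnonymousAccess {}

    // Endpoint-neutral view of a request; each endpoint (JSON WS, Axis, ...) adapts
    // its own request object into this before calling the access layer.
    public static final class Request {
        private final Map<String, String> headers;
        Request(Map<String, String> headers) { this.headers = headers; }
        String header(String name) { return headers.get(name); }
    }

    // One step of the verification pipeline: returns the authenticated user id, or
    // empty when the request carries nothing this verifier recognises. Verifiers
    // only identify callers; the allow/deny decision is made in one place below.
    public interface AuthVerifier {
        Optional<String> verify(Request request);
    }

    // Session-token verifier; the token table is constructed sample data.
    static final class TokenVerifier implements AuthVerifier {
        private final Map<String, String> sessions = Map.of("tok-123", "alice");
        public Optional<String> verify(Request request) {
            String token = request.header("X-Session-Token");
            return token == null ? Optional.empty() : Optional.ofNullable(sessions.get(token));
        }
    }

    // HTTP Basic verifier; the password table is constructed sample data.
    static final class BasicAuthVerifier implements AuthVerifier {
        private final Map<String, String> passwords = Map.of("bob", "hunter2");
        public Optional<String> verify(Request request) {
            String header = request.header("Authorization");
            if (header == null || !header.startsWith("Basic ")) return Optional.empty();
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return Optional.empty();
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) return Optional.empty();
            String user = decoded.substring(0, colon);
            String expected = passwords.get(user);
            // Constant-time comparison so the check does not leak timing information.
            if (expected != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8))) {
                return Optional.of(user);
            }
            return Optional.empty();
        }
    }

    // The single choke point: every endpoint routes service calls through invoke().
    public static final class WebServiceAccessLayer {
        private final List<AuthVerifier> pipeline;
        WebServiceAccessLayer(List<AuthVerifier> pipeline) { this.pipeline = pipeline; }

        public Object invoke(Request request, Object service, String methodName, Object... args)
                throws Exception {
            Method method = Arrays.stream(service.getClass().getMethods())
                .filter(m -> m.getName().equals(methodName) && m.getParameterCount() == args.length)
                .findFirst()
                .orElseThrow(() -> new NoSuchMethodException(methodName));
            Optional<String> user = pipeline.stream()
                .map(v -> v.verify(request))
                .filter(Optional::isPresent)
                .map(Optional::get)
                .findFirst();
            // Default deny: anonymous callers reach only explicitly annotated methods.
            if (!user.isPresent() && !method.isAnnotationPresent(AnonymousAccess.class)) {
                throw new SecurityException("authentication required for " + methodName);
            }
            return method.invoke(service, args);
        }
    }

    // Example service; the remote service layer's own ACL check would still run inside it.
    public static class UserService {
        @AnonymousAccess
        public String getPublicProfile(String name) { return "profile:" + name; }
        public String deleteUser(String name) { return "deleted:" + name; }
    }

    public static void main(String[] args) throws Exception {
        WebServiceAccessLayer layer =
            new WebServiceAccessLayer(List.of(new TokenVerifier(), new BasicAuthVerifier()));
        UserService service = new UserService();
        Request anonymous = new Request(Map.of());
        System.out.println(layer.invoke(anonymous, service, "getPublicProfile", "alice"));
        try {
            layer.invoke(anonymous, service, "deleteUser", "alice");
        } catch (SecurityException denied) {
            System.out.println("denied: " + denied.getMessage());
        }
        String creds = Base64.getEncoder().encodeToString("bob:hunter2".getBytes(StandardCharsets.UTF_8));
        Request asBob = new Request(Map.of("Authorization", "Basic " + creds));
        System.out.println(layer.invoke(asBob, service, "deleteUser", "alice"));
    }
}
```

      Two design points carry over to a real portal: verifiers never make the access decision themselves, they only say who the caller is, so adding a new authentication mechanism (digest, OAuth) means adding a verifier rather than touching each endpoint; and the anonymous-access decision is keyed on the target method's annotation rather than on which servlet received the request, which is what keeps a newly added endpoint from silently bypassing the rule.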

        Sub-tasks

        1. Implement Digest Verification - Technical Task, Closed, Tomas Polesovsky (topolik)
        2. Split web service authentication into verification process and authentication process - Technical Task, Closed, Michael Saechang
        3. Secure Servlets - Technical Task, Closed, Tomas Polesovsky (topolik)
        4. Secure AxisServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        5. Secure old JSON interface (JSONServlet and struts actions extending JSONAction) - Technical Task, Closed, Tomas Polesovsky (topolik)
        6. Secure new JSON API - JSONWebServiceServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        7. Secure RemotingServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        8. Secure TunnelServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        9. Secure XMLRPCServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        10. Secure WebDAVServlet - Technical Task, Closed, Tomas Polesovsky (topolik)
        11. Abdera for Atom Services doesn't propagate exceptions - Technical Task, Closed, Igor Spasic (Inactive)
        12. Hook Plugin support for API services verification pipeline - Technical Task, Closed, Michael Saechang
        13. Include findings from JSONP integration problems - Technical Task, Closed, Tomas Polesovsky (topolik)
        14. Service verification layer: support for plugins - remoting-web.xml - Technical Task, Closed, Raymond Auge
        15. Remove /secure/ contexts from portal and plugins for web service API calls - Technical Task, Closed, Michael Saechang
        16. Check API verification layer implementation performance - Technical Task, Closed, Michael Saechang
        17. Method to JSON serialize Throwable - Technical Task, Closed, SE Support
        18. Remove the old mechanisms for authorizing from WS servlets - Technical Task, Closed, SE Support
        19. Move WebDAV from /api/webdav context - Technical Task, Closed, Michael Saechang
        20. Remove RemoteAccess check from SecureFilter - Technical Task, Closed, Michael Saechang
        21. Deprecate /api/webdav in favor of /webdav using UrlRewrite filter - Technical Task, Closed, Michael Saechang
        22. Adjust the hosts allowed so that default verification types can happen from any host - Technical Task, Closed, Michael Saechang
        23. AuthType regression bug after web service verification layer review - Technical Task, Closed, Michael Saechang
        24. Create authentication endpoints for web services authentication process - Technical Task, Closed, Tomas Polesovsky (topolik)
        25. Support custom JSONWS services from plugins - Technical Task, Closed, Brian Chan
        26. Fix HookHotDeployListener.SUPPORTED_PROPERTIES to contain auth.verifier.pipeline - Technical Task, Closed, Michael Saechang


        Packages

        Version Package: 6.2.0 CE M3