Project: PUBLIC - Liferay Portal Community Edition
Parent issue: LPS-26803 Introduce a layer for web service access security
Issue: LPS-27888

Split web service authentication into verification process and authentication process

Description

The original two-phase authentication concept cannot work, because a single URL cannot serve both guest and authenticated access: if an HTTP request carries a message body (e.g. a POST), the request's input stream cannot be read twice, once in the first phase and again in the second.

We must introduce a new concept (please see the diagram) where:
1, 2: Authentication is no longer part of this process; the HTTP request has to be authenticated elsewhere.
3: Using the AuthVerification servlet filter we intercept all web service calls and
3.1.x: try to fetch the authenticated user from the request using one of the AuthVerifiers (or fall back to the guest account if there is no authentication-related token in the request) and initialize the authorization context (PermissionThreadLocal, ...);
3.2: if the authentication is not valid (an authentication-related token is present in the request but is not valid), we abort the call;
3.3: otherwise we delegate the call to the web service provider (Atom / SOAP / JSONWS / Spring Remoting / ...) with a correctly initialized authorization context.

By an authentication-related token we mean a session cookie, an OAuth access token, HTTP Basic Authentication headers, or anything else that identifies authenticated communication.
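The filter flow described in steps 3 through 3.3, written out as an added example; this is illustrative code and not Liferay's own AuthVerification implementation. The names AuthVerifier, VerifyResult, PermissionContext, AuthVerificationFilter, BasicAuthVerifier and lookupUser are assumptions chosen for the illustration (PermissionContext stands in for PermissionThreadLocal), and the only real API used is javax.servlet. The security-relevant constraint the example enforces is the one the ticket motivates: verifiers inspect headers and cookies only and never touch the request body, so the provider behind the filter can still read the input stream once.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Outcome of one verifier (hypothetical type): no token of its kind, a verified user, or an explicit failure. */
final class VerifyResult {
    enum State { NOT_APPLICABLE, SUCCESS, FAILURE }
    final State state;
    final long userId;
    private VerifyResult(State state, long userId) { this.state = state; this.userId = userId; }
    static VerifyResult notApplicable() { return new VerifyResult(State.NOT_APPLICABLE, 0L); }
    static VerifyResult success(long userId) { return new VerifyResult(State.SUCCESS, userId); }
    static VerifyResult failure() { return new VerifyResult(State.FAILURE, 0L); }
}

/** Hypothetical verifier contract: reads headers/cookies only; must never call request.getInputStream(). */
interface AuthVerifier {
    VerifyResult verify(HttpServletRequest request);
}

/** Hypothetical thread-local authorization context, standing in for PermissionThreadLocal. */
final class PermissionContext {
    private static final ThreadLocal<Long> USER_ID = new ThreadLocal<>();
    static void set(long userId) { USER_ID.set(userId); }
    static void clear() { USER_ID.remove(); }
    static long get() { Long id = USER_ID.get(); return id == null ? 0L : id; }
}

/** Step 3: intercept every web service call before the provider sees it. */
public final class AuthVerificationFilter implements Filter {
    private static final long GUEST_USER_ID = 0L; // constructed value for the guest account
    private final List<AuthVerifier> verifiers;

    public AuthVerificationFilter(List<AuthVerifier> verifiers) { this.verifiers = verifiers; }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        long userId = GUEST_USER_ID;                       // 3.1.x: no token at all means guest
        for (AuthVerifier verifier : verifiers) {
            VerifyResult r = verifier.verify(request);
            if (r.state == VerifyResult.State.FAILURE) {   // 3.2: a token was present but invalid: abort
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (r.state == VerifyResult.State.SUCCESS) {   // first verifier that recognises a valid token wins
                userId = r.userId;
                break;
            }
            // NOT_APPLICABLE: this verifier saw no token of its kind, try the next one
        }

        PermissionContext.set(userId);                     // initialize the authorization context
        try {
            chain.doFilter(request, response);             // 3.3: delegate to the provider, body still unread
        } finally {
            PermissionContext.clear();                     // never leak identity to the next request on this thread
        }
    }
}

/** One concrete verifier for HTTP Basic Authentication headers; the credential lookup is a stand-in. */
final class BasicAuthVerifier implements AuthVerifier {
    @Override
    public VerifyResult verify(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            return VerifyResult.notApplicable();           // no Basic token: leave the decision to other verifiers
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return VerifyResult.failure();                 // malformed token counts as invalid, not as absent
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return VerifyResult.failure();
        Long userId = lookupUser(decoded.substring(0, colon), decoded.substring(colon + 1));
        return userId == null ? VerifyResult.failure() : VerifyResult.success(userId);
    }

    /** Hypothetical credential check; a real one would consult the user store. */
    private Long lookupUser(String login, String password) { return null; }
}
```

The three-state result is what makes the fallback-to-guest rule safe: "no token" and "bad token" are deliberately distinct outcomes, so a request carrying a broken or forged token is rejected rather than silently downgraded to guest, while a request with no token at all proceeds as guest exactly as step 3.1.x describes.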


Packages

Version Package: 6.2.0 CE M2