Project: PUBLIC - Liferay Portal Community Edition
Parent: LPS-26803 Introduce a layer for web service access security
Issue: LPS-27888

Split web service authentication into verification process and authentication process



      The original two-phase authentication concept cannot work, because one URL cannot serve both guest and authenticated access. If the HTTP request carries a message body (e.g. a POST), the request's input stream cannot be read twice, once in the first phase and again in the second.

      We must introduce a new concept (please see the diagram) where:
      1, 2: Authentication is no longer part of this process; the HTTP request must be authenticated elsewhere.
      3: The AuthVerification servlet filter intercepts all web service calls and
      3.1.x: tries to fetch the authenticated user from the request using one of the AuthVerifiers (or falls back to the guest account if the request carries no authentication-related token) and initializes the authorization context (PermissionThreadLocal, ...);
      3.2: if the authentication is not valid (an authentication-related token is present in the request but is not valid), aborts the call;
      3.3: otherwise delegates the call to the web service provider (Atom / SOAP / JSONWS / Spring Remoting / ...) with a correctly initialized authorization context.

      By an authentication-related token we mean a session cookie, an OAuth access token, HTTP Basic Authentication headers, or anything else that identifies an authenticated communication.
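The following is an added illustration of step 3 of the concept above, written for this page; it is not Liferay's code. It assumes a plain javax.servlet Filter, hypothetical types named AuthVerifier, VerifyResult, BasicAuthVerifier and AuthContext (a stand-in for Liferay's PermissionThreadLocal), an assumed guest user id of 0, and a constructed in-memory user table in place of a real credential store. The point it makes is the three outcomes of 3.1.x to 3.3: no token falls back to guest, an invalid token aborts the call with 401 rather than degrading to guest, and a valid token sets the authorization context for the provider. Verifiers only read headers, so the request body stays unread for the provider, which is the constraint that killed the two-phase design.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Outcome of one verifier looking at a request (hypothetical type, not Liferay's). */
enum VerifyState { NOT_APPLICABLE, SUCCESS, FAILURE }

final class VerifyResult {
    final VerifyState state;
    final long userId;
    private VerifyResult(VerifyState state, long userId) { this.state = state; this.userId = userId; }
    static VerifyResult notApplicable() { return new VerifyResult(VerifyState.NOT_APPLICABLE, 0L); }
    static VerifyResult success(long userId) { return new VerifyResult(VerifyState.SUCCESS, userId); }
    static VerifyResult failure() { return new VerifyResult(VerifyState.FAILURE, 0L); }
}

/** One way of recognising an authentication-related token (hypothetical interface). */
interface AuthVerifier {
    /** Must inspect only headers, cookies and query parameters, never the request body. */
    VerifyResult verify(HttpServletRequest request);
}

/** HTTP Basic verifier backed by a constructed in-memory user table (illustration only). */
final class BasicAuthVerifier implements AuthVerifier {
    private final Map<String, String> passwords; // login -> password, constructed sample data
    private final Map<String, Long> userIds;     // login -> user id, constructed sample data

    BasicAuthVerifier(Map<String, String> passwords, Map<String, Long> userIds) {
        this.passwords = passwords;
        this.userIds = userIds;
    }

    public VerifyResult verify(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            return VerifyResult.notApplicable(); // no Basic token: other verifiers or guest
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return VerifyResult.failure(); // malformed token is an invalid token, not "no token"
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return VerifyResult.failure();
        }
        String login = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = passwords.get(login);
        Long userId = userIds.get(login);
        // constant-time comparison; a real verifier would check a password hash here
        if (expected == null || userId == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            return VerifyResult.failure();
        }
        return VerifyResult.success(userId);
    }
}

/** Stand-in for Liferay's PermissionThreadLocal: the per-call authorization context. */
final class AuthContext {
    private static final ThreadLocal<Long> USER_ID = new ThreadLocal<>();
    static void setUserId(long userId) { USER_ID.set(userId); }
    static Long getUserId() { return USER_ID.get(); }
    static void clear() { USER_ID.remove(); }
}

/** Step 3 of the diagram: one filter in front of every web service provider. */
public final class AuthVerifierFilter implements Filter {
    static final long GUEST_USER_ID = 0L; // assumed id of the guest account
    private final List<AuthVerifier> verifiers;

    public AuthVerifierFilter(List<AuthVerifier> verifiers) { this.verifiers = verifiers; }
    public void init(FilterConfig filterConfig) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        long userId = GUEST_USER_ID; // 3.1.x: guest unless a verifier recognises a valid token
        for (AuthVerifier verifier : verifiers) {
            VerifyResult result = verifier.verify(request);
            if (result.state == VerifyState.NOT_APPLICABLE) {
                continue;
            }
            if (result.state == VerifyState.FAILURE) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // 3.2: abort, never fall back to guest
                return;
            }
            userId = result.userId;
            break;
        }
        AuthContext.setUserId(userId);
        try {
            chain.doFilter(request, response); // 3.3: the provider reads the still-unread body itself
        } finally {
            AuthContext.clear(); // do not leak this call's identity into the next request on this thread
        }
    }
}
```

To wire it up, register `new AuthVerifierFilter(List.of(new BasicAuthVerifier(...)))` in front of the JSONWS, SOAP and Atom servlets; a session-cookie or OAuth verifier follows the same interface and returns NOT_APPLICABLE when its token type is absent. The `finally` block matters in practice: servlet containers reuse threads, so an authorization context that is not cleared would be inherited by an unrelated later request.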



Version Package: 6.2.0 CE M2