Is there any interface or class provided by the JSR286 specification to store configuration parameters for a portlet?
The PortletPreferences interface allows me to store preferences but these are user-specific as far as I know. I also read you could store things in a PortletSession, but the scope of it is also user-specific (and I don't think it's persistent).
Another thing I read is the PortletContext which is available in an application wide scope. I read there is a property called setAttribute, but I don't know if these attributes are persistent or not. If I restart the portal server, I have no clue if these settings are still there. Also, if I have multiple instances of the portlet, I would like to make these settings differently for each instance.
So my question is; Is there any interface/class in the portlet 2.0 API (JSR286) to store data at portlet instance scope persistently?
I just found the solutions to my own problem. It seems IBM doesn't completely follow the JSR286 specification (in my advantage) and determines the scope of the PortletPreferences based upon the portlet mode the user is in.
If the user is in the VIEW, EDIT or HELP mode (defaults in JSR286 specification), then the preferences are stored like defined in the JSR286 specification. They are user- and portlet instance dependant, useful for personalisation.
If the user is in the EDIT_DEFAULTS mode (custom mode), then the preferences are stored globally for ONE portlet instance. This means that if the portlet is used on multiple pages, then the configuration only applies to one of these instances.
Lastly, if the user is in the CONFIG mode (custom mode), then the preferences are stored globally for a portlet. This means that all users of all portlet instances will use the same configuration.
Related
For my JSF/TomEE application, I have a NoSQL database with users and roles that specifies how users can access resources (basically, IDs in a url parameter) either read-only or write.
I want to implement security and this post gave me some ideas but I am keen to try a 3rd party library - probably Shiro or PicketLink. The rule is that users will authenticate themselves with a client certificate, and if that is not provided, they will be authenticated as a default guest user.
Surprisingly, I am having a bit of trouble finding some information on how to do this in Shiro, it doesn't look straight forward. It is a bit of a surprise to me that there is nothing "out of the box" in Shiro to implement client certificate authentication.
So I think I have to create a Realm to "connect" Shiro with my database. Then I read I might need to extend org.apache.shiro.authc.UsernamePasswordToken to read the certificate and pass it to Shiro. Then I suppose I have to restrict access to content in JSF xhtml pages (using the rendered attribute for example) and I suppose that even in all methods of the Named Managed beans I will need to check the permissions.
Also, It is not clear to me how I can assign the guest user when a certificate is not provided, since apparently it is TomEE the one who validates the client, so if no certificate is provided, my code will not get executed to assign the guest user. I could open two different ports in TomEE, but then the access will not be unified, since I want to treat the guest user uniformely, as any other user in the system. How can this be done?
Is this implemented in a easier way in PicketLink? (which is also better prepared for JSF)
OK, it took me a while and a lot of research, so I will summarise my findings dramatically. I documented everything but do not want to create a book chapter.
So I decided to go with Shiro, and everything I describe works and can be done. This X509certificate project for Shiro was quite useful. Basically, you need to implement a Realm overriding two methods (one for authentication and another for authorisation) - there is a class to extend in the code I mentioned before.
The distiction of a user not providing a cert can be done in the Shiro Filter, so when no token (certificate) is provided, one can be created on the fly or read from a keystore.
For restricting access in JSF there are some shiro tags that can help, no need to use rendered. I have checked permissions also in the beans or other classes accessing the database. This works once the permissions have been established in the authorisation method.
The issue with Tomcat can be solved by using <Connector port="..." ClientAuth="want" ... which will ask for a certificate but will not stop the user if no certificate is provided.
I'm working on a Grails application and want to integrate with a custom single-sign-on service (not CAS, but similar). I'm struggling to find all the pieces that I need to customize to make this happen. Can someone explain to me a general outline as to what I need to use to accomplish this? I've read the documentation on the plugin, but it assumes I know which beans to override and where to put all the needed files.
I've block-quoted what I think needs to be done based on my research below each point.
Order of Operations
1- The user requests secure content (everything is secure in the application for now)
I believe this setting is in the Config.groovy file:
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/**':['ROLE_ADMIN']
]
2- Spring Security checks to see if the user has a specific value set in a cookie provided by the authentication service
I'm guessing I need to create an authentication filter, but I don't know where to put it or what it should look like.
If they don't, the user is redirected to this custom SSO service, they login, once authenticated, the user is redirected back to my application (with a new cookie set)
3- Spring security checks for the cookie value and validates it against the custom service (via HTTP POST)
From some research, I think that I need to use PreAuthenticatedProcessingFilter, but I haven't been able to find any examples of how to do this.
4- The custom service returns a series of name/value pairs, a user then needs to be created in the local application database (or the timestamp of "lastLoggedIn" is updated if they user's data is already in the database)
I believe this is done in the same PreAuthenticatedProcessingFilter as number 3 or in a GrailsUserDetailsService
5- The user's authentication is cached in the session for a period of time (6-8 hours) so that re-validation against the SSO service doesn't need to occur every time the user requests a new resource.
I'm not sure if this is something that's done inherently or if I need to add code to do this (and also set the session timeout)
I'm planning the development of a website which will use parked domains to allow a single code base to drive multiple locale versions of a website.
What I have in mind is, when my index page is loaded to query my database to see if that particular host name has been added to a white list via a bespoke administration system. If so, the resultant row of site information (name, domain, locale etc.) is stored in a session variable.
My question is: if I did store this row in the session, would that session then be available to all of the other "sites" too (which I don't want)?
My thoughts for storing this information in the session were so I didn't have to query my database on each page for the site details. But if sessions are accessible by all parked domains, I'll have to re-factor my authentication handler too as that uses sessions (unrelated, I know!).
Thanks in advance.
Sessions usually rely on cookies, the browser will only send a cookie if the domain it was set from matches the domain of the resources you are requesting. So even if you're using the same code for all your various domains as long as that code is being referenced by different URLs you will be fine.
There´s a way to make session acessible to all parked domains and sub-domains.
I´m looking for an answer, and I didn´t found... But I wrote some code thats resolved this issue:
session_set_cookie_params(0,"/",$_SERVER["SERVER_NAME"]);
$_SESSION['session.cookie_domain'] = $_SERVER["SERVER_NAME"];
Good Luck for all future finders!
I'm trying to setup a "private beta" for a site that I'm working on. The site uses open id. I don't want anyone to even browse the pages if they aren't part of the beta. What's the best way to implement this? Any suggestions?
For example:
When the site goes live, users will go to http://www.mydomain.com which will not require them to log in.
For the beta I want to restrict access. Users that go to http://www.mydomain.com will be redirected to a login page. Anyone attempting to access ANY PART OF THE SITE who is not authenticated will be redirected back to the login page.
I could stick [Authorize] attributes all over my controller actions, but that seems stupid.
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
The real question is how are they being invited to the private beta?
You could setup a password which drops a cookie much like serverfault.com does.
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.
Suppose each user has certain preferences that is saved in database for that user.
For example: UnitSystem, UILanguage, TimeZone,...
When an http-request is made we need to have access to user preferences (e.g UnitSystem, TimeZone, ...) to correctly process the data and render the view in the correct language.
What is the correct way to save/access user preferences during program execution?
Read the user preferences from database for each http-request
Read user preferences once when user logs into the application and save it in session variables.
Read user preferences once when user logs into the application and save it in a cookie.
How do you handle global settings in your MVC based applications?
In your case, I would probably store the setting in the session and cookie and check them in this order:
Check the session for the variable.
If not in the session, check the cookie and store cookie value in session.
If not in cookie, check database and store in cookie and session.
That way you should be able to handle session timeouts & users with cookies turned off pretty transparently while still maximizing performance by hitting the DB only when absolutely necessary.
Of course you'll need some mechanism to update the cookie and session as well if the user changes their preferences in the DB. Assuming these preferences are set in the same application, that shouldn't be too big of a deal.
This is what the Profile providers are for in ASP.NET. Take a look at the section of the MSDN documentation titled "ASP.NET Profile Properties Overview", located at:
http://msdn.microsoft.com/en-us/library/2y3fs9xs.aspx
You could then create your own profile provider (if one of the provided ones doesn't suit your needs) which would load/save the profile data.