How do I use autologin in liferay?


Problem description


I want to login my users automatically from our application. I know liferay has an auto login feature, but I don't know how to use it. I didn't find much valuable information on the web. What do I need to do to make autologin work?

I want to login a user automatically when he clicks a link, without him having to enter name and password. The name and password are saved on our application database.

Solution

I believe the OP has no use for an answer now. Nonetheless, this deserves a comprehensive answer. In fact, I am surprised that it does not have one yet.

First of all, this is a bad idea: such an arrangement as the one proposed by the OP is really too insecure. Nevertheless, a solution to the described problem can be a good prototype for someone creating an autologin for Liferay.

Now, let us say you want to automatically log in any user whose screen name is sent in a query string parameter. For example, if one accesses http://localhost:8080/web/guest/home?insecurely_login_user=juju then the juju user should be logged in to Liferay. How to do that? Follow the steps below:

Create the autologin class

Firstly, create a hook plugin. In its docroot/WEB-INF/src directory, create a class implementing the com.liferay.portal.security.auth.AutoLogin interface. In my example, I will call it br.brandizzi.adam.liferay.insecure.InsecureAutoLogin.

The AutoLogin interface has only one method, called login(), which expects two parameters (an HttpServletRequest and an HttpServletResponse instance) and returns an array of strings. So, my class will look like this without implementation:

public class InsecureAutoLogin implements AutoLogin {

    @Override
    public String[] login(HttpServletRequest request,
            HttpServletResponse response) throws AutoLoginException {
        // TODO Auto-generated method stub
        return null;
    }

}

The AutoLogin.login() method will try to retrieve the information necessary to the authentication from many sources, mainly the request object. If it decides that the user should be logged in, it returns an array with relevant data for authentication; if it decides to not log the user in, it can just return null.

In our case, we try to get the name of the user from the insecurely_login_user parameter of the request. If there is such a parameter, we will proceed with the login; if there is no such parameter, it just returns null:

String screenName = request.getParameter("insecurely_login_user");
if (screenName == null || screenName.isEmpty()) {
    return null;
}

So we have the screen name. What to do now? Let us get a user from the database with the same screen name.

long companyId = PortalUtil.getCompanyId(request);
User user = UserLocalServiceUtil.getUserByScreenName(companyId,
        screenName);

If a user with such a screen name exists, it will be retrieved and attributed to the user variable. In this case, the authentication should be successful and the autologin class should return an array of three strings - the credentials. Those are the values to be returned as credentials, in the order they should appear in the array:

  • the user id as a string
  • the password of the user, which can be encrypted or not;
  • a boolean value, cast to string, indicating if the password is encrypted.

So here is the line:

return new String[] {
    String.valueOf(user.getUserId()),
    user.getPassword(),
    String.valueOf(user.isPasswordEncrypted())
};

If a user is not found, however, an exception will be thrown. So, we have to surround the code above with a try/catch construction. If an exception is thrown, just return null:

try {
    long companyId = PortalUtil.getCompanyId(request);
    User user = UserLocalServiceUtil.getUserByScreenName(companyId,
            screenName);
    return new String[] { String.valueOf(user.getUserId()),
            user.getPassword(),
            String.valueOf(user.isPasswordEncrypted()) };
} catch (Exception e) {
    return null;
}

In the end, this is my InsecureAutoLogin class:

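package br.brandizzi.adam.liferay.insecure;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.auth.AutoLoginException;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

public class InsecureAutoLogin implements AutoLogin {
    public String[] login(HttpServletRequest request,
            HttpServletResponse response) throws AutoLoginException {

        // Deliberately insecure: the screen name is taken straight from the
        // query string and nothing proves who sent the request.
        String screenName = request.getParameter("insecurely_login_user");
        if (screenName == null || screenName.isEmpty())
            return null;

        try {
            long companyId = PortalUtil.getCompanyId(request);
            User user = UserLocalServiceUtil.getUserByScreenName(companyId,
                    screenName);
            // Credentials array: user id, password, "is the password encrypted" flag
            return new String[] { String.valueOf(user.getUserId()),
                    user.getPassword(),
                    String.valueOf(user.isPasswordEncrypted()) };
        } catch (Exception e) {
            // No such user (or lookup failed): do not log anyone in
            return null;
        }

    }
}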

Registering the autologin class

Now our hook should register this class as an autologin processor. That is really easy.

First, edit the file docroot/WEB-INF/liferay-hook.xml adding a portal-properties element with the value portal.properties:

<?xml version="1.0"?>
<!DOCTYPE hook PUBLIC "-//Liferay//DTD Hook 6.1.0//EN" "http://www.liferay.com/dtd/liferay-hook_6_1_0.dtd">

<hook>
    <portal-properties>portal.properties</portal-properties>
</hook>

Now, create a file named portal.properties at docroot/WEB-INF/src. It should contain a property named auto.login.hooks whose value should be the name of our class:

auto.login.hooks=br.brandizzi.adam.liferay.insecure.InsecureAutoLogin

And that is it. Deploy this hook and your autologin will work.

Conclusion

As I have said, you should not use such an unsafe "authentication" method. It is too easy to bypass it, getting even administration permissions! However, if you follow these steps, you have a skeleton to create a better autologin feature. Also, I know some people really want to do something like this insecure "authentication" method and sometimes we have to suspend our judgments and just help one to shoot one's feet...

The source code of this project can be found here and you can download the WAR here.
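
A hardened counterpart to the InsecureAutoLogin class above, as an added example that is not part of the original answer or its project: instead of trusting a bare screen name, login() would accept only a token HMAC-signed by the trusted application and look up the user from the value verify() returns. The class name SignedLoginToken, the token layout, the shared key and the use of Java 8's java.util.Base64 are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example. Assumed token layout: screenName:expiryEpochSeconds:base64url(HMAC-SHA256)
public class SignedLoginToken {
    private final byte[] key; // shared secret, provisioned out of band (assumption)
    public SignedLoginToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Called by the trusted application after it has authenticated the user itself.
    public String issue(String screenName, long expiresAt) throws Exception {
        String payload = screenName + ":" + expiresAt;
        return payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    // Returns the screen name if the token is authentic and unexpired, otherwise null.
    public String verify(String token, long now) {
        try {
            int sigAt = token.lastIndexOf(':');
            int expAt = token.lastIndexOf(':', sigAt - 1);
            if (expAt <= 0) return null; // malformed, or empty screen name
            String payload = token.substring(0, sigAt);
            byte[] given = Base64.getUrlDecoder().decode(token.substring(sigAt + 1));
            // Check the MAC in constant time before trusting any field of the payload.
            if (!MessageDigest.isEqual(mac(payload), given)) return null;
            long expiresAt = Long.parseLong(payload.substring(expAt + 1));
            return now < expiresAt ? payload.substring(0, expAt) : null;
        } catch (Exception e) {
            return null; // any parse or crypto failure means no auto-login
        }
    }

    public static void main(String[] args) throws Exception {
        SignedLoginToken t = new SignedLoginToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis() / 1000;
        String good = t.issue("juju", now + 60);
        System.out.println(t.verify(good, now));                          // valid token
        System.out.println(t.verify(good.replace("juju", "admin"), now)); // tampered screen name
        System.out.println(t.verify(good, now + 120));                    // expired
        System.out.println(t.verify("juju", now));                        // bare screen name, unsigned
    }
}
```

A token stays replayable until it expires, so keep the lifetime short and carry it only over HTTPS.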
