Sun GlassFish Web Space Server 10.0 Administration Guide

Authentication Pipeline

Authentication Pipeline is a property in the portal.properties file, which is the default configuration file for Sun GlassFish Web Space Server. You can override this property in the portal-ext.properties file.

Input a list of comma-delimited class names that implement com.liferay.portal.security.auth.Authenticator. These classes will run before or after the portal authentication begins.

The Authenticator class defines the constant values that should be used as return codes from the classes implementing the interface. If authentication is successful, return SUCCESS; if the user exists but the passwords do not match, return FAILURE; and if the user does not exist on the system, return DNE.

Constants in Authenticator:


public static final int SUCCESS = 1;
public static final int FAILURE = -1;
public static final int DNE = 0;

If you have several classes in the authentication pipeline, all of them have to return SUCCESS for the user to be able to log in. If any one of the authenticators returns FAILURE or DNE, the login fails.

Under certain circumstances, you might want to keep the information in the portal database in sync with an external database or an LDAP server. This can easily be achieved by implementing a class via LDAPAuth that updates the information stored in the portal user database whenever a user signs in.

Each portal instance can be configured at run time to either authenticate based on user IDs or email addresses. See the Admin portlet for more information.

Available authenticators are:


com.liferay.portal.security.auth.LDAPAuth

See the LDAP properties to configure the behavior of the LDAPAuth class.


auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
auth.pipeline.post=

Set this to true to enable password checking by the internal portal authentication. If set to false, password checking is delegated to the authenticators configured in the auth.pipeline.pre and auth.pipeline.post settings.


auth.pipeline.enable.liferay.check=true

Input a list of comma-delimited class names that implement com.liferay.portal.security.auth.AuthFailure. These classes will run when a user has a failed login or when a user has reached the maximum number of failed logins.


auth.failure=com.liferay.portal.security.auth.LoginFailure
auth.max.failures=com.liferay.portal.security.auth.LoginMaxFailures
auth.max.failures.limit=5

Set the following to true to forward users to the last visited path upon successful login. If set to false, users will be forwarded to their default layout page.


auth.forward.by.last.path=true

The login page reads a redirect by a parameter named redirect. If this property is set to true, then users will be redirected to the given redirect path upon successful login. If the user does not have permission to view that page, then the rule set by the property auth.forward.by.last.path will apply.

You can set the redirect manually from another application by appending the redirect parameter to a URL that looks like this: /c/portal/login?redirect=%2Fgroup%2Femployees%2Fcalendar. This URL will redirect the user to the path /group/employees/calendar upon successful login.


auth.forward.by.redirect=true

Provide a list of comma-delimited paths that can be considered part of the last visited path.


auth.forward.last.paths=/document_library/get_file

Type a URL that will be used to log in portal users whenever needed. By default, the portal's login page is used.


#auth.login.url=/web/guest/home

Type the friendly URL of a page that will be used to log in portal users whenever the user is navigating a community and authentication is needed. By default, the portal's login page or the URL set in the property auth.login.url is used.


auth.login.community.url=/login

Type the name of the login portlet used in the page identified by the URL of the previous property (if one has been set). This allows the portlet to access the redirect parameter and thus forward users to the page they were trying to access when necessary. You should leave the default value unless you have your own custom login portlet.


auth.login.portlet.name=58

Provide a list of comma-delimited paths that do not require authentication.


auth.public.paths=\
/blogs/find_entry,\
/blogs/rss,\
/blogs/trackback,\
\
/bookmarks/open_entry,\
\
/document_library/get_file,\
\
/journal/get_article,\
/journal/get_articles,\
/journal/get_latest_article_content,\
/journal/get_structure,\
/journal/get_template,\
/journal/view_article_content,\
/journal_articles/view_article_content,\
\
/layout_management/sitemap,\
\
/message_boards/find_category,\
/message_boards/find_message,\
/message_boards/find_thread,\
/message_boards/get_message_attachment,\
/message_boards/rss,\
\
/my_places/view,\
\
/polls/view_chart,\
\
/portal/expire_session,\
/portal/extend_session,\
/portal/extend_session_confirm,\
/portal/json_service,\
/portal/logout,\
/portal/open_id_request,\
/portal/open_id_response,\
/portal/session_click,\
/portal/session_tree_js_click,\
/portal/status,\
\
/search/open_search,\
/search/open_search_description.xml,\
\
/shopping/notify,\
\
/tags/rss,\
\
/wiki/get_page_attachment,\
/wiki/rss
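
An added example, not part of the original guide or the product's code: a small Python audit of two settings described above. It merges a constructed default file with a constructed portal-ext.properties override, flags the case where auth.pipeline.enable.liferay.check is false and no authenticator remains in auth.pipeline.pre or auth.pipeline.post, and lists any auth.public.paths entries the override adds. The function names, both sample files and the path /example/admin_export are assumptions made for illustration.

```python
DEFAULTS = r"""
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
auth.pipeline.post=
auth.pipeline.enable.liferay.check=true
auth.public.paths=\
    /blogs/rss,\
    \
    /wiki/rss
"""  # constructed, shortened stand-in for portal.properties
OVERRIDE = r"""
# constructed portal-ext.properties; /example/admin_export is hypothetical
auth.pipeline.pre=
auth.pipeline.enable.liferay.check=false
auth.public.paths=/blogs/rss,/wiki/rss,/example/admin_export
"""

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, trailing-backslash continuations."""
    props, buf, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        buf += line[:-1] if continuing else line
        if not continuing:
            key, _, value = buf.partition("=")
            props[key.strip()], buf = value.strip(), ""
    return props

def items(props, key):
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]

def audit(defaults_text, override_text):
    defaults = parse_properties(defaults_text)
    effective = {**defaults, **parse_properties(override_text)}  # override wins
    findings = []
    auths = items(effective, "auth.pipeline.pre") + items(effective, "auth.pipeline.post")
    # Assumption: an absent key is treated as true, the value shown on this page.
    internal = effective.get("auth.pipeline.enable.liferay.check", "true").lower() == "true"
    if not internal and not auths:
        findings.append(("no-password-check", []))  # nothing left to verify passwords
    elif not internal:
        findings.append(("password-check-delegated", auths))
    added = sorted(set(items(effective, "auth.public.paths")) - set(items(defaults, "auth.public.paths")))
    if added:
        findings.append(("public-paths-added", added))  # reachable without authentication
    return findings

print(audit(DEFAULTS, OVERRIDE))
```

A "password-check-delegated" finding is informational: it names the authenticator classes that now carry the whole password check and should be reviewed.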