Tags: java, liferay, liferay-6

Liferay Authorization


I need to implement Liferay authentication against the organization's LDAP. Once a user successfully logs in, I want the user to be checked against a local group created in Liferay.

For example, users in a certain team should be the only ones able to get into the application. As there is nothing in LDAP which distinguishes these users from other users in LDAP, I need to implement something locally in Liferay.

When a user logs in he/she should be authenticated against LDAP and then a local Liferay group should be looked up to check whether the user is part of that group. This group should be configurable by the Liferay admin. Only when he/she is part of that group should the home page of the application with data be displayed.

Any pointers on this would help. Thanks.


Solution

  • Here is what I have understood:

    1. Users are stored in LDAP.
    2. The Users are not categorized in LDAP. No ldap groups exist.
    3. So when you authenticate against LDAP all the Users present in LDAP will be logged-in to Liferay.
    4. But what you want is that, only those Users who belong to a certain group in Liferay should be able to login and others should not.

    If this is what you want then here are my few pointers:

    1. The best thing would be to have groups in LDAP itself. In terms of maintenance this will be better, since authentication is already happening through LDAP. Here is how you can leverage Liferay with LDAP groups. Of course, if you went with this approach you would need to manually assign the Users to each group through an LDAP client like LDAP Admin or jXplorer.
    2. But if this is not possible, then you can either group users through Organizations or UserGroups or maybe a Site (with or without pages) in Liferay.
    3. After successful authentication from LDAP you can check whether the particular User belongs to the desired Organization or UserGroup or Site. You can use LoginPostAction hook for this purpose.
    4. If the User is not a member of the desired group then you can log him out of the system and re-direct him to the login page or some other page as is your requirement.
    5. You can also have a hook to prevent update and delete of the UserGroup or Organization or Site so that Admins don't accidentally delete or update the concerned group which might cause authentication failure.

    Hope this helps, let me know if what I have understood is correct.
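As an added example (not code from the answer above or from Liferay itself), here is what steps 3 and 4 of the answer look like as a Liferay 6.x `LoginPostAction` hook that checks UserGroup membership after the LDAP login and ends the session otherwise. Assumptions: the hook plugin's portal.properties registers the class via `login.events.post`, and the admin names the required UserGroup under a hypothetical property key `team.access.usergroup.name` in portal-ext.properties.

```java
// Hook registration (in the hook plugin's portal.properties, assumed):
//   login.events.post=com.example.hook.TeamAccessPostLoginAction
// Admin configuration (in portal-ext.properties, hypothetical key / group name):
//   team.access.usergroup.name=team-access
package com.example.hook;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.PropsUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.model.UserGroup;
import com.liferay.portal.service.UserGroupLocalServiceUtil;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.util.PortalUtil;

public class TeamAccessPostLoginAction extends Action {

    private static final Log _log = LogFactoryUtil.getLog(TeamAccessPostLoginAction.class);
    // Hypothetical property key; the admin sets the UserGroup name here.
    private static final String GROUP_NAME_KEY = "team.access.usergroup.name";

    @Override
    public void run(HttpServletRequest request, HttpServletResponse response)
            throws ActionException {
        try {
            // LDAP authentication has already succeeded when a post-login action runs.
            User user = PortalUtil.getUser(request);
            String groupName = PropsUtil.get(GROUP_NAME_KEY);
            if (user == null || Validator.isNull(groupName)) {
                // Fail closed: an unconfigured gate must not let everyone through.
                throw new ActionException("team access UserGroup is not configured");
            }
            UserGroup group = UserGroupLocalServiceUtil.getUserGroup(user.getCompanyId(), groupName);
            if (!UserLocalServiceUtil.hasUserGroupUser(group.getUserGroupId(), user.getUserId())) {
                _log.warn("User " + user.getScreenName() + " is not in UserGroup " + groupName);
                request.getSession().invalidate();  // drop the session Liferay just created
                response.sendRedirect(PortalUtil.getPortalURL(request) + "/c/portal/logout");
            }
        } catch (ActionException ae) {
            throw ae;
        } catch (Exception e) {
            throw new ActionException(e);
        }
    }
}
```

Step 5 of the answer (protecting the group from accidental deletion) would be a separate `UserGroupLocalService` wrapper hook; the check above simply fails closed if the named group no longer exists.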