
Liferay authentication and authorization (Siteminder and Custom Tomcat Authorization)

I am new to Liferay Portal. I am afraid the questions being raised might be simple, but I am not aware. Please clarify.

We are trying to build a Portal using Liferay on Tomcat. This Portal should be authenticated by Netegrity SiteMinder and we have our internal authorization mechanism which is built on Tomcat security. I have questions on two areas, which I have listed below:

  1. Question on enabling SiteMinder in Liferay: When SiteMinder is enabled within Liferay, is it necessary for us to still configure the user in Liferay Portal to have the SiteMinder-authenticated user get into the portal page?

  2. Authorizations - My objective is to avoid configuring Users and Roles and their associations in Liferay. This is because the portal which we want to build should rely on the Tomcat security customized framework which is already in place.

I deployed a portlet which has a set of links available, and these links should be available based on the user permissions. So I configured the users and a set of roles in tomcat-users.xml, also defined the role-mapping in liferay-portlet.xml, portlet.xml and web.xml, deployed the portlet, and also changed the Realm configuration in liferay.xml as below:

appName="PortalRealm" userClassNames="com.liferay.portal.security.jaas.PortalPrincipal"

roleClassNames="com.liferay.portal.security.jaas.PortalRole"

debug="99" useContextClassLoader="false"/>

I logged into Liferay Portal with a user (configured both in Liferay and tomcat-users.xml), added the portlet on the page, and see the links are not displayed, as request.isUserInRole("Role x") returned false. When I tried configuring the same role and associated it to the user, I saw the link working. But the expected behaviour is not seen.

Please help me on this. Appreciate a quick response.

Thanks Kalaiarasan


1) Usually users are imported from the external auth. tool to Liferay. My experience is based on LDAP (OpenDJ) auth. integration with Liferay. If the users are organized in groups, it's also possible to import those groups and associate imported users with those groups. The last step is to give the required permissions to those groups. So you end up with usual Liferay users with appropriate roles, optionally belonging to appropriate groups -- all this coming from your external Tomcat configuration.

2) I'd recommend importing the users and roles you already have in Tomcat to Liferay (and yes, it can be done automatically during authorization by writing some code which imports the currently authorized user and his roles). This will give you the flexibility to fine-tune the permissions using the Liferay built-in mechanisms and interfere less with their override. You also have the AdvancedSecurityChecker class that you can override to do any custom permissions handling, but it's less recommended.

Finally, keep in mind upgrades to future Liferay versions. The more of the Liferay functionality you override and customize, the harder the upgrade will be.
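
As a preparation step for the import recommended in the answer above, the following added example (not code from either poster or from Liferay) reads a file in the tomcat-users.xml format and lists the roles and user-to-role memberships that would have to exist in the portal. The sample file content, the user and role names, and the function name `build_import_plan` are constructed for illustration; creating the roles in Liferay itself is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the tomcat-users.xml format; all names are placeholders.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="report-viewer"/>
  <role rolename="report-admin"/>
  <user username="alice" password="not-imported" roles="report-viewer,report-admin"/>
  <user username="bob" password="not-imported" roles="report-viewer, audit"/>
  <user username="carol" password="not-imported" roles=""/>
</tomcat-users>
"""

def _local(tag):
    """Strip an XML namespace prefix, in case the file declares one."""
    return tag.rsplit("}", 1)[-1]

def build_import_plan(xml_text):
    """Return (roles, memberships, warnings) describing what the portal needs."""
    root = ET.fromstring(xml_text)
    declared, memberships, warnings = set(), {}, []
    for el in root.iter():
        if _local(el.tag) == "role" and el.get("rolename"):
            declared.add(el.get("rolename").strip())
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = (el.get("username") or "").strip()
        if not name:
            warnings.append("user element without a username skipped")
            continue
        raw = (el.get("roles") or "").split(",")
        roles = sorted({r.strip() for r in raw if r.strip()})
        # The password attribute is deliberately never read: authentication
        # stays with the external system, only role data is carried over.
        memberships[name] = roles
        if not roles:
            warnings.append(f"{name}: no roles, would get only portal defaults")
        for r in roles:
            if r not in declared:
                warnings.append(f"{name}: role '{r}' is used but not declared")
    used = {r for rs in memberships.values() for r in rs}
    return sorted(declared | used), memberships, warnings

if __name__ == "__main__":
    roles, members, warns = build_import_plan(SAMPLE_TOMCAT_USERS)
    print("roles to create:", roles)
    for user, rs in members.items():
        print(user, "->", rs)
    for w in warns:
        print("warning:", w)
```

The warnings matter for least privilege: a role that users hold but the file never declares, or a user with no roles at all, should be reviewed before anything is granted in the portal.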
