
How to secure Apache ODE using Liferay users and groups

Rather than using a separate database (or file) of users and roles, we decided to re-use the security features of Liferay Portal. This follows on from How to secure Apache ODE, which you should read first.

Note: The following steps were performed with Apache ODE 2.1 snapshot (trunk), Apache Tomcat 6.0.18, Liferay Portal CE 5.2.3 and PostgreSQL 8.4. They should work with some modifications for other configurations.

  1. Firstly, we need two database views that comply with Tomcat's DataSourceRealm:
    
    CREATE USER tomcat PASSWORD 'tomcat';
    CREATE SCHEMA tomcat AUTHORIZATION tomcat;
    
    GRANT USAGE ON SCHEMA lportal TO tomcat;     
    GRANT REFERENCES ON TABLE lportal.user_, lportal.users_usergroups, lportal.usergroup TO tomcat; 
    GRANT SELECT ON TABLE lportal.user_, lportal.users_usergroups, lportal.usergroup TO tomcat; 
    
    CREATE VIEW tomcat.users AS
        SELECT screenname as user_name, password_ as user_pass FROM lportal.user_;
    
    CREATE VIEW tomcat.user_roles AS
        SELECT u.screenname AS user_name, ug.name AS role_name
        FROM lportal.user_ u, lportal.users_usergroups uug, lportal.usergroup ug
        WHERE u.userid = uug.userid AND uug.usergroupid = ug.usergroupid;
    
    ALTER TABLE tomcat.users OWNER TO tomcat;
    ALTER TABLE tomcat.user_roles OWNER TO tomcat;
    
    
    In this example for PostgreSQL, the Liferay tables are stored in the lportal schema and the new tomcat views are created in the tomcat schema. A user called tomcat is created to own these views.
  2. Next, we define the JDBC DataSource that the realm will use in $TOMCAT/conf/server.xml, inside the <GlobalNamingResources> element. It connects as the tomcat database user created in step 1:
    
        <Resource
            name="jdbc/tomcat"
            auth="Container"
            type="javax.sql.DataSource"
            maxActive="10"
            maxIdle="3"
            maxWait="10000"
            username="tomcat"
            password="tomcat"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost/ncp" />
    
    
  3. Finally, we declare the Realm inside the <Context>, providing the names of the views and columns created in step 1:
    
        <Realm
            className="org.apache.catalina.realm.DataSourceRealm"
            debug="99"
            dataSourceName="jdbc/tomcat"
            roleNameCol="role_name"
            userCredCol="user_pass"
            userNameCol="user_name"
            userRoleTable="tomcat.user_roles"
            userTable="tomcat.users" />
    
  4. In Liferay Portal, create a User Group called "ode-admin" and assign your users to this group.
  5. Next, restart Tomcat.
  6. Open the ODE console using http://localhost:8080/ode/.
  7. When prompted, enter the username and password of a Liferay user in the ode-admin user group.
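Once the steps above are in place, the following SQL (an added check, not part of the original post) can be run from psql as a PostgreSQL superuser to confirm that the grants from step 1 are as narrow as intended and that the views resolve ode-admin members the way the realm looks them up; the screen name jdoe is a constructed placeholder.

```sql
-- Post-setup check for the grants and views from step 1 (added example, not
-- part of the original post). Run with psql as a PostgreSQL superuser; it
-- only reads catalog data and the two views, so it changes nothing.

-- 1. The tomcat role must be able to read, but not modify, the three Liferay
--    tables the views depend on. Expected: can_select = t, the rest = f.
SELECT c.relname,
       has_table_privilege('tomcat', c.oid, 'SELECT') AS can_select,
       has_table_privilege('tomcat', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('tomcat', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('tomcat', c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'lportal'
  AND c.relname IN ('user_', 'users_usergroups', 'usergroup');

-- 2. Every other Liferay table should be unreadable by tomcat. Any row
--    returned here is a privilege the setup did not intend to grant.
SELECT n.nspname || '.' || c.relname AS unexpected_readable_table
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'lportal'
  AND c.relkind = 'r'
  AND c.relname NOT IN ('user_', 'users_usergroups', 'usergroup')
  AND has_table_privilege('tomcat', c.oid, 'SELECT');

-- 3. Who the realm will accept: every screen name that the user_roles view
--    maps to ode-admin. Review this list as you would any administrator
--    list; it is what the User Group assignment in Liferay actually produced.
SELECT DISTINCT user_name
FROM tomcat.user_roles
WHERE role_name = 'ode-admin'
ORDER BY user_name;

-- 4. Simulate the realm's two lookups for one login (credential by user
--    name, then role names by user name) as the tomcat role itself, to prove
--    the views work with only the privileges granted in step 1.
--    Replace 'jdoe' (a constructed placeholder) with a real screen name.
SET ROLE tomcat;
SELECT user_pass FROM tomcat.users      WHERE user_name = 'jdoe';
SELECT role_name FROM tomcat.user_roles WHERE user_name = 'jdoe';
RESET ROLE;
```

If query 2 returns any rows, or query 1 shows anything other than SELECT for the tomcat role, revoke the extra privileges before exposing the realm.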