(I am not sure if I have to post this in Liferay forum or Spring forum)
I have to transfer an existing web application to a portlet environment.
My current approach is to use the GenericFacesPortlet that is part of the JSF Portlet Bridge Standard. By using this approach, in theory, the servlet web application needs only minor adaptions to run as a portlet. (Versions: Liferay 6.0.5, Portlet Brigde 2.0.1x from JBoss, Spring Security 2.0.6; I cannot simply move to newer versions of Spring.)
I managed to convert a simple web application containing JSF and Rich Faces to use the GenericFacesPortlet. This worked well and so I tried to convert the “real” application using this approach.
The “real” application does additionally use:
- Spring Web MVC
- Spring Security
- Spring WebFlow
- (and many more Spring libs)
Spring Security (e.g. the Filter Chain) is initialized by Liferay during context initialization of the portal. At that time, no user is logged in and the Spring Security can not extract a valid user. This is ok, but after that initialization, the Spring Security Filter Chain is not called ever again. So Spring is not able to use the pre-authentication of Liferay.
I like to keep Liferay as the leading authenticating instance and the portlet using the authentication done by liferay.
My first question: What are the recommended hooks for linking Spring Security to Liferay? (this question goes more to Liferay, I know)
I found one way to initialize Spring Security from Liferay (described for Liferay 4.x and old version of Spring Security here: http://acegi-ext.sourceforge.net/ace...t-liferay.html). Solution in short: Add own LoginPostAction-class to Liferays login.events.post Property from portal.properties file (to be found in Liferays portal-impl.jar). There, the authentication data from a successful login can be extracted from Portlet/Portal Environment and transferred to Spring Security. The LoginPostAction class defines therefore the method
run( HttpServletRequest request, HttpServletResponse response)which can be extended to initialize e.g. Spring Security.
I think using this way I can initialize Spring Security.
But this does not help much, because after initialization, Spring Security is never called again during Portlet execution. What is missing is a connection between the mapped Servlet Requests (mapped by GenericFacesPortlet) and the Spring Security Filter Chain. This Chain is never called during my tests.
I know that there is a Spring Portlet MVC (and a Spring Portlet Security) jar.
Question 2: Will the Spring Portlet MVC help me converting an existing web application to a portlet with minor adaptions of the existing web application?
I like to develop my code based on standards.
Question 3: What is the relation of Spring Portlet MVC and Generic Portlet, is the Portlet MVC an alternative approach to the GenericFacesPortlet of the PortletBridge standard?
Any hint is appreciated