Advanced Liferay Configuration Because the actual method calls for retrieving data are the same regardless of how one gets access to those methods (i.e., locally or through web services), Liferay provides a consistent interface for accessing portal data that few other products can match. The actual interfaces for the various services will be covered in the Liferay Developer's Guide, but before they can be used there are steps that need to be taken to enable users to access those services remotely. In the default portal.properties file, there is a section called Main Servlet. This section defines the security settings for all of the remote services provided by Liferay. Copy this section and paste it into your custom portalext.properties file, and you can configure security settings for the Axis Servlet, the Liferay Tunnel Servlet, the Spring Remoting Servlet, the JSON Tunnel Servlet, and the WebDAV servlet.
Illustration 77: Liferay SOA's first layer of security.
By default, a user connecting from the same machine Liferay is running on can access remote services so long as that user has the permission to use those services in Liferay's permissions system. Of course, you are not really “remote� unless you are accessing services from a different machine. Liferay has two layers of security when it comes to accessing its services remotely. Without explicit rights to both layers, a remote exception will be thrown and access to those services will not be granted. The first layer of security that a user needs to get through in order to call a method from the service layer is servlet security. The Main Servlet section of the portal-ext.properties file is used to enable or disable access to Liferay's remote services. In that section of the properties file, there are properties for each of Liferay's remote services. You can set each service individually with the security settings that you require. For example, you may have a batch job which runs on another machine in your network. This job looks in a particular shared folder on your network and uploads documents to your community's document library portlet on a regular basis, using Liferay's web services. To enable this batch job to get through the first layer of security, you would modify the portal-ext.properties file and put the IP address of the machine on which the batch job is running in the list for that particular service. For example, if the batch job uses the Axis web services to upload the documents, you would enter the IP address of the machine on which the batch job is running to the axis.servlet.hosts.allowed property. A typical entry might look like this: axis.servlet.hosts.allowed=192.168.100.100, 127.0.0.1, SERVER_IP
If the machine on which the batch job is running has the IP address 192.168.100.100, this configuration will allow that machine to connect to Liferay's web services and pass in user credentials to be used to upload the documents.
Liferay Services Oriented Architecture
245