Liferay 6.1 – where’s the password?

While coding for Liferay one might encounter the need to obtain current user’s password. For instance, Liferay’s Chat portlet does this to try logging in to Jabber server using same credentials that current user has for Liferay portal. The Chat portlet does it a bit wrong though, let’s see what’s the best way to do that.

First, Liferay doesn’t normally stores clear text passwords in DB – salted hashes are calculated and stored instead. This behaviour can be altered by setting the “passwords.encryption.algorithm” setting to value “NONE” as documentation specifies: http://www.liferay.com/documentation/liferay-portal/6.1/user-guide/-/ai/passwords
One should hardly ever do that, because in worst case leaking DB of salted hashes would be much less of a problem than leading DB full of clear text passwords.

Second, Liferay doesn’t store clear text password in RAM for much longer than it takes to calculate the hash (and well, for GC to run cleanup). This can be altered by setting the “session.store.password” setting to “true” as specified in another part of documentation: http://www.liferay.com/documentation/liferay-portal/6.1/user-guide/-/ai/session
One should try to avoid that too because otherwise memory dumps will contain passwords of users that were recently logging-in. This is what Chat portlet does though.

So, the right way in my opinion is to implement custom authenticator, in accordance with this piece of official documentation: http://www.liferay.com/documentation/liferay-portal/6.1/user-guide/-/ai/authentication-pipeline
When any user will be logging in to Liferay your Authenticator code will be called with clear text password as a parameter, and at the moment of the call you can perform necessary actions.

In case this is not enough and one needs to use the password not only in the moment of user’s login, there are options to do that too. Of course, you can do same thing as “session.store.password” does and store the password in session, maybe not as String object but as byte[] or char[] array to make it not so prominent in memory dumps. You can also encrypt it, so that getting it out of memory dump would require decryption.

However, thanks to suggestions of some people, we found out about a better way to to that: encrypt the password using key stored on server (for instance, in JVM’s keystore). This way we can decrypt and use password when necessary, but anyone who has the memory dump and knows encryption/decryption algorithm still can not decrypt the password because he lacks the key from server’s file system. That’s secure enough for anyone, I suppose (-:

Liferay in Action

It doesn’t seem to make much sense to post about Liferay since “Liferay in Action” book by Richard Sezov is out – that’s how good that books is. Really.

But, as it is mentioned in the book itself, Liferay is very alive at the moment, it is in dynamic development and new changes arrive all the time. Thus it makes perfect sense to comment on what has changed since the book is out (-:

I haven’t done any review of the changes made to Liferay in recent months, so no complete list in this post – maybe in future ones. But there are a couple of things that I want to mention right away because I stumbled across them in my day-to-day practice, which means other people will be stumbling over those often too, I presume.

First, the book explicitly states there is no way to add Servlet Filter to Liferay’s main portal web app without using EXT, that this cannot be accomplished via hook. Well, this is no longer true for 6.1 – hooks can add Servlet Filters to portal’s webapp now, hooray!
Read the rest of this entry »

Note: auto-close tags in HTML text with CKEditor

CKEditor API call to auto-close tags in HTML text:

htmlContent = new CKEDITOR.htmlDataProcessor(new CKEDITOR.editor(CKEDITOR.config, document.createElement("textarea"))).toDataFormat(htmlContent);

Eclipse WTP Tomcat/JBoss Adapter issue – permanent starting

Eclipse WTP Tomcat and JBoss adapters have a certain bug that I’ve encountered recently, and due to conditions it occurred in it took almost a detective work to figure out.

I added a video below with all the details and a little demo – just for fun.

Long story short, the bug occurs on starting the server (be it Tomcat or JBoss) from Eclipse. When starting it Eclipse WTP Server Adapter starts a thread called PingThread that tries to connect to the server. If connection is OK, server is considered to be “Started”. Otherwise it’s shown as “Starting”, and if there’s a startup timeout configured, after the time of timeout passes server gets killed.
Read the rest of this entry »

Programmatic JVM debug via JDI

The Goal
A couple of times in my life of java programmer I used a trick to put some code ending with “return false;” within Eclipse’s conditional breakpoints just for sake of having that code executed each time JVM goes over the breakpoint, but without the actual suspension of the thread. Or well, suspending would happen anyway, but Eclipse will resume thread automatically after executing the code due to “return false” in the end which would indicate “false” for breakpoint condition value to the Eclipse. As a result program will continue to execute, and no suspending that would require manual resuming (or any interaction) would happen.

The simplest example of the case when one can need that would be logging some variable value of which changes in a loop, and you want to know it’s last value before something happens in the system (say exception occurs). Nothing simpler than just putting a breakpoint to a next line after variable assignment, and setting “System.out.println(theVariable); return false” as a breakpoint condition.

The question that bugged me though was wether I can do it in more controller way. For example from Groovy Shell, which is currently my favourite tool for quickly running several lines of ad-hoc Java code, i.e. for scripting using Java (previously I used BeanShell for that). And it turned out that one can do that fairly easy using JPDA/JDI.
Read the rest of this entry »

Liferay 6 (5): get portlet content programmatically in hooked JSPs

Sometimes it is necessary to obtain a content of the portlet programmatically in hooked JSPs, but the APIs do not make it clear at all how to accomplish that.

There are some suggestions on the web on how this can be achieved, but the code seems to be somewhat complex, which makes it a problem to use in hooked JSPs.

For hooks there is a simpler method, but it relies on being executed in hooked JSPs by referring to some classes in portal-impl.jar:
Read the rest of this entry »

Guitar frets notes map with Codea

Couldn’t find a pic where standard tuned guitar frets would be displayed as black+white piano keys. So I’ve coded a little script/app for that using Codea (IDE+runtime for coding for iPad using Lua):

This is 7-string (electric) guitar in Standard tuning (i.e. just like 6-string + 1 additional string for lower notes), ’cause I have a 7-string one – so I needed that additional string too.

Teh Code:
https://github.com/mvmn/GuitarPiano-for-Codea/blob/master/src/Main.lua

Yep, it also produces sounds when keys/frets are touched (with multitouch). Codea is fun.