restrict portlet access in liferay

Question

I have a portlet called "asdf". I use AJAX to reload little views. To access these views I can call e.g. http://localhost:8080/asdf-portlet/view.jsp This works fine except that people who aren't logged in can access these views too, but they should not be able to.

Any solutions to this problem? Is there some kind of session which only logged in users can access?

Answer 1

Can you provide the link to access to your view directly ? Maybe this can clear things.

If it's the link you provided in the first post, i can imagine why you are viewing the portlet. It's because you are not calling any portlet, you are calling only the servlet part. This type of call has nothing to do with liferay, so portlet related xml files are not read by tomcat (or any other java server).

As already suggested by doc_180 you have to either

• filter the servlet requests in order to avoid direct access
• (and/or) restrict access of the app only from liferay (you must configure java server(e.g. Tomcat) to do so.

Answer 2

Did you try to remove

<security-role-ref>
    <role-name>guest</role-name>
</security-role-ref>

from portlet.xml?

I also remove

<role-mapper>
  <role-name>guest</role-name>
  <role-link>Guest</role-link>
</role-mapper>

from liferay-portlet.xml.

Answer 3

Liferay has an extensive hierarchical permission based system. I would suggest you restrict your portlet permissions to user who are logged in. Generally this is done by removing the guest/anonymous -> view option.

From your portlet configurations section (generally accessed by clicking the little wrench icon) select the permissions section and uncheck the guest options.

Answer 4

I think you might need to provide more information. What version of liferay are you using? Have you specified permission? What page have you added your portlet to?

Specify that only "user" can access portlet and also I think you have added the portlet to the Guest's Landing page. That implies that the porlet is public.