X.509 Certificate Authentication for Liferay Portal

This hook enables certificate-based authentication in Liferay Portal.


This is an Auto Login hook for Liferay. If a user opens the portal over an HTTPS connection, the browser asks for their client certificate, and they are logged in automatically based on the identity information in that certificate, which is mapped directly to a Liferay user attribute. If they arrive over a plain HTTP connection, the switch to HTTPS and the login take place when they click Sign In.

The Sign Out link in the Dockbar is hidden and the Login portlet is overridden to hide password login, but both functions are still present.


By default the hook authenticates on the Screen Name taken from the CN attribute of the subject distinguished name. This can be changed easily in the source code, independently of the regular authentication setting.

In the login method of class com.github.cert.auth.CertAutoLogin, the local variables authType and authAttr select the authentication type and the certificate field used for authentication:

  • screenName / _ATTR_CN
  • emailAddress / _ATTR_EMAIL
  • userId / _ATTR_UID

Note: According to RFC 2253 and RFC 2580, the CN and UID attributes are carried in the subject distinguished name, while e-mail addresses should reside in the Subject Alternative Name extension. However, to support legacy implementations, the emailAddress attribute in the subject distinguished name can be used as well.
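The following helper is an added example, not the hook's own code, showing how the authAttr choice above can be resolved against a client certificate in standard Java: CN or UID from the subject DN, and e-mail from the Subject Alternative Name extension with a fallback to the legacy emailAddress DN attribute. The class and method names, and the values of the ATTR_* constants, are assumptions; the servlet request attribute javax.servlet.request.X509Certificate and the JDK APIs used are standard.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not part of the hook) that extracts the identity
 * attribute named by authAttr from a container-verified client certificate.
 */
public final class CertIdentityExtractor {

    // Attribute names mirroring the README's _ATTR_* constants; actual values assumed.
    public static final String ATTR_CN = "CN";
    public static final String ATTR_UID = "UID";
    public static final String ATTR_EMAIL = "EMAILADDRESS";

    // PKCS#9 emailAddress OID. Without a name mapping the JDK prints it as a raw OID
    // with a hex-encoded value, so LdapName could not match it by keyword.
    private static final String EMAIL_OID = "1.2.840.113549.1.9.1";
    private static final Map<String, String> OID_NAMES =
            Collections.singletonMap(EMAIL_OID, ATTR_EMAIL);

    // Standard servlet attribute under which the container exposes the verified chain.
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private CertIdentityExtractor() {}

    /** Identity value for authAttr, or null when the certificate does not carry it. */
    public static String extract(X509Certificate cert, String authAttr)
            throws CertificateParsingException, InvalidNameException {
        if (ATTR_EMAIL.equalsIgnoreCase(authAttr)) {
            // RFC 2253/2580 place e-mail in the SAN; the DN attribute is a legacy fallback.
            String sanEmail = rfc822NameFromSan(cert);
            return sanEmail != null ? sanEmail : subjectAttribute(cert, ATTR_EMAIL);
        }
        return subjectAttribute(cert, authAttr);
    }

    /** Hook-side convenience: the TLS layer has already verified the chain; chain[0] is the leaf. */
    public static String extract(HttpServletRequest request, String authAttr)
            throws CertificateParsingException, InvalidNameException {
        X509Certificate[] chain =
                (X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            return null; // no client certificate (e.g. plain HTTP): nothing to auto-login with
        }
        return extract(chain[0], authAttr);
    }

    /** First value of the given attribute type in the subject DN, type matched case-insensitively. */
    static String subjectAttribute(X509Certificate cert, String type) throws InvalidNameException {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253, OID_NAMES);
        LdapName name = new LdapName(dn);
        // RDNs come in RFC 2253 order (most specific first); a multi-valued RDN
        // yields only its first type/value pair via getType()/getValue().
        for (Rdn rdn : name.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                Object value = rdn.getValue();
                // Non-string values (hex-encoded DER, returned as byte[]) are not usable as identities.
                return value instanceof String ? (String) value : null;
            }
        }
        return null;
    }

    /** First rfc822Name (GeneralName type 1) in the SAN extension, or null if absent. */
    static String rfc822NameFromSan(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> names = cert.getSubjectAlternativeNames();
        if (names == null) {
            return null;
        }
        for (List<?> entry : names) {
            Integer generalNameType = (Integer) entry.get(0);
            if (generalNameType == 1) {
                return (String) entry.get(1);
            }
        }
        return null;
    }
}
```

The returned value is only a lookup key: the hook still has to resolve it against Liferay's user table, and a null result should fall through to the normal login rather than be treated as an error.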


Set up the server to accept HTTPS connections and require client authentication, and implement the PKI infrastructure.

Add the following settings to (ports are just examples):


IMPORTANT: Because phishing protection is not activated on auto login, regardless of the setting, there is currently a security hole when the user initiates login over an HTTP connection. Although they are redirected to HTTPS, the JSESSIONID cookie remains available to "Any type of connection" rather than "Encrypted connections only", so if the user switches back to HTTP their session persists over the insecure connection. A workaround is to disable HTTP connections altogether.

If the certificate is invalid, the browser shows a server error message such as "SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)", which is not very helpful.
