<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <title>Could Someone Provide Best Practices for Implementing Custom Authentication</title>
  <link rel="self" href="https://liferay.dev/de/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=122887155" />
  <subtitle>Could Someone Provide Best Practices for Implementing Custom Authentication</subtitle>
  <id>https://liferay.dev/de/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=122887155</id>
  <updated>2026-04-17T21:36:17Z</updated>
  <dc:date>2026-04-17T21:36:17Z</dc:date>
  <entry>
    <title>Could Someone Provide Best Practices for Implementing Custom Authentication</title>
    <link rel="alternate" href="https://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&amp;messageId=122887154" />
    <author>
      <name>Caroline Yesfir</name>
    </author>
    <id>https://liferay.dev/de/c/message_boards/find_message?p_l_id=119785294&amp;messageId=122887154</id>
    <updated>2024-08-30T13:34:07Z</updated>
    <published>2024-08-30T13:34:04Z</published>
    <summary type="html">&lt;p&gt;Hello everyone&lt;/p&gt;
&lt;p&gt;
  &lt;br&gt; I hope everybody is doing well. I'm currently working on a
  project that includes building a custom authentication method in
  Liferay 7.4, and I would like to get some guidance on best practices
  for ensuring a secure, efficient, and maintainable solution.&lt;/p&gt;
&lt;p&gt;
  &lt;br&gt; We are connecting Liferay 7.4 with a legacy system that requires
  a specific verification approach. The purpose is to allow users to log
  in to Liferay using their existing legacy system passwords.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;We must validate the credentials of users using the legacy system
    API rather than the regular Liferay user databases.&lt;/li&gt;
  &lt;li&gt;We would like to create SSO so that once users have been approved
    through the legacy system, they may use Liferay and other connected
    services without having to log in again.&lt;/li&gt;
  &lt;li&gt;We want to sync specific user data, such as roles and permissions,
    from the legacy system to Liferay during the authentication process.&lt;/li&gt;
  &lt;li&gt;If the old system is inaccessible, we need an alternate strategy
    that relies on Liferay default authentication.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We have considered the following ways but are unsure which would be
  the most effective or whether there is a better choice.&lt;br&gt; We provided
  for utilising authentication hooks to override the authenticate
  method, but we are concerned about potential breaking changes in
  future Liferay upgrades.&lt;br&gt; Another method is to create a special
  login portlet that handles the full authentication process, although
  we are not sure if this complicates the solution.&lt;br&gt; We have
  considered implementing Liferay's OAuth2 module to assist SSO
  integration; however, this would require extensive customization to
  operate with our legacy system.&lt;br&gt; Creating a REST API call to the
  legacy system during the login process appears simple; we are
  concerned about the performance effects, particularly under high traffic.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;What are the advantages and disadvantages of using authenticating
    hooks over custom login portlets in Liferay 7.4?&lt;/li&gt;
  &lt;li&gt;Has anyone successfully completed a similar integration with a
    legacy system? If so, what challenges did you experience and how did
    you deal with them?&lt;/li&gt;
  &lt;li&gt;Are there any security concerns we should be aware of when
    creating a custom authentication method?&lt;/li&gt;
  &lt;li&gt;What is the ideal approach to handling user data synchronisation
    throughout the authentication process?&lt;/li&gt;
  &lt;li&gt;How can we design a dependable failover method that uses Liferay
    authentication if the legacy system fails?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  &lt;br&gt; I would like to hear about any relevant experiences, suggestions,
  or resources that can help us make an informed decision. We want to
  keep the implementation as future-proof as possible, so any
  suggestions for avoiding typical issues would be very welcome.&lt;/p&gt;
&lt;p&gt;
  &lt;br&gt; Also I explored some topics related to this &lt;a href="https://liferay.dev/ask/questions/liferay-learn-feedback/installing-and-updating-blade-cli-document-doesn-t-actually-install-blade"&gt;https://liferay.dev/ask/questions/liferay-learn-feedback/installing-and-updating-blade-&lt;/a&gt;&lt;a href="https://www.igmguru.com/cyber-security/ccsp-isc2-certification-training"&gt;ccsp&lt;/a&gt;&lt;a href="https://liferay.dev/ask/questions/liferay-learn-feedback/installing-and-updating-blade-cli-document-doesn-t-actually-install-blade"&gt;-document-doesn-t-actually-install-blade&lt;/a&gt;
  but I did not get a sufficient solution to my query, so I would
  really like to get some help from a more experienced person.&lt;/p&gt;
&lt;p&gt;
  &lt;br&gt; Thank you in advance for your suggestions&lt;/p&gt;</summary>
    <dc:creator>Caroline Yesfir</dc:creator>
    <dc:date>2024-08-30T13:34:04Z</dc:date>
  </entry>
</feed>
