One of the primary functions of a web portal is to restrict access to different pages, content, and web applications. These kinds of portal resources should only be accessible by the appropriate users. For example, a student who logs in to a university portal should not be able to access the same resources that are available to a professor. Similarly, a patient who logs in to a health care portal should not be able to access the same resources that are available to a doctor. Some portal resources (at least a login page) should be available to users who have not logged in. In Liferay DXP, users who have not logged in are called guest users.
Liferay DXP’s Sign In portlet provides the basic means for users to log in to Liferay DXP. By default, users can also use the Sign In portlet to create new accounts or to request a password reset. The home page of a default Liferay DXP installation contains a Sign In portlet. You can access this page at http://localhost:8080/web/guest/home if you’re running Liferay DXP locally.
Even if the Sign In portlet has not been added to any Liferay DXP page that’s accessible to a guest user, users can still access it by navigating to this URL:
Note that Liferay DXP’s configured authentication type determines the type of credentials that the user needs to enter in order to log in. Liferay DXP supports three authentication types: authentication by email address, screen name, or user ID. To choose an authentication type, navigate to the Control Panel, click on Configuration → Instance Settings → Authentication and use the How do users authenticate? dropdown to make a selection. Alternatively, add the following lines to your portal-ext.properties file, uncomment the appropriate line, comment out the others, and restart your Liferay DXP server.
company.security.auth.type=emailAddress
#company.security.auth.type=screenName
#company.security.auth.type=userId
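A mistake that is easy to make with the snippet above is leaving more than one line uncommented. The following check is an added example, not part of the Liferay documentation or code base: it scans the text of a portal-ext.properties file for active `company.security.auth.type` lines. It assumes a simplified properties syntax (no continuation lines), it looks only at the file and not at Control Panel settings, and the sample input is constructed.

```python
import re

AUTH_KEY = "company.security.auth.type"
VALID_TYPES = {"emailAddress", "screenName", "userId"}  # the three types shown above
DEFAULT_TYPE = "emailAddress"  # the default authentication type, per this page

# Constructed sample: screenName was uncommented, but the emailAddress
# line was never commented out.
SAMPLE = """\
# Authentication type
company.security.auth.type=emailAddress
company.security.auth.type=screenName
#company.security.auth.type=userId
"""

def active_auth_lines(text):
    """Return (line_number, value) for every uncommented auth-type line."""
    found = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # '#' and '!' start comments in .properties
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match and match.group(1) == AUTH_KEY:
            found.append((number, match.group(2).strip()))
    return found

def audit_auth_type(text):
    """Return (configured_type_or_None, warnings) for a properties file body."""
    active = active_auth_lines(text)
    if not active:
        return DEFAULT_TYPE, ["no active line in this file; the default applies"]
    warnings = [f"line {n}: unrecognized value {v!r}"
                for n, v in active if v not in VALID_TYPES]
    if len(active) > 1:
        lines = ", ".join(str(n) for n, _ in active)
        warnings.append(f"lines {lines} are all active; comment out all but one")
        return None, warnings  # ambiguous: do not guess which line takes effect
    return active[0][1], warnings

if __name__ == "__main__":
    configured, warnings = audit_auth_type(SAMPLE)
    print("configured auth type:", configured)
    for warning in warnings:
        print("warning:", warning)
```
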
Liferay DXP’s default authentication type uses users’ email addresses. Users’ screen names or user IDs can be used instead. Screen names are chosen when a new account is created either by the user or by an administrator. User IDs are autogenerated by Liferay DXP. Regardless of which authentication type is configured, users must always enter a password to log in to Liferay DXP.
By default, guest users can create accounts on your portal by clicking on the Create Account link in the Sign In portlet, completing the form, and submitting it. If a user already has an account but has forgotten its password, the user can click on the Forgot Password link to request a password reset. Both the Create Account form and the Forgot Password form include a CAPTCHA-based text verification field. Using CAPTCHA prevents bots from submitting these forms. Liferay DXP can be configured to use reCAPTCHA instead of CAPTCHA. One advantage of using reCAPTCHA is that it can allow visually impaired users to pass the test. To configure Liferay DXP to use reCAPTCHA, navigate to the Control Panel, then click on System → Server Administration → CAPTCHA.
The security requirements of some web portals require that all user accounts be created by administrators. Liferay DXP supports this use case by allowing the Create Account link to be removed. To prevent guest users from creating new user accounts, navigate to the Control Panel, click on Configuration → Instance Settings → Authentication and uncheck the Allow strangers to create accounts? box. You can also disallow users from requesting forgotten passwords or from requesting password reset links by unchecking the appropriate boxes.
Remember that the Sign In portlet provides the most basic way for users to log in to Liferay DXP, but it’s not the only way. Liferay DXP allows user accounts to be imported from and exported to LDAP directories. Liferay DXP can be configured to use single sign-on (SSO) solutions. Liferay DXP also supports token-based authentication, a mechanism that allows remote web applications to authenticate to Liferay DXP. Please refer to the other articles in this section for more information. Finally, remember that Liferay DXP’s user authentication and remote application authentication mechanisms are extensible.