Posted to pluto-user@portals.apache.org by "Dr. Michael Lipp" <Mi...@danet.de> on 2006/12/13 09:59:17 UTC

Portlet applications and security

Hi,

I'm trying to secure a portlet application. So I have added the
"security-constraint" section to its web.xml (btw, environment is
JBoss-4.0.4, i.e. Tomcat 5.5.x).

Invoking the portlet still works (I suspect that security constraints
aren't checked in the cross context invocation from the portal to the
portlet). But my portlet application also includes a servlet for
resource delivery. When the browser tries to load these resources (while
rendering the portlet's content) access to the resource servlet fails
(403 access denied).

I have checked that the browser uses the same session cookie when
requesting the portal page and when requesting the resources from the
portlet application.

Obviously, the security context established in the initial portal
request is not used when accessing the resource servlet, although the
session is the same.

Is this a bug? A feature? Any help appreciated.

Regards,

    Michael

-- 
Dr. Michael N. Lipp
Solution Architect

Danet GmbH, Gutenbergstraße 10, 64331 Weiterstadt, Germany
Phone: +49 6151 868-476, Fax: +49 6151 868-264
eMail: Michael.Lipp@danet.de, URL: www.danet.com
-----------------------------------------------------------------------
Managing Board: Dr. Reiner Nickel (CEO), Dr. Burkhard Austermühl (CFO);
Chairman of the Supervisory Board: Jaques Bentz; Address of Record:
Weiterstadt; Commercial Register: Amtsgericht Darmstadt HRB 6450;
Tax Number: DE 172 993 071

Re: Portlet applications and security

Posted by David García <da...@gmail.com>.
Hi,

Assuming you have set up your security constraint in both web
applications (portal & portlets+servlet), a solution is to enable
single-sign-on in JBoss. As far as I remember, you just have to
uncomment the following line:
   <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
in server/default/deploy/jbossweb-tomcat55.sar/server.xml

More info: http://wiki.jboss.org/wiki/Wiki.jsp?page=SingleSignOn

   David

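The two pieces of configuration David's reply takes for granted, written out as an added example (not configuration from the thread or from Pluto/JBoss itself): a security-constraint in the portlet application's web.xml that covers the resource servlet, and the SingleSignOn valve uncommented inside the <Host> element of the JBoss 4.0.x server.xml. The servlet class, the /resources/* URL pattern, the portal-user role, the login pages and the java:/jaas/portal security domain are assumptions chosen for illustration. The example also makes explicit why the portlet itself kept working: the container checks security constraints on the incoming HTTP request URL, not on cross-context RequestDispatcher includes, so only the browser's direct request to the resource servlet was ever challenged.

```xml
<!-- ========================================================================
     1. Portlet application: WEB-INF/web.xml (added example, names assumed)
     ======================================================================== -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Servlet that delivers images/CSS/JS referenced from the portlet markup.
       The class name is hypothetical. -->
  <servlet>
    <servlet-name>ResourceServlet</servlet-name>
    <servlet-class>com.example.portlet.ResourceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ResourceServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>

  <!-- The browser fetches /resources/* directly, so this constraint IS
       enforced. The portal's cross-context include of the portlet is a
       RequestDispatcher call and is not re-checked by the container. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portlet resources</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>portal-user</role-name>   <!-- role name assumed -->
    </auth-constraint>
  </security-constraint>

  <!-- Every application that should take part in SSO still needs its own
       login-config; the valve only shares the *result* of authentication. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>portal-user</role-name>
  </security-role>
</web-app>

<!-- ========================================================================
     2. Portlet application: WEB-INF/jboss-web.xml (added example)
     The portal and the portlet application must authenticate against the
     same JBoss security domain, otherwise the shared SSO entry carries a
     principal the second application does not recognise.
     ======================================================================== -->
<jboss-web>
  <security-domain>java:/jaas/portal</security-domain>  <!-- domain name assumed -->
</jboss-web>

<!-- ========================================================================
     3. server/default/deploy/jbossweb-tomcat55.sar/server.xml (excerpt)
     Only the Valve line changes: in the shipped file it is commented out.
     ======================================================================== -->
<Server>
  <Service name="jboss.web">
    <Engine name="jboss.web" defaultHost="localhost">

      <!-- Realm as shipped with JBoss 4.0.x; left unchanged. SSO requires
           all participating web applications to share this Realm, so it
           belongs on the Engine or Host, not inside an individual Context. -->
      <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm" />

      <Host name="localhost" autoDeploy="false"
            deployOnStartup="false" deployXML="false">

        <!-- Enable Tomcat single sign-on for every web application deployed
             on this virtual host. Once a user has authenticated to any one
             of them, the authenticated principal is reused by the others. -->
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

      </Host>
    </Engine>
  </Service>
</Server>
```

How to verify it after restarting JBoss: log in to the portal in a browser and inspect the cookies for the host. Besides each application's own JSESSIONID there should now be a host-scoped JSESSIONIDSSO cookie, and the subsequent request to /resources/* in the portlet application should return 200 instead of 403. Two caveats worth knowing before relying on this: the valve only links applications on the same virtual Host that share the same Realm (and, on JBoss, the same security domain), and invalidating the session in any one participating application terminates the single sign-on session for all of them, which may be surprising if the portal and the portlet application have different session timeouts.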