Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@yahoo.ca> on 2005/09/08 22:42:59 UTC
[J2] More Security Questions
So I spent a great deal of today looking at portlet specifications, APIs and
reading over the jetspeed 2 security documentation.
It looks as though the j2 security model will be quite comprehensive, but it is
somewhat overwhelming. I have 3 relatively simple tasks that I need to do and
I am hoping that there are easy answers to them:
1. I need to apply role based access control to not only psml pages but to
access to portlets themselves. It is conceivable that even if there were psml
protection, one could devise some kind of URL to gain access to a portlet, no?
So, on this topic, how does one accomplish this? I read the discussion around
the Permission Manager and was somewhat lost. There seems to be no GUI for
managing perms and associating them with roles. How do I create permissions
for my portlets, assign them to roles and enforce them? I do not understand
the purpose or function of the Profiler "rules" at all. Perhaps this is what
I am missing.
Is there more documentation than what is at:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
2. I need to make my user administration interface *require* a predefined set
of user attributes and I'll need to do validation on them. Am I going to have
to heavily customize the portlets which control this or is there some way to
do this through configuration? This url:
http://portals.apache.org/jetspeed-2/user-attributes.html
mentions that "Concrete User attributes are stored using User Preferences for
which Jetspeed-2 provides its own database back end for storage (which is
customizable by the way like almost any component of Jetspeed-2)". But does
not provide any details around what I need to accomplish above. I would think
this would be a relatively common requirement.
3. If I use jetspeed's datastore as my master for user accounts, I will no
doubt need to replicate some data to another database. I shall need to
override the UserManager interface I should think. Is doing this just a
matter of extending org.apache.jetspeed.security.impl.UserManagerImpl,
putting it in WEB-INF/classes and changing the configured class in
WEB-INF/assembly/security-managers.xml?
Comments on the above questions will be greatly appreciated.
thx,
aaron
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: [J2] More Security Questions
Posted by Randy Watler <wa...@wispertel.net>.
Aaron,
Next time, post your questions in separate emails... makes it easier to
reply to one thread... :-)
>1. I need to apply role based access control to not only psml pages but to
>access to portlets themselves.
>
One can use PSML Security Constraints or JAAS Security Permissions. The
PageManager supports both and can be configured using the Spring
assembly/page-manager.xml file.
Security constraints are far more popular to date, so there is more
documentation available on that approach.
Portlet level security beyond what is available in the JSR-168 API is
not implemented at the moment. There is a JIRA issue open on this and we
are considering adding constraint support at the PSML Fragment level.
> It is conceivable that even if there were psml
>protection, one could devise some kind of URL to gain access to a portlet, no?
>
>
No, not AFAIK.
>So, on this topic, how does one accomplish this? I read the discussion around
>the Permission Manager and was somewhat lost. There seems to be no GUI for
>managing perms and associating them with roles. How do I create permissions
>for my portlets, assign them to roles and enforce them?
>
Like I said, the JAAS Security Permissions is much less popular. Most
people use the PSML Security Constraints support in the Folder and Page
PSML.
> I do not understand
>the purpose or function of the Profiler "rules" at all. Perhaps this is what
>I am missing.
>
The Profiler is an important piece of the access control toolbox. Check
out the archives to this list and/or the profiler/pagemanager/portalsite
component design docs available from SVN HEAD.
>Is there more documentation than what is at:
>http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
>
>
>
See: PSML Constraints: http://portals.apache.org/jetspeed-2/bronco.html
HTH,
Randy
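
The portlet-level check that the JSR-168 API itself offers, as mentioned in the reply above, sketched as an added example (not code from this thread or from Jetspeed; the class name ManagerReportPortlet and the role name "manager" are hypothetical). It enforces the role in both the action and render phases and denies by default:

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

// Hypothetical portlet: class name and role name are illustrative only.
public class ManagerReportPortlet extends GenericPortlet {

    // Assumed role; declare it in a <security-role-ref> for this portlet
    // in portlet.xml so the container can map it to a real role.
    private static final String REQUIRED_ROLE = "manager";

    // Deny by default: anonymous users and users without the role fail.
    private static boolean isAllowed(PortletRequest request) {
        return request.getRemoteUser() != null
                && request.isUserInRole(REQUIRED_ROLE);
    }

    // Guard the action phase too; checking only in doView would leave
    // state-changing requests unprotected.
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (!isAllowed(request)) {
            throw new PortletSecurityException("role required: " + REQUIRED_ROLE);
        }
        response.setRenderParameter("status", "updated");
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if (!isAllowed(request)) {
            // Render nothing sensitive for unauthorized callers.
            out.println("<p>Not authorized.</p>");
            return;
        }
        String status = request.getParameter("status");
        out.println("<p>Manager report" + (status != null ? " (updated)" : "") + "</p>");
    }
}
```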
Re: [J2] More Security Questions
Posted by David Sean Taylor <da...@bluesunrise.com>.
Aaron Evans wrote:
> So I spent a great deal of today looking at portlet specifications, APIs and
> reading over the jetspeed 2 security documentation.
>
> It looks as though the j2 security model will be quite comprehensive, but it is
> somewhat overwhelming. I have 3 relatively simple tasks that I need to do and
> I am hoping that there are easy answers to them:
>
> 1. I need to apply role based access control to not only psml pages but to
> access to portlets themselves. It is conceivable that even if there were psml
> protection, one could devise some kind of URL to gain access to a portlet, no?
>
Well, you could turn off all security in your portal via the pipeline
assembly if you'd like to open it up.
I thought that the portlet pipeline was left open, but a double check
shows it runs through the security valve.
> So, on this topic, how does one accomplish this? I read the discussion around
> the Permission Manager and was somewhat lost. There seems to be no GUI for
> managing perms and associating them with roles. How do I create permissions
> for my portlets, assign them to roles and enforce them? I do not understand
> the purpose or function of the Profiler "rules" at all. Perhaps this is what
> I am missing.
>
No GUI at this time...
Over the next few weeks I'll be refactoring the aggregator. I will look
into (optionally) re-enabling the security policy checks before
rendering a portlet. There are 3 kinds of resources that can be
protected by our policy: folders, pages, portlets. Jetspeed-1 had pages,
portlets and portlet instances. If you look at the DB population scripts
there are some examples of java security policy inserts for ex:
INSERT INTO SECURITY_PERMISSION
VALUES(50,'org.apache.jetspeed.security.FolderPermission','/__subsite-root','view','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
Have a look here:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-commons/apidocs/org/apache/jetspeed/security/
> Is there more documentation than what is at:
> http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
>
> 2. I need to make my user administration interface *require* a predefined set
> of user attributes and I'll need to do validation on them. Am I going to have
> to heavily customize the portlets which control this or is there some way to
> do this through configuration? This url:
> http://portals.apache.org/jetspeed-2/user-attributes.html
>
> mentions that "Concrete User attributes are stored using User Preferences for
> which Jetspeed-2 provides its own database back end for storage (which is
> customizable by the way like almost any component of Jetspeed-2)". But does
> not provide any details around what I need to accomplish above. I would think
> this would be a relatively common requirement.
I had to read this 3 times and I'm still not sure what this relatively
common requirement is. I'll suggest that you can programmatically update
User attributes:
// via jetspeed service
User user = userManager.getUser(userid);
user.getUserAttributes().put("person.name", personName);
And of course you can retrieve the attributes via the portlet API.
And if you require your own backend, replace the user attributes impl
with your own in the userinfo.xml assembly.
>
> 3. If I use jetspeed's datastore as my master for user accounts, I will no
> doubt need to replicate some data to another database. I shall need to
> override the UserManager interface I should think. Is doing this just a
> matter of extending org.apache.jetspeed.security.impl.UserManagerImpl,
> putting it in WEB-INF/classes and changing the configured class in
> WEB-INF/assembly/security-managers.xml?
>
Best not to override UserManagerImpl, and instead provide your own SPIs:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
--
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194