Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@yahoo.ca> on 2005/09/08 22:42:59 UTC

[J2] More Security Questions

So I spent a great deal of today looking at portlet specifications, APIs and 
reading over the jetspeed 2 security documentation.

It looks as though the j2 security model will be quite comprehensive, but it is 
somewhat overwhelming.   I have 3 relatively simple tasks that I need to do and 
I am hoping that there are easy answers to them:

1. I need to apply role based access control to not only psml pages but to 
access to portlets themselves.  It is conceivable that even if there were psml 
protection, one could devise some kind of URL to gain access to a portlet, no?

So, on this topic, how does one accomplish this?  I read the discussion around 
the Permission Manager and was somewhat lost. There seems to be no GUI for 
managing perms and associating them with roles.  How do I create permissions 
for my portlets, assign them to roles and enforce them?  I do not understand 
the purpose or function of the Profiler "rules" at all. Perhaps this is what 
I am missing.

Is there more documentation than what is at:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html

2. I need to make my user administration interface *require* a predefined set 
of user attributes and I'll need to do validation on them.  Am I going to have 
to heavily customize the portlets which control this or is there some way to 
do this through configuration? This url:
http://portals.apache.org/jetspeed-2/user-attributes.html

mentions that "Concrete User attributes are stored using User Preferences for 
which Jetspeed-2 provides its own database back end for storage (which is 
customizable by the way like almost any component of Jetspeed-2)".  But does 
not provide any details around what I need to accomplish above.  I would think 
this would be a relatively common requirement.

3. If I use jetspeed's datastore as my master for user accounts, I will no 
doubt need to replicate some data to another database.  I shall need to 
override the UserManager interface I should think.  Is doing this just a 
matter of extending org.apache.jetspeed.security.impl.UserManagerImpl, 
putting it in WEB-INF/classes and changing the configured class in
WEB-INF/assembly/security-managers.xml?

Comments on the above questions will be greatly appreciated.

thx,
aaron



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: [J2] More Security Questions

Posted by Randy Watler <wa...@wispertel.net>.
Aaron,

Next time, post your questions in separate emails... makes it easier to 
reply to one thread... :-)

>1. I need to apply role based access control to not only psml pages but to 
>access to portlets themselves.
>
One can use PSML Security Constraints or JAAS Security Permissions. The 
PageManager supports both and can be configured using the Spring 
assembly/page-manager.xml file.

Security constraints are far more popular to date, so there is more 
documentation available on that approach.

Portlet level security beyond what is available in the JSR-168 API is 
not implemented at the moment. There is a JIRA issue open on this and we 
are considering adding constraint support at the PSML Fragment level.

>  It is conceivable that even if there were psml 
>protection, one could devise some kind of URL to gain access to a portlet, no?
>  
>
No, not AFAIK.

>So, on this topic, how does one accomplish this?  I read the discussion around 
>the Permission Manager and was somewhat lost. There seems to be no GUI for 
>managing perms and associating them with roles.  How do I create permissions 
>for my portlets, assign them to roles and enforce them?
>
Like I said, the JAAS Security Permissions are much less popular. Most 
people use the PSML Security Constraints support in the Folder and Page 
PSML.

>  I do not understand 
>the purpose or function of the Profiler "rules" at all. Perhaps this is what 
>I am missing.
>
The Profiler is an important piece of the access control toolbox. Check 
out the archives to this list and/or the profiler/pagemanager/portalsite 
component design docs available from SVN HEAD.

>Is there more documentation than what is at:
>http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
>
>  
>
See: PSML Constraints: http://portals.apache.org/jetspeed-2/bronco.html


HTH,

Randy




Re: [J2] More Security Questions

Posted by David Sean Taylor <da...@bluesunrise.com>.
Aaron Evans wrote:
> So I spent a great deal of today looking at portlet specifications, APIs and 
> reading over the jetspeed 2 security documentation.
> 
> It looks as though the j2 security model will be quite comprehensive, but it is 
> somewhat overwhelming.   I have 3 relatively simple tasks that I need to do and 
> I am hoping that there are easy answers to them:
> 
> 1. I need to apply role based access control to not only psml pages but to 
> access to portlets themselves.  It is conceivable that even if there were psml 
> protection, one could devise some kind of URL to gain access to a portlet, no?
> 
Well, you could turn off all security in your portal via the pipeline 
assembly if you'd like to open it up.

I thought that the portlet pipeline was left open, but a double check 
shows it runs through the security valve.

> So, on this topic, how does one accomplish this?  I read the discussion around 
> the Permission Manager and was somewhat lost. There seems to be no GUI for 
> managing perms and associating them with roles.  How do I create permissions 
> for my portlets, assign them to roles and enforce them?  I do not understand 
> the purpose or function of the Profiler "rules" at all. Perhaps this is what 
> I am missing.
> 
No GUI at this time...

Over the next few weeks I'll be refactoring the aggregator. I will look 
into (optionally) re-enabling the security policy checks before 
rendering a portlet. There are 3 kinds of resources that can be 
protected by our policy: folders, pages, portlets. Jetspeed-1 had pages, 
portlets and portlet instances. If you look at the DB population scripts 
there are some examples of java security policy inserts for ex:

INSERT INTO SECURITY_PERMISSION
VALUES(50,'org.apache.jetspeed.security.FolderPermission','/__subsite-root','view','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');

Have a look here:

http://portals.apache.org/jetspeed-2/multiproject/jetspeed-commons/apidocs/org/apache/jetspeed/security/


> Is there more documentation than what is at:
> http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html
> 
> 2. I need to make my user administration interface *require* a predefined set 
> of user attributes and I'll need to do validation on them.  Am I going to have 
> to heavily customize the portlets which control this or is there some way to 
> do this through configuration? This url:
> http://portals.apache.org/jetspeed-2/user-attributes.html
> 
> mentions that "Concrete User attributes are stored using User Preferences for 
> which Jetspeed-2 provides its own database back end for storage (which is 
> customizable by the way like almost any component of Jetspeed-2)".  But does 
> not provide any details around what I need to accomplish above.  I would think 
> this would be a relatively common requirement.

I had to read this 3 times and I'm still not sure what this relatively 
common requirement is. I'll suggest that you can programmatically update 
User attributes:

// via jetspeed service
User user = userManager.getUser(userid);
user.getUserAttributes().put("person.name", personName);

and of course you can retrieve the attributes via the portlet API

and if you require your own backend, replace the user attributes impl 
with your own in the userinfo.xml assembly

> 
> 3. If I use jetspeed's datastore as my master for user accounts, I will no 
> doubt need to replicate some data to another database.  I shall need to 
> override the UserManager interface I should think.  Is doing this just a 
> matter of extending org.apache.jetspeed.security.impl.UserManagerImpl, 
> putting it in WEB-INF/classes and changing the configured class in
> WEB-INF/assembly/security-managers.xml?
> 
Best not to override UserManagerImpl, and instead provide your own SPIs:

http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/index.html


-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194
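
Added example (not part of the original thread, and not Jetspeed's own code): a JDK-only sketch of how a policy row like the FolderPermission insert above, a resource path plus an action granted to a role, can be evaluated deny-by-default before a resource is rendered. ResourcePermission, GRANTS, isAllowed and the role names are hypothetical stand-ins, and exact path matching is an assumption.

```java
import java.security.Permission;
import java.util.*;

public class PolicyCheckDemo {
    // Hypothetical stand-in for a path-plus-actions permission such as the
    // FolderPermission row above; built on the JDK only, not Jetspeed's class.
    static final class ResourcePermission extends Permission {
        private final Set<String> actions;
        ResourcePermission(String path, String actions) {
            super(path);
            this.actions = new TreeSet<>(Arrays.asList(actions.split("\\s*,\\s*")));
        }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof ResourcePermission)) return false;
            ResourcePermission other = (ResourcePermission) p;
            // Assumption: exact path match only, no wildcard semantics.
            return getName().equals(other.getName()) && actions.containsAll(other.actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) {
            return o instanceof ResourcePermission
                && getName().equals(((ResourcePermission) o).getName())
                && actions.equals(((ResourcePermission) o).actions);
        }
        @Override public int hashCode() { return Objects.hash(getName(), actions); }
    }

    // Constructed role-to-permission grants; "user" is an assumed role name.
    static final Map<String, List<Permission>> GRANTS = Map.of(
        "user", List.of(new ResourcePermission("/__subsite-root", "view")));

    // Deny by default: allow only if some role the caller holds has a grant
    // that implies the requested permission.
    static boolean isAllowed(Collection<String> roles, Permission requested) {
        for (String role : roles)
            for (Permission granted : GRANTS.getOrDefault(role, List.of()))
                if (granted.implies(requested)) return true;
        return false;
    }

    public static void main(String[] args) {
        Permission view = new ResourcePermission("/__subsite-root", "view");
        Permission edit = new ResourcePermission("/__subsite-root", "edit");
        System.out.println("user view:  " + isAllowed(List.of("user"), view));
        System.out.println("user edit:  " + isAllowed(List.of("user"), edit));
        System.out.println("guest view: " + isAllowed(List.of("guest"), view));
    }
}
```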
