You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jetspeed-user@portals.apache.org by Prashanth Gujjeti <Pr...@transerainc.com> on 2005/08/25 20:59:41 UTC

[J2] Security - Specifying the policies

Hi all,
  We are trying to hook-up our own custom security valve into the
Jetspeed2 pipeline to bypass the J2's authentication mechanism as
suggested in the forums. We created the Security Valve and we are able
to bypass the authentication successfully. Thanks a bunch to Randy and
others who answered our previous queries.

However, I have a couple of questions regarding the authorization
policies. How do we define Security permissions, say for a role? One way
to accomplish this is through the PSML pages/folder metadata/global
security preferences. But, how do we define a policy that defines the
security preferences based on a Principal (role/group/user). Here is
what I could figure out from J2's schema:

- SECURITY_PRINCIPAL defines roles, groups, and users.

- SECURITY_PERMISSION defines security permissions (on folders, and
pages. I didn't find any for portlets)

- PRINCIPAL_PERMISSION relates the principals and permissions
effectively providing different permissions based on role/user/group

How could we add permission entries to these tables (effectively
defining policies per user/group/role)? And how would these permissions
aggregate. i.e. If a given user's principals (user/role/geoup) have
conflicting permissions, which one would take precedence?

Essentially, we are trying to create a security policy based on the
principals, rather than having to manage the distributed security
constraints under the various PSML/folder.metadata files. The security
design-doc -
{JETSPEED-SRC}/design-docs/src/security/SecurityDesignNotes.txt -
mentions something about granting principals:

###########
grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
  permission o.a.j.security.PagePermission "mypage", "view";
  permission o.a.j.security.PortletPermission "myportlet",
"view,edit,minimize,maximize";
  permission o.a.j.security.TabPermission "mytab", "view";
};   
###########

Where do we define these security policies/prinicipals? I am not
well-versed with JAAS - so please excuse my ignorance, if these
questions are too fundamental. I could provide more details, if
required.

Your comments/answers are much appreciated.

Thanks
- Prashanth

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org

Re: [J2] Security - Specifying the policies

Posted by Randy Watler <wa...@wispertel.net>.

Prashanth,

There are two security models available... see this in page-manager.xml:

<bean id="org.apache.jetspeed.page.PageManager"
name="pageManager"
class="org.apache.jetspeed.page.impl.CastorXmlPageManager">
<constructor-arg index="0"><ref bean="IdGenerator"/></constructor-arg>
<constructor-arg index="1"><ref 
bean="DocumentHandlerFactory"/></constructor-arg>
<constructor-arg index="2"><ref bean="FolderHandler"/></constructor-arg>
<constructor-arg index="3"><ref bean="PageFileCache"/></constructor-arg>
<!-- permissions security enabled flag, default=false -->
<constructor-arg index="4"><value>false</value></constructor-arg>
<!-- constraints security enabled flag, default=true -->
<constructor-arg index="5"><value>true</value></constructor-arg>
</bean>

You will want to disable the constraints, (PSML), and enable the 
permissions, (java.security/FilePermission). Then, look here in 
populate-userinfo-for-default-psml.sql:

INSERT INTO SECURITY_PERMISSION 
VALUES(1,'org.apache.jetspeed.security.FolderPermission','<<ALL 
FILES>>','view, edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(2,'org.apache.jetspeed.security.FolderPermission','<<ALL 
FILES>>','view','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(3,'org.apache.jetspeed.security.FolderPermission','/','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(4,'org.apache.jetspeed.security.FolderPermission','/*','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(5,'org.apache.jetspeed.security.FolderPermission','/non-java/-','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(6,'org.apache.jetspeed.security.FolderPermission','/third-party/-','view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(7,'org.apache.jetspeed.security.FolderPermission','/Public','view, 
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(8,'org.apache.jetspeed.security.FolderPermission','/Public/-','view, 
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(9,'org.apache.jetspeed.security.FolderPermission','/anotherdir/-','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(10,'org.apache.jetspeed.security.FolderPermission','/top-links/-','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(11,'org.apache.jetspeed.security.PagePermission','/default-page.psml','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(12,'org.apache.jetspeed.security.PagePermission','/rss.psml','view','2004-05-22 
16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(13,'org.apache.jetspeed.security.FolderPermission','/_user/user','view, 
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO SECURITY_PERMISSION 
VALUES(14,'org.apache.jetspeed.security.FolderPermission','/_user/user/-','view, 
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');
INSERT INTO PRINCIPAL_PERMISSION VALUES(3,13);
INSERT INTO PRINCIPAL_PERMISSION VALUES(3,14);
INSERT INTO PRINCIPAL_PERMISSION VALUES(6,1);
INSERT INTO PRINCIPAL_PERMISSION VALUES(7,2);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,3);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,4);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,5);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,6);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,8);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,9);
INSERT INTO PRINCIPAL_PERMISSION VALUES(8,10);
INSERT INTO PRINCIPAL_PERMISSION VALUES(10,3);
INSERT INTO PRINCIPAL_PERMISSION VALUES(10,7);
INSERT INTO PRINCIPAL_PERMISSION VALUES(10,8);
INSERT INTO PRINCIPAL_PERMISSION VALUES(10,11);
INSERT INTO PRINCIPAL_PERMISSION VALUES(10,12);

This attempts to set similar permissions to the constraints in the PSML 
for the demo site. Note that the two models differ slightly and the 
constraint model has a few features that cannot be supported here.

HTH,

Randy

Prashanth Gujjeti wrote:

>Hi all,
>  We are trying to hook-up our own custom security valve into the
>Jetspeed2 pipeline to bypass the J2's authentication mechanism as
>suggested in the forums. We created the Security Valve and we are able
>to bypass the authentication successfully. Thanks a bunch to Randy and
>others who answered our previous queries.
>
>However, I have a couple of questions regarding the authorization
>policies. How do we define Security permissions, say for a role? One way
>to accomplish this is through the PSML pages/folder metadata/global
>security preferences. But, how do we define a policy that defines the
>security preferences based on a Principal (role/group/user). Here is
>what I could figure out from J2's schema:
>
>- SECURITY_PRINCIPAL defines roles, groups, and users.
>
>- SECURITY_PERMISSION defines security permissions (on folders, and
>pages. I didn't find any for portlets)
>
>- PRINCIPAL_PERMISSION relates the principals and permissions
>effectively providing different permissions based on role/user/group
>
>How could we add permission entries to these tables (effectively
>defining policies per user/group/role)? And how would these permissions
>aggregate. i.e. If a given user's principals (user/role/geoup) have
>conflicting permissions, which one would take precedence?
>
>Essentially, we are trying to create a security policy based on the
>principals, rather than having to manage the distributed security
>constraints under the various PSML/folder.metadata files. The security
>design-doc -
>{JETSPEED-SRC}/design-docs/src/security/SecurityDesignNotes.txt -
>mentions something about granting principals:
>
>###########
>grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
>  permission o.a.j.security.PagePermission "mypage", "view";
>  permission o.a.j.security.PortletPermission "myportlet",
>"view,edit,minimize,maximize";
>  permission o.a.j.security.TabPermission "mytab", "view";
>};   
>###########
>
>Where do we define these security policies/prinicipals? I am not
>well-versed with JAAS - so please excuse my ignorance, if these
>questions are too fundamental. I could provide more details, if
>required.
>
>Your comments/answers are much appreciated.
>
>Thanks
>- Prashanth
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
>
>
>  
>



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org