Posted to jetspeed-user@portals.apache.org by p_...@volny.cz on 2010/02/08 01:51:49 UTC

Security constraints working, at portlet/portlet app level?

Is security constraint enforcement implemented for portlets?

Constraints work fine for me when used with pages and folders.

But on the level of portlets, whether I configure a 'deny' constraint
with jetspeed-portlet.xml
(at app level or portlet level) or using the Admin portlet to edit the
portlet metadata, my portlet still renders itself on the page without
complaint even when the user's not logged in. It happens even if I delete
the user view/edit Permission that's created by default for my portal
app war.

I am guessing that this doesn't bother people because they use only page-level
security? Or they secure only one page's instance of a portlet via a
fragment?

Just to check that it's not my portlet specifically, I stuck an instance
of j2-admin::RegistryApplicationsList on my subsite home page (portlet
should have constraint 'admin' from its app) and it too gets displayed
even when a user's not logged in.

Maybe it's a configuration flag somewhere, or maybe I've just failed
to grasp how the security inheritance and permission/constraint combination
works.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: Security constraints working, at portlet/portlet app level?

Posted by p_...@volny.cz.
That's great, thanks!

I had read the guide to declarative security, and in its otherwise very
clear and detailed explanations it doesn't note that render time checking
is disabled by default for portlets. Neither does the portlet registry
guide, unless it escaped me.

I think most people would assume that Jetspeed enforces *all* your security
declarations by default.

Maybe someone could paste the relevant part of the email into the documentation?
In the declarative security guide there are nice paragraphs about securing
pages and fragments, and a note that enforcement is on by default -
a similar paragraph for portlets would save people puzzlement. Apologies
if there is one and I've just missed it.

----- ORIGINAL MESSAGE -----
From: "David Sean Taylor" <d....@onehippo.com>
To: "Jetspeed Users List" <je...@portals.apache.org>
Subject: Re: Security constraints working, at portlet/portlet app
Date: 8.2.2010 - 21:57:10

> On Sun, Feb 7, 2010 at 4:51 PM, <p_...@volny.cz>
> wrote:
> 
> > Is security constraint enforcement implemented for
> > portlets?
> > >
> > Yes. This question was answered on Jan 21, 2010,
> > I will re-paste it in:
> > 
> Finally, as a last resort/catch-all handling, you can
> also enforce security
> constraints checking at render time.
> 
> If enabled (default: false), a portlet which is not
> accessible to be viewed
> by the user, regardless of the current page or fragment,
> will not be rendered
> and an "Access Denied" error message will be rendered
> instead.
> To enable this feature, you'll have to change a Spring
> configuration setting
> in WEB-INF/assembly/aggregation.xml.
> Find bean with id="org.apache.jetspeed.aggregator.PortletRenderer"
> and
> change the 4th constructor-arg element from false ->
> true
> (see also inline comment in the bean definition)
> 
> <!-- Portlet Renderer -->
> <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
> class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
> init-method="start" destroy-method="stop">
> <meta key="j2:cat" value="default" />
> <constructor-arg>
> <ref bean="org.apache.pluto.PortletContainer" />
> </constructor-arg>
> <constructor-arg>
> <ref bean="org.apache.jetspeed.aggregator.WorkerMonitor"
> />
> </constructor-arg>
> <constructor-arg>
> <ref bean="PortalStatistics" />
> </constructor-arg>
> <constructor-arg>
> <ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager"
> />
> </constructor-arg>
> <!-- flag indicating whether to check jetspeed-portlet.xml
> security
> constraints
> before rendering a portlet. If security check fails,
> do not display
> portlet content
> -->
> <constructor-arg type="boolean">
> <value>true</value>
> </constructor-arg>
> <constructor-arg>
> <ref bean="org.apache.jetspeed.security.SecurityAccessController"
> />
> </constructor-arg>
> <constructor-arg>
> <ref bean="portletContentCache" />
> </constructor-arg>
> </bean>
> 
> 
> NOTE: The Portlet Selector filters out portlets based
> on security constraint
> checks as well





Re: Security constraints working, at portlet/portlet app level?

Posted by David Sean Taylor <d....@onehippo.com>.
On Sun, Feb 7, 2010 at 4:51 PM, <p_...@volny.cz> wrote:

> Is security constraint enforcement implemented for portlets?
>
> Yes. This question was answered on Jan 21, 2010, I will re-paste it in:

Finally, as a last resort/catch-all handling, you can also enforce security
constraints checking at render time.

If enabled (default: false), a portlet which is not accessible to be viewed
by the user, regardless of the current page or fragment, will not be rendered
and an "Access Denied" error message will be rendered instead.
To enable this feature, you'll have to change a Spring configuration setting
in WEB-INF/assembly/aggregation.xml.
Find bean with id="org.apache.jetspeed.aggregator.PortletRenderer" and
change the 4th constructor-arg element from false -> true
(see also inline comment in the bean definition)

 <!-- Portlet Renderer -->
 <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
   class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
init-method="start" destroy-method="stop">
   <meta key="j2:cat" value="default" />
   <constructor-arg>
     <ref bean="org.apache.pluto.PortletContainer" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.aggregator.WorkerMonitor" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="PortalStatistics" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager" />
   </constructor-arg>
   <!-- flag indicating whether to check jetspeed-portlet.xml security
constraints
     before rendering a portlet. If security check fails, do not display
portlet content
   -->
   <constructor-arg type="boolean">
     <value>true</value>
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.security.SecurityAccessController" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="portletContentCache" />
   </constructor-arg>
 </bean>


NOTE: The Portlet Selector filters out portlets based on security constraint
checks as well
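As an added example (this is not code from the thread or from the Jetspeed project): a small Python check that parses WEB-INF/assembly/aggregation.xml and reports whether the boolean constructor-arg on the PortletRenderer bean is "true", i.e. whether render-time constraint checking is switched on. It assumes only the bean layout quoted in this thread; the function and constant names are my own, and the sample XML embedded below is constructed to mirror that bean, with the Spring beans namespace declaration a real assembly file usually carries.

```python
# Added example, not part of the Jetspeed project: verify that the
# PortletRenderer bean in WEB-INF/assembly/aggregation.xml has its boolean
# "check jetspeed-portlet.xml security constraints before rendering" flag set.
import xml.etree.ElementTree as ET

RENDERER_BEAN_ID = "org.apache.jetspeed.aggregator.PortletRenderer"


def _local(tag):
    """Strip a namespace prefix ('{uri}bean' -> 'bean') so the check works
    whether or not the file declares the Spring beans namespace."""
    return tag.rsplit("}", 1)[-1]


def render_time_check_enabled(xml_text, bean_id=RENDERER_BEAN_ID):
    """Return True if the bean's boolean constructor-arg is 'true', False if
    it is 'false'. Raise ValueError when the bean or the flag is missing, so
    a restructured or misconfigured file is never reported as enabled."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "bean" and elem.get("id") == bean_id:
            bean = elem
            break
    else:
        raise ValueError("bean %s not found" % bean_id)

    for arg in bean:
        if _local(arg.tag) != "constructor-arg" or arg.get("type") != "boolean":
            continue
        # Spring accepts <constructor-arg type="boolean" value="true"/> as
        # well as a nested <value>true</value> element; handle both.
        raw = arg.get("value")
        if raw is None:
            for child in arg:
                if _local(child.tag) == "value":
                    raw = child.text
                    break
        if raw is None:
            raise ValueError("boolean constructor-arg carries no value")
        raw = raw.strip().lower()
        if raw not in ("true", "false"):
            raise ValueError("unexpected boolean value %r" % raw)
        return raw == "true"
    raise ValueError("no boolean constructor-arg on bean %s" % bean_id)


# Constructed sample mirroring the bean quoted in the thread; the flag is
# substituted so both the default and the enabled state can be checked.
_BEAN_TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <!-- Portlet Renderer -->
  <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
        class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
        init-method="start" destroy-method="stop">
    <meta key="j2:cat" value="default" />
    <constructor-arg><ref bean="org.apache.pluto.PortletContainer" /></constructor-arg>
    <constructor-arg><ref bean="org.apache.jetspeed.aggregator.WorkerMonitor" /></constructor-arg>
    <constructor-arg><ref bean="PortalStatistics" /></constructor-arg>
    <constructor-arg><ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager" /></constructor-arg>
    <!-- flag: check jetspeed-portlet.xml security constraints before rendering -->
    <constructor-arg type="boolean"><value>%s</value></constructor-arg>
    <constructor-arg><ref bean="org.apache.jetspeed.security.SecurityAccessController" /></constructor-arg>
    <constructor-arg><ref bean="portletContentCache" /></constructor-arg>
  </bean>
</beans>
"""
SAMPLE_DEFAULT = _BEAN_TEMPLATE % "false"   # shipped default per the thread
SAMPLE_ENABLED = _BEAN_TEMPLATE % "true"    # after the documented change


if __name__ == "__main__":
    import sys
    # Usage: python check_renderer.py /path/to/WEB-INF/assembly/aggregation.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_DEFAULT
    print("render-time security check enabled:", render_time_check_enabled(text))
```

Run it against the deployed aggregation.xml rather than a copy in source control, since that is the file the portal actually loads. The function raises instead of returning True when the bean or its boolean argument cannot be found, so a renamed or restructured bean is not mistaken for an enabled check. As the reply above says, this flag is a catch-all only: page and fragment constraints and the Portlet Selector filtering still apply regardless of its value.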