Posted to jetspeed-user@portals.apache.org by "Tiwari, Sunil Kumar" <c_...@qualcomm.com> on 2006/01/13 05:31:29 UTC

access control in jetspeed2 and integration with Spring's ACEGI security access framework

Hi,

I was looking into the access control in jetspeed2 and I noticed that it uses JAAS Authorization to provide this.
This link is useful for this: http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/atz-jaas.html

I have some questions here:

1) Can we define more customized roles like privileged users apart from the existing roles like user, manager, admin etc?
2) I think portlet level access control is not provided. Correct me if I am wrong. If I create a simple user then he doesn't have edit options either at page level or at
   portlet level, whereas a user as an admin has all. What if I don't want the user to have an edit option for the page but for some of the portlets on the page?
   How can it be achieved?
3) How to integrate Spring’s ACEGI security access framework with jetspeed2?

Thanks in advance,
-Sunil


RE: access control in jetspeed2 and integration with Spring's ACEGI security access framework

Posted by "Tiwari, Sunil Kumar" <c_...@qualcomm.com>.
Thanks Randy!

I have updated the JIRA issue JS2-354:

"From a user perspective, it's better if no content is displayed. It should appear like the portlet doesn't exist at all, i.e. the user doesn't know about the portlet on the page.
If we display some message like "Access Forbidden" then it may be confusing or irritating from the end user's point of view. The user may want to enquire about the portlet in question, which is not a good idea.

For example, I have a page with 10 portlets on it. There are 3 groups of users. One group can see all the portlets, the other one only 8 portlets and the last group can see only 5 portlets.
Now the page should appear normal, I mean, without any error message, to all the groups of users i.e. the page properly adjusted for each group.

The advantage is that you have only one page with all the portlets on it but still serving different sets of users with access to different subsets of all the portlets."



Could you elaborate a little on the customizer portlet selector?
You said that edit permissions for Fragments are currently inherited by the Page. How to change this inheritance if it is allowed?

And I tried searching the list for David Taylor's comment on Spring's Acegi integration with jetspeed2 without any luck :(
If you have any idea about it, please post it.

Thanks,
Sunil





Re: access control in jetspeed2 and integration with Spring's ACEGI security access framework

Posted by Randy Watler <wa...@wispertel.net>.
On Thu, 2006-01-12 at 20:31 -0800, Tiwari, Sunil Kumar wrote:
> Hi,
> 
> I was looking into the access control in jetspeed2 and I noticed that it uses JAAS Authorization to provide this.
> This link is useful for this: http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/atz-jaas.html
> 
> I have some questions here:
> 
> 1) Can we define more customized roles like privileged users apart from the existing roles like user, manager, admin etc?
Yes. Roles are defined and configured using the role management admin
portlet.

> 2) I think portlet level access control is not provided. Correct me if I am wrong. If I create a simple user then he doesn't have edit options either at page level or at
>    portlet level, whereas a user as an admin has all. What if I don't want the user to have an edit option for the page but for some of the portlets on the page?
>    How can it be achieved?
- Portlet level access can be controlled by the isUserInRole() JSR-168
API within the portlet itself.
- Portlets visible in the customizer portlet selector are configured via
PortletPermissions.
- Page Fragments visibility can be further constrained using security
constraints on the individual Fragments. Edit permissions for Fragments
are currently inherited by the Page.
So, I do not think what you are asking for is currently supported. There
is an open JIRA issue on the current limitations... feel free to add
your requirements to the comments:

https://issues.apache.org/jira/browse/JS2-354


> 3) How to integrate Spring’s ACEGI security access framework with jetspeed2?
Not sure. David Taylor looked into ACEGI some time ago, but I don't
recall what the outcome was. As usual, try searching the lists :-).

> 
> Thanks in advance,
> -Sunil


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
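
The isUserInRole() approach mentioned in the reply above, as an added example that is not part of the original thread and is not Jetspeed code: a JSR-168 portlet that emits no markup for users outside a view role and rejects edit and action requests outside an edit role. The class name and the role names `privileged` and `manager` are assumptions; each role name has to be declared for the portlet with a `<security-role-ref>` in portlet.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

// Hypothetical portlet: role checks are made inside the portlet, per request.
public class RoleGatedPortlet extends GenericPortlet {

    // Assumed role names; map them with <security-role-ref> in portlet.xml.
    private static final String VIEW_ROLE = "privileged";
    private static final String EDIT_ROLE = "manager";

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        if (!request.isUserInRole(VIEW_ROLE)) {
            return; // write nothing: no "Access Forbidden" text for this user
        }
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<p>Content for privileged users.</p>");
    }

    protected void doEdit(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        requireRole(request.isUserInRole(EDIT_ROLE), "edit mode");
        response.setContentType("text/html");
        response.getWriter().println("<p>Edit form goes here.</p>");
    }

    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // Hiding the edit view is not enough: the state change itself
        // must be refused when the caller lacks the role.
        requireRole(request.isUserInRole(EDIT_ROLE), "action");
        // ... apply the requested change here ...
    }

    private static void requireRole(boolean allowed, String what)
            throws PortletSecurityException {
        if (!allowed) {
            throw new PortletSecurityException(what + " not permitted for this user");
        }
    }
}
```

This controls only what the portlet itself writes; whether the portal still lays out a window for the fragment is decided by the portal, which is the limitation discussed in the thread.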