You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by Randy Watler <rw...@finali.com> on 2004/11/19 17:17:12 UTC

11/18 Security/Misc Patch

Gang,

FYI, here is a quick summary of what David reviewed and committed for me
yesterday. As usual, feel free to ask any questions that come to mind!

Randy

----------------------------------------------------------------------

To test:

1. When you start the portal, you should see only the default page and
   additional links, (no customizer buttons)
2. Login as user: you should see everything as before except the
   testsuite page and the Administrative sub directory, (customizer
   buttons only visible on user pages)
3. Login as manager: everything should be be visible except the
   testsuite page, (no customizer buttons)
4. Login as jetspeed: everything should be visible, (no customizer 
   buttons)
5. Login as admin: everything should be visible, (full customizer
   buttons)

Notes:

- Both permissions, (JAAS), and constraints, (J1 style), are enabled,
(in assembly/page-manaager.xml on the CastorXmlPageManager init)
- Both are configured to secure the same entities, except the testsuite
page access is specified only in the constraints.
- The permissions are configured in the 4 populate-userinfo sql scripts.
- The constraints are set up in WEB-INF/pages:
  /page.security
  /folder.metadata
  /Administrative/folder.metadata
  /default-page.psml
  /testsuite.psml
  /_user/user/folder.metadata

In addition to the core Security functionality, the following "bonus"
changes are in this patch:

- Corrected various page document tags to use lower-dash case instead of
  lowerCamel case.
- Removed security checks from PageAggregator.
- Deprecated ACL members from page documents and usage in
  SiteDetailPortlet.java
- Removed logging from FolderPermission in commons.
- Added 403 returns in ProfilerValveImpl for SecurityExceptions
- Added short-title support to pages, (see nested-layout.psml), and
  decorators/templates.
- Cleaned up SecurityValveImpl to ensure RequestContext Subject is
  propagated using Subject.doAsPrivileged().
- Added groups to user and jetspeed logins to use for testing purposes.
- Added code in JPT that uses page.checkAccess() to limit customizer
  page actions.
- Added rollovers for full title display in tigris and jetspeed page
  layout decorators/templates.

Things that remain to be done:

- Implement view/edit action checks in PageManager for
  get/new/update/remove APIs.