Posted to jetspeed-dev@portals.apache.org by Randy Watler <rw...@finali.com> on 2004/11/19 17:17:12 UTC
11/18 Security/Misc Patch
Gang,
FYI, here is a quick summary of what David reviewed and committed for me
yesterday. As usual, feel free to ask any questions that come to mind!
Randy
----------------------------------------------------------------------
To test:
1. When you start the portal, you should see only the default page and
additional links, (no customizer buttons)
2. Login as user: you should see everything as before except the
testsuite page and the Administrative subdirectory, (customizer
buttons only visible on user pages)
3. Login as manager: everything should be visible except the
testsuite page, (no customizer buttons)
4. Login as jetspeed: everything should be visible, (no customizer
buttons)
5. Login as admin: everything should be visible, (full customizer
buttons)
Notes:
- Both permissions, (JAAS), and constraints, (J1 style), are enabled,
(in assembly/page-manager.xml on the CastorXmlPageManager init)
- Both are configured to secure the same entities, except the testsuite
page access is specified only in the constraints.
- The permissions are configured in the 4 populate-userinfo sql scripts.
- The constraints are set up in WEB-INF/pages:
/page.security
/folder.metadata
/Administrative/folder.metadata
/default-page.psml
/testsuite.psml
/_user/user/folder.metadata
In addition to the core Security functionality, the following "bonus"
changes are in this patch:
- Corrected various page document tags to use lower-dash case instead of
lowerCamel case.
- Removed security checks from PageAggregator.
- Deprecated ACL members from page documents and usage in
SiteDetailPortlet.java
- Removed logging from FolderPermission in commons.
- Added 403 returns in ProfilerValveImpl for SecurityExceptions
- Added short-title support to pages, (see nested-layout.psml), and
decorators/templates.
- Cleaned up SecurityValveImpl to ensure RequestContext Subject is
propagated using Subject.doAsPrivileged().
- Added groups to user and jetspeed logins to use for testing purposes.
- Added code in JPT that uses page.checkAccess() to limit customizer
page actions.
- Added rollovers for full title display in tigris and jetspeed page
layout decorators/templates.
Things that remain to be done:
- Implement view/edit action checks in PageManager for
get/new/update/remove APIs.