Posted to jetspeed-user@portals.apache.org by Aaron Evans <aa...@yahoo.ca> on 2005/09/08 16:59:56 UTC

[J2] web.xml security constraints not respected

I have added struts and JSF applications to my jetspeed2 portal.  

What I have found is that once a user authenticates through the portal, 
then the request.getPrincipal() and request.isUserInRole() methods work
as expected within my applications.

However, any security constraints specified in the application's web.xml file
are *not* respected when the application is accessed through the portal, but
they are when you access the application directly.

For example, I define the following security constraint and role in my web.xml:

  <security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

If I have a resource /admin/admin.jsp, I can access through the portal without
authenticating or if I authenticate as a user that is not in the admin role.
If I access it outside the portal without authenticating, I am denied access.

Is this a known limitation or a bug?

On my admin.jsp page, I have output request.getRequestURI and 
request.getRequestURL and I get the following values:

URI: /jsfapp/admin/admin.jsp
URL: null

Is this also expected behaviour (i.e. that the requestURL is null)?  If so, then
perhaps my security constraints are not being respected because Tomcat is using
the URL and not the URI?


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org


Re: [J2] web.xml security constraints not respected

Posted by David Sean Taylor <da...@bluesunrise.com>.
Aaron Evans wrote:
> I have added struts and JSF applications to my jetspeed2 portal.  
> 
> What I have found is that once a user authenticates through the portal, 
> then the request.getPrincipal() and request.isUserInRole() methods work
> as expected within my applications.
> 
> However, any security constraints specified in the application's web.xml file
> are *not* respected when the application is accessed through the portal, but
> they are when you access the application directly.
> 
> For example, I define the following security constraint and role in my web.xml:
> 
>   <security-constraint>
> 	<display-name>Admin Pages</display-name>
> 	<web-resource-collection>
> 		<web-resource-name>Admin Pages</web-resource-name>
> 		<url-pattern>/admin/*</url-pattern>
> 	</web-resource-collection>
> 	<auth-constraint>
> 		<role-name>admin</role-name>
> 	</auth-constraint>
>   </security-constraint>
> 
>   <security-role>
> 	<role-name>admin</role-name>
>   </security-role>  
> 
> If I have a resource /admin/admin.jsp, I can access through the portal without
> authenticating or if I authenticate as a user that is not in the admin role.
> If I access it outside the portal without authenticating, I am denied access.
> 
> Is this a known limitation or a bug?
> 
My interpretation is it's a bug.
We need to run the security check before dispatching to the servlet.
Log a JIRA issue.

From spec:

PLT.20.2 Roles

The portlet specification shares the same definition as roles of the 
Servlet Specification

> On my admin.jsp page, I have output request.getRequestURI and 
> request.getRequestURL and I get the following values:
> 
> URI: /jsfapp/admin/admin.jsp
> URL: null
> 
> Is this also expected behaviour (i.e. that the requestURL is null)?  If so, then
> perhaps my security constraints are not being respected because Tomcat is using
> the URL and not the URI?
> 
> 
I think the NULL is correct, from the spec:

PLT.16.3.3 Request and Response objects for Included Servlets/JSPs

The target servlet or JSP of portlet request dispatcher has access to a limited set of
methods of the request and the response objects.
The following methods of the HttpServletRequest must return null: getProtocol,
getRemoteAddr, getRemoteHost, getRealPath, and getRequestURL.


-- 
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
[office] +01 707 773-4646
[mobile] +01 707 529 9194
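
Added example, not part of the thread or of Jetspeed's code: the Servlet specification applies web.xml security constraints only to requests that come from the client, not to resources reached through RequestDispatcher include or forward, so one way to keep /admin/* protected on both paths is a filter that repeats the role check programmatically. It assumes a Servlet 2.4+ container and that the portal reaches the JSP through a dispatcher include; the class name AdminRoleFilter and the requiredRole init-param are hypothetical.

```java
// Added example; AdminRoleFilter and the "requiredRole" init-param are hypothetical names.
//
// web.xml (Servlet 2.4+), alongside the existing <security-constraint>:
//
//   <filter>
//     <filter-name>adminRoleFilter</filter-name>
//     <filter-class>AdminRoleFilter</filter-class>
//     <init-param>
//       <param-name>requiredRole</param-name>
//       <param-value>admin</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>adminRoleFilter</filter-name>
//     <url-pattern>/admin/*</url-pattern>
//     <dispatcher>REQUEST</dispatcher>
//     <dispatcher>INCLUDE</dispatcher>
//     <dispatcher>FORWARD</dispatcher>
//   </filter-mapping>

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AdminRoleFilter implements Filter {
    private String requiredRole;

    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("requiredRole");
        if (requiredRole == null || requiredRole.trim().length() == 0) {
            // Fail closed: refuse to start rather than run with no role configured.
            throw new ServletException("requiredRole init-param is missing");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isUserInRole() returns false for an unauthenticated caller, so this
        // single check covers both "not logged in" and "logged in, wrong role".
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse
                && ((HttpServletRequest) req).isUserInRole(requiredRole)) {
            chain.doFilter(req, res);
            return;
        }
        // The container sets this attribute during RequestDispatcher.include().
        // An included resource cannot change the response status, so for an
        // include the filter simply renders nothing instead of calling sendError().
        boolean included = req.getAttribute("javax.servlet.include.request_uri") != null;
        if (!included && res instanceof HttpServletResponse) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {
        // No resources to release.
    }
}
```

The filter relies on isUserInRole() working inside the application when it is reached through the portal, which is what the original post reports.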



Re: Charset problem

Posted by Santiago Urrizola <ch...@yahoo.com.ar>.
But I don't know what file it is ...
the decorator.top ... the psml which contains the portlet ... the .jsp ... ??

----- Original Message ----- 
From: "Shinsuke SUGAYA" <sh...@yahoo.co.jp>
To: "Jetspeed Users List" <je...@portals.apache.org>
Sent: Monday, September 12, 2005 6:29 PM
Subject: Re: Charset problem


> Santiago Urrizola wrote:
>> I changed to UTF-8 and it doesn't work either.
>
> Could you send the file to me directly?
> I'll check if it's a bug or not.
>
> Thanks,
>  shinsuke


Re: Charset problem

Posted by Shinsuke SUGAYA <sh...@yahoo.co.jp>.
Santiago Urrizola wrote:
> I changed to UTF-8 and it doesn't work either.

Could you send the file to me directly?
I'll check if it's a bug or not.

Thanks,
  shinsuke



Re: Charset problem

Posted by Santiago Urrizola <ch...@yahoo.com.ar>.
I changed to UTF-8 and it doesn't work either.

----- Original Message ----- 
From: "Shinsuke SUGAYA" <sh...@yahoo.co.jp>
To: "Jetspeed Users List" <je...@portals.apache.org>
Sent: Friday, September 09, 2005 6:55 PM
Subject: Re: Charset problem


> Santiago Urrizola wrote:
>> Hi, I work with J2-M4 and have a problem (I think) with the charset. In
>> many links on the left menu, I have something like this: B?squeda
>> Avanzada. I changed the charset to ISO-8859-1 (in psml,
>> folder.metadata, and decorator.top) but the ú or ó or í doesn't appear. I
>> changed the charset in the media type too.
>
> If you put these characters with UTF-8, I think it will be displayed.
>
> Thanks,
>  shinsuke


Re: Charset problem

Posted by Shinsuke SUGAYA <sh...@yahoo.co.jp>.
Santiago Urrizola wrote:
> Hi, I work with J2-M4 and have a problem (I think) with the charset. In
> many links on the left menu, I have something like this: B?squeda
> Avanzada. I changed the charset to ISO-8859-1 (in psml,
> folder.metadata, and decorator.top) but the ú or ó or í doesn't appear. I
> changed the charset in the media type too.

If you put these characters with UTF-8, I think it will be displayed.

Thanks,
  shinsuke

> Thanks a lot.
> Santiago


Charset problem

Posted by Santiago Urrizola <ch...@yahoo.com.ar>.
Hi, I work with J2-M4 and have a problem (I think) with the charset. In many
links on the left menu, I have something like this: B?squeda Avanzada. I
changed the charset to ISO-8859-1 (in psml, folder.metadata, and
decorator.top) but the ú or ó or í doesn't appear. I changed the charset in
the media type too.
Thanks a lot.
Santiago



Re: [J2] web.xml security constraints not respected

Posted by Aaron Evans <aa...@yahoo.ca>.
Aaron Evans <aaronmevans <at> yahoo.ca> writes:

> 
> I have added struts and JSF applications to my jetspeed2 portal.  
> 
> What I have found is that once a user authenticates through the portal, 
> then the request.getPrincipal() and request.isUserInRole() methods work
> as expected within my applications.
> 
> However, any security constraints specified in the application's web.xml file
> are *not* respected when the application is accessed through the portal, but
> they are when you access the application directly.
> 

I have done further research and reading and I think my confusion was due
to a lack of knowledge around the portlet specification.  I will experiment
with using the security-constraint and security-role elements in my 
portlet.xml.





