You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-user@portals.apache.org by Frank Otto <ot...@delta-barth.de> on 2012/07/11 11:56:52 UTC
Page security on ui pipeline
Hi,
is it possible, that the security constraint wasn't checked in the ui
pipeline on added portlets?
I have defined a security contraint in page.security file:
<security-constraints-def name="MY_CONSTRAINT">
<security-constraint>
<roles>MY_ROLE</roles>
<permissions>view,edit</permissions>
</security-constraint>
</security-constraints-def>
The jetspeed-portlet.xml looks like this:
<portlet>
<portlet-name>MyPortlet</portlet-name>
<js:security-constraint-ref>MY_CONSTRAINT</js:security-constraint-ref>
</portlet>
If I remove the Role from my user, the portlet will not be shown in the
toolbox, but it's always accessable on the already added portlet.
In Jetspeed 2.2.0 was checked this and the message "you have no
permission for the portlet" was shown in the portlet.
kind regards,
Frank
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: Page security on ui pipeline
Posted by Woonsan Ko <wo...@yahoo.com>.
I think so, too. It must be better to allow it configured in portlet-application level or in global configuration (jet speed.properties) as defaults as well.
Woonsan
----- Original Message -----
> From: David S Taylor <da...@gmail.com>
> To: Jetspeed Users List <je...@portals.apache.org>
> Cc:
> Sent: Monday, July 16, 2012 8:44 AM
> Subject: Re: Page security on ui pipeline
>
>G reat. It seems like a pain to have to set this for each and every portlet.
> Seems more like a portal general feature. Guess I just don't follow the
> intention of the developer
>
> On Jul 16, 2012, at 1:33 AM, Frank Otto <ot...@delta-barth.de> wrote:
>
>> It works. Thanks!
>>
>> Am 16.07.2012 05:14, schrieb David Sean Taylor:
>>> I was going to say "nothing changed". But I reviewed the
> 2.2.2 release notes and found this improvement:
>>>
>>> https://issues.apache.org/jira/browse/JS2-1262
>>>
>>> You can try this (from the JIRA issue):
>>>
>>> "By adding a<js:metadata
> name="render-time.security-constraints">true</js:metadata>
> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints
> for that portlet will be enforced at render time."
>>>
>>>
>>> On Jul 11, 2012, at 2:56 AM, Frank Otto wrote:
>>>
>>>> Hi,
>>>>
>>>> is it possible, that the security constraint wasn't checked in
> the ui pipeline on added portlets?
>>>>
>>>>
>>>> I have defined a security contraint in page.security file:
>>>>
>>>> <security-constraints-def name="MY_CONSTRAINT">
>>>> <security-constraint>
>>>> <roles>MY_ROLE</roles>
>>>> <permissions>view,edit</permissions>
>>>> </security-constraint>
>>>> </security-constraints-def>
>>>>
>>>> The jetspeed-portlet.xml looks like this:
>>>>
>>>> <portlet>
>>>> <portlet-name>MyPortlet</portlet-name>
>>>>
> <js:security-constraint-ref>MY_CONSTRAINT</js:security-constraint-ref>
>>>> </portlet>
>>>>
>>>> If I remove the Role from my user, the portlet will not be shown in
> the toolbox, but it's always accessable on the already added portlet.
>>>>
>>>> In Jetspeed 2.2.0 was checked this and the message "you have
> no permission for the portlet" was shown in the portlet.
>>>>
>>>>
>>>> kind regards,
>>>>
>>>> Frank
>>>>
>>>>
>>>>
> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail:
> jetspeed-user-unsubscribe@portals.apache.org
>>>> For additional commands, e-mail:
> jetspeed-user-help@portals.apache.org
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: Page security on ui pipeline
Posted by David S Taylor <da...@gmail.com>.
Great. It seems like a pain to have to set this for each and every portlet. Seems more like a portal general feature. Guess I just don't follow the intention of the developer
On Jul 16, 2012, at 1:33 AM, Frank Otto <ot...@delta-barth.de> wrote:
> It works. Thanks!
>
> Am 16.07.2012 05:14, schrieb David Sean Taylor:
>> I was going to say "nothing changed". But I reviewed the 2.2.2 release notes and found this improvement:
>>
>> https://issues.apache.org/jira/browse/JS2-1262
>>
>> You can try this (from the JIRA issue):
>>
>> "By adding a<js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time."
>>
>>
>> On Jul 11, 2012, at 2:56 AM, Frank Otto wrote:
>>
>>> Hi,
>>>
>>> is it possible, that the security constraint wasn't checked in the ui pipeline on added portlets?
>>>
>>>
>>> I have defined a security contraint in page.security file:
>>>
>>> <security-constraints-def name="MY_CONSTRAINT">
>>> <security-constraint>
>>> <roles>MY_ROLE</roles>
>>> <permissions>view,edit</permissions>
>>> </security-constraint>
>>> </security-constraints-def>
>>>
>>> The jetspeed-portlet.xml looks like this:
>>>
>>> <portlet>
>>> <portlet-name>MyPortlet</portlet-name>
>>> <js:security-constraint-ref>MY_CONSTRAINT</js:security-constraint-ref>
>>> </portlet>
>>>
>>> If I remove the Role from my user, the portlet will not be shown in the toolbox, but it's always accessable on the already added portlet.
>>>
>>> In Jetspeed 2.2.0 was checked this and the message "you have no permission for the portlet" was shown in the portlet.
>>>
>>>
>>> kind regards,
>>>
>>> Frank
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: Page security on ui pipeline
Posted by Frank Otto <ot...@delta-barth.de>.
It works. Thanks!
Am 16.07.2012 05:14, schrieb David Sean Taylor:
> I was going to say "nothing changed". But I reviewed the 2.2.2 release notes and found this improvement:
>
> https://issues.apache.org/jira/browse/JS2-1262
>
> You can try this (from the JIRA issue):
>
> "By adding a<js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time."
>
>
> On Jul 11, 2012, at 2:56 AM, Frank Otto wrote:
>
>> Hi,
>>
>> is it possible, that the security constraint wasn't checked in the ui pipeline on added portlets?
>>
>>
>> I have defined a security contraint in page.security file:
>>
>> <security-constraints-def name="MY_CONSTRAINT">
>> <security-constraint>
>> <roles>MY_ROLE</roles>
>> <permissions>view,edit</permissions>
>> </security-constraint>
>> </security-constraints-def>
>>
>> The jetspeed-portlet.xml looks like this:
>>
>> <portlet>
>> <portlet-name>MyPortlet</portlet-name>
>> <js:security-constraint-ref>MY_CONSTRAINT</js:security-constraint-ref>
>> </portlet>
>>
>> If I remove the Role from my user, the portlet will not be shown in the toolbox, but it's always accessable on the already added portlet.
>>
>> In Jetspeed 2.2.0 was checked this and the message "you have no permission for the portlet" was shown in the portlet.
>>
>>
>> kind regards,
>>
>> Frank
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org
Re: Page security on ui pipeline
Posted by David Sean Taylor <da...@gmail.com>.
I was going to say "nothing changed". But I reviewed the 2.2.2 release notes and found this improvement:
https://issues.apache.org/jira/browse/JS2-1262
You can try this (from the JIRA issue):
"By adding a <js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time."
On Jul 11, 2012, at 2:56 AM, Frank Otto wrote:
> Hi,
>
> is it possible, that the security constraint wasn't checked in the ui pipeline on added portlets?
>
>
> I have defined a security contraint in page.security file:
>
> <security-constraints-def name="MY_CONSTRAINT">
> <security-constraint>
> <roles>MY_ROLE</roles>
> <permissions>view,edit</permissions>
> </security-constraint>
> </security-constraints-def>
>
> The jetspeed-portlet.xml looks like this:
>
> <portlet>
> <portlet-name>MyPortlet</portlet-name>
> <js:security-constraint-ref>MY_CONSTRAINT</js:security-constraint-ref>
> </portlet>
>
> If I remove the Role from my user, the portlet will not be shown in the toolbox, but it's always accessable on the already added portlet.
>
> In Jetspeed 2.2.0 was checked this and the message "you have no permission for the portlet" was shown in the portlet.
>
>
> kind regards,
>
> Frank
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org