Posted to jetspeed-user@portals.apache.org by Michael McLawhorn <mi...@hotmail.com> on 2003/01/09 23:46:44 UTC

Security issues with Jetspeed 1.4b3

Hi,

   Thanks for the feedback.  I finally got 1.4b3 working by doing a fresh 
install and rolling my content into it.  It's not 100% yet, but I'm getting 
close.  However, my reason for making the upgrade was this:

We're trying to develop a jetspeed toolkit for internal use by separate 
development teams.  However, right now any user can substitute someone 
else's username in the url for any Jetspeed actions and have free run of 
their portlets (assuming they are in the same group) reconfiguring them, 
viewing their output, etc.  I thought the allow-if-owner security tag would 
fix this, but it doesn't seem to have done anything.

   Does anyone know how I can get Jetspeed to refuse attempts by user X to 
hit portlets defined in user Y's default.psml when they are in the same 
group?  Thank you.

Mike McLawhorn



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Security issues with Jetspeed 1.4b3

Posted by Paul Spencer <pa...@mindspring.com>.
Michael,
Assuming you are using the registry-based security, then make sure the 
security-ref associated with the <portlet> or <entry> includes 
<allow-if-owner> and does not allow access to all users.

 From security.xreg:
    <security-entry name="owner-only">
        <meta-info>
            <title>Owner-only</title>
            <description>Full access to the owner.</description>
        </meta-info>
        <access action="*">
            <allow-if-owner/>
        </access>
    </security-entry>

 From WEB-INF/psml/user/turbine/html/default.psml:
<portlets id="01">
    <security-ref parent="owner-only"/>
    <metainfo>
        <title>Default Jetspeed page</title>
    </metainfo>
    <layout position="-1" size="-1"/>
    <control name="TabControl"/>
    <controller name="TabController"/>
    <portlets id="02">
        <security-ref parent="owner-only"/>
        <metainfo>
            <title>Home</title>
        </metainfo>
        ....
    </portlets>
     ....
</portlets>


Paul Spencer


Michael McLawhorn wrote:

> Hi,
>
>   Thanks for the feedback.  I finally got 1.4b3 working by doing a 
> fresh install and rolling my content into it.  It's not 100% yet, but 
> I'm getting close.  However, my reason for making the upgrade was this:
>
> We're trying to develop a jetspeed toolkit for internal use by 
> separate development teams.  However, right now any user can 
> substitute someone else's username in the url for any Jetspeed actions 
> and have free run of their portlets (assuming they are in the same 
> group) reconfiguring them, viewing their output, etc.  I thought the 
> allow-if-owner security tag would fix this, but it doesn't seem to 
> have done anything.
>
>   Does anyone know how I can get Jetspeed to refuse attempts by user X 
> to hit portlets defined in user Y's default.psml when they are in the 
> same group?  Thank you.
>
> Mike McLawhorn
>
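As an added illustration, not from Paul's message or the Jetspeed code base: a small Python model of the registry-based check described above, which assumes <allow-if-owner/> grants only the page's owner and <allow-if user="*"/> grants everyone (the registry and PSML fragments are constructed), plus an audit that lists PSML nodes whose security-ref does not resolve to an owner-only entry.

```python
# Added example (not Jetspeed code). Assumptions: <allow-if-owner/> grants only
# the profile's owner, <allow-if user="*"/> grants everyone, first matching allow wins.
import xml.etree.ElementTree as ET

# Constructed security.xreg fragment: "owner-only" as quoted in the thread,
# plus a deliberately permissive "public" entry for contrast.
SECURITY_XREG = """<registry>
  <security-entry name="owner-only">
    <access action="*"><allow-if-owner/></access>
  </security-entry>
  <security-entry name="public">
    <access action="*"><allow-if user="*"/></access>
  </security-entry>
</registry>"""
# Constructed default.psml: "01" is owner-only, "02" points at the public
# entry by mistake, "03" carries no security-ref at all.
DEFAULT_PSML = """<portlets id="01">
  <security-ref parent="owner-only"/>
  <portlets id="02"><security-ref parent="public"/></portlets>
  <portlets id="03"/>
</portlets>"""

def load_entries(xreg):
    """Map security-entry name -> list of (action, rule tag, rule attributes)."""
    entries = {}
    for e in ET.fromstring(xreg).iter("security-entry"):
        entries[e.get("name")] = [(a.get("action", "*"), r.tag, dict(r.attrib))
                                  for a in e.findall("access") for r in a]
    return entries

def is_allowed(entries, ref, action, page_owner, user, roles=()):
    """True if a rule of entry `ref` grants `user` the `action` on `page_owner`'s page."""
    for act, tag, attrs in entries.get(ref, []):
        if act not in ("*", action):
            continue
        if tag == "allow-if-owner" and user == page_owner:
            return True
        if tag == "allow-if" and (attrs.get("user") in ("*", user)
                                  or attrs.get("role") in roles):
            return True
    return False  # no rule matched: deny

def audit_psml(psml, entries):
    """List (id, parent ref) of <portlets>/<entry> nodes not protected by allow-if-owner."""
    weak = []
    for node in ET.fromstring(psml).iter():
        if node.tag in ("portlets", "entry"):
            ref = node.find("security-ref")
            parent = ref.get("parent") if ref is not None else None
            if not any(t == "allow-if-owner" for _, t, _ in entries.get(parent, [])):
                weak.append((node.get("id"), parent))
    return weak
```

Running audit_psml over the real WEB-INF/psml tree is the quick way to find pages where a shared-group user would still get through.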


Re: Security issues with Jetspeed 1.4b3

Posted by David Sean Taylor <da...@bluesunrise.com>.
On Thursday, January 9, 2003, at 02:46  PM, Michael McLawhorn wrote:

> Hi,
>
>   Thanks for the feedback.  I finally got 1.4b3 working by doing a  
> fresh install and rolling my content into it.  It's not 100% yet, but  
> I'm getting close.  However, my reason for making the upgrade was this:
>
> We're trying to develop a jetspeed toolkit for internal use by  
> separate development teams.  However, right now any user can  
> substitute someone else's username in the url for any Jetspeed actions  
> and have free run of their portlets (assuming they are in the same  
> group) reconfiguring them, viewing their output, etc.  I thought the  
> allow-if-owner security tag would fix this, but it doesn't seem to  
> have done anything.
>
>   Does anyone know how I can get Jetspeed to refuse attempts by user X  
> to hit portlets defined in user Y's default.psml when they are in the  
> same group?  Thank you.
>
> Mike McLawhorn
>
I thought that the <allow-if-owner> would handle this too.
Could you please log a detailed bug on this one:

http://www.bluesunrise.com/jetspeed-docs/JetspeedTutorial.htm#_Toc26987081

Thanks,

David
--
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
+01 707 773-4646