Posted to jetspeed-user@portals.apache.org by Michael McLawhorn <mi...@hotmail.com> on 2003/01/09 23:46:44 UTC
Security issues with Jetspeed 1.4b3
Hi,
Thanks for the feedback. I finally got 1.4b3 working by doing a fresh
install and rolling my content into it. It's not 100% yet, but I'm getting
close. However, my reason for making the upgrade was this:
We're trying to develop a jetspeed toolkit for internal use by separate
development teams. However, right now any user can substitute someone
else's username in the URL for any Jetspeed actions and have free run of
their portlets (assuming they are in the same group) reconfiguring them,
viewing their output, etc. I thought the allow-if-owner security tag would
fix this, but it doesn't seem to have done anything.
Does anyone know how I can get Jetspeed to refuse attempts by user X to
hit portlets defined in user Y's default.psml when they are in the same
group? Thank you.
Mike McLawhorn
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Security issues with Jetspeed 1.4b3
Posted by Paul Spencer <pa...@mindspring.com>.
Michael,
Assuming you are using the registry based security, then make sure the
security-ref associated with the <portlet> or <entry> includes
<allow-if-owner> and does not allow access to all users.
From security.xreg:
<security-entry name="owner-only">
    <meta-info>
        <title>Owner-only</title>
        <description>Full access to the owner.</description>
    </meta-info>
    <access action="*">
        <allow-if-owner/>
    </access>
</security-entry>
From WEB-INF/psml/user/turbine/html/default.psml:
<portlets id="01">
    <security-ref parent="owner-only"/>
    <metainfo>
        <title>Default Jetspeed page</title>
    </metainfo>
    <layout position="-1" size="-1"/>
    <control name="TabControl"/>
    <controller name="TabController"/>
    <portlets id="02">
        <security-ref parent="owner-only"/>
        <metainfo>
            <title>Home</title>
        </metainfo>
        ....
    </portlets>
    ....
</portlets>
Paul Spencer
Michael McLawhorn wrote:
> Hi,
>
> Thanks for the feedback. I finally got 1.4b3 working by doing a
> fresh install and rolling my content into it. It's not 100% yet, but
> I'm getting close. However, my reason for making the upgrade was this:
>
> We're trying to develop a jetspeed toolkit for internal use by
> separate development teams. However, right now any user can
> substitute someone else's username in the URL for any Jetspeed actions
> and have free run of their portlets (assuming they are in the same
> group) reconfiguring them, viewing their output, etc. I thought the
> allow-if-owner security tag would fix this, but it doesn't seem to
> have done anything.
>
> Does anyone know how I can get Jetspeed to refuse attempts by user X
> to hit portlets defined in user Y's default.psml when they are in the
> same group? Thank you.
>
> Mike McLawhorn
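The check Paul describes above can be applied mechanically. The following audit script is an added example, not code from the Jetspeed project: it resolves each security-ref in a PSML fragment against the security.xreg entries and reports every <portlets> or <entry> whose entry does not restrict access to the owner. The <registry> wrapper, the "public" entry and its <allow-if user="*"/> rule are assumptions used to show a weak reference; PSML security-ref inheritance from enclosing elements is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed security.xreg fragment (not a real file). The "public" entry
# and the allow-if user="*" rule are assumptions used to show a weak ref.
SECURITY_XREG = """<registry>
  <security-entry name="owner-only">
    <access action="*"><allow-if-owner/></access>
  </security-entry>
  <security-entry name="public">
    <access action="view"><allow-if user="*"/></access>
  </security-entry>
</registry>"""

# Constructed PSML fragment modelled on the default.psml quoted above.
PSML = """<portlets id="01">
  <security-ref parent="owner-only"/>
  <portlets id="02">
    <security-ref parent="public"/>
    <entry id="03"><security-ref parent="owner-only"/></entry>
  </portlets>
  <portlets id="04"/>
</portlets>"""

def load_entries(xreg_text):
    """Map security-entry name -> {action: [rule elements under <access>]}."""
    entries = {}
    for entry in ET.fromstring(xreg_text).iter("security-entry"):
        rules = {}
        for access in entry.iter("access"):
            rules.setdefault(access.get("action"), []).extend(list(access))
        entries[entry.get("name")] = rules
    return entries

def owner_restricted(rules, action="view"):
    """True only if every rule that covers `action` is <allow-if-owner/>."""
    applicable = rules.get(action, []) + rules.get("*", [])
    return bool(applicable) and all(r.tag == "allow-if-owner" for r in applicable)

def audit(psml_text, entries):
    """Return (id, reason) for each <portlets>/<entry> not locked to its owner.
    A missing security-ref is reported too; PSML inheritance is not modelled."""
    findings = []
    for node in ET.fromstring(psml_text).iter():
        if node.tag not in ("portlets", "entry"):
            continue
        ref = node.find("security-ref")
        if ref is None:
            findings.append((node.get("id"), "no security-ref"))
        elif not owner_restricted(entries.get(ref.get("parent"), {})):
            findings.append((node.get("id"), f"{ref.get('parent')} is not owner-only"))
    return findings
```

Running audit(PSML, load_entries(SECURITY_XREG)) flags portlets "02" (public entry) and "04" (no security-ref), while "01" and "03" pass.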
Re: Security issues with Jetspeed 1.4b3
Posted by David Sean Taylor <da...@bluesunrise.com>.
On Thursday, January 9, 2003, at 02:46 PM, Michael McLawhorn wrote:
> Hi,
>
> Thanks for the feedback. I finally got 1.4b3 working by doing a
> fresh install and rolling my content into it. It's not 100% yet, but
> I'm getting close. However, my reason for making the upgrade was this:
>
> We're trying to develop a jetspeed toolkit for internal use by
> separate development teams. However, right now any user can
> substitute someone else's username in the URL for any Jetspeed actions
> and have free run of their portlets (assuming they are in the same
> group) reconfiguring them, viewing their output, etc. I thought the
> allow-if-owner security tag would fix this, but it doesn't seem to
> have done anything.
>
> Does anyone know how I can get Jetspeed to refuse attempts by user X
> to hit portlets defined in user Y's default.psml when they are in the
> same group? Thank you.
>
> Mike McLawhorn
>
I thought that the <allow-if-owner> would handle this too.
Could you please log a detailed bug on this one:
http://www.bluesunrise.com/jetspeed-docs/JetspeedTutorial.htm#_Toc26987081
Thanks,
David
--
David Sean Taylor
Bluesunrise Software
david@bluesunrise.com
+01 707 773-4646