Posted to general@portals.apache.org by ta...@apache.org on 2010/04/20 14:05:14 UTC

svn commit: r935887 - in /portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc: guide-registry.xml guide-security-declarative-psml.xml

Author: taylor
Date: Tue Apr 20 12:05:14 2010
New Revision: 935887

URL: http://svn.apache.org/viewvc?rev=935887&view=rev
Log:
https://issues.apache.org/jira/browse/JS2-1103

Modified:
    portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-registry.xml
    portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml

Modified: portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-registry.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-registry.xml?rev=935887&r1=935886&r2=935887&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-registry.xml (original)
+++ portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-registry.xml Tue Apr 20 12:05:14 2010
@@ -82,27 +82,71 @@
 	For instance you may want to require the 'admin' role restricting edit mode on all portlets in this application. Or you may require the 'developer'
 	role to restrict users from viewing portlets in this application. Constraints secure access to portlets or applications. 
 	</p>
-	<p>Portlets can also be further defined in the <code>jetspeed-security.xml</code> file. The <code>portlet-name</code> tag allows us to map back
-	to the main <code>portlet.xml</code> file, matching the portlet by name. Again, we have a js:security-constraint-ref tag. This time,
-	we are assigning a security constraint to just one portlet. This constraint overrides the portlet application wide security
-	constraint tag. We also have similar Dublin Core tags for extended metadata.
-	</p>
-<source><![CDATA[			
+<p>By default, render-time checking of these global security constraints is disabled. So for 'view', if someone with appropriate permissions has added a portlet to a page visible to a user, the user will be able to view (but only view) the portlet. This happens even if there is a global portlet-level constraint intended to prevent the user viewing all instances of the portlet.
+Access is therefore controlled by pages and fragments in the PSML, and by controls on the selection and adding of portlets.</p>
+
+<p>If render-time checking is enabled (default: false), a portlet which is not accessible to be viewed by the user, regardless of the current page or fragment, will not be rendered, and an "Access Denied" error message will be rendered instead.
+To enable this feature, change a Spring configuration setting
+in WEB-INF/assembly/aggregation.xml.
+Find the bean with id="org.apache.jetspeed.aggregator.PortletRenderer" and
+change the 5th constructor-arg element from false -> true
+(see also inline comment in the bean definition)</p>
+<source><![CDATA[
+<!-- Portlet Renderer -->
+<bean id="org.apache.jetspeed.aggregator.PortletRenderer"
+class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
+init-method="start" destroy-method="stop">
+<meta key="j2:cat" value="default" />
+<constructor-arg>
+<ref bean="org.apache.pluto.PortletContainer" />
+</constructor-arg>
+<constructor-arg>
+<ref bean="org.apache.jetspeed.aggregator.WorkerMonitor" />
+</constructor-arg>
+<constructor-arg>
+<ref bean="PortalStatistics" />
+</constructor-arg>
+<constructor-arg>
+<ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager" />
+</constructor-arg>
+<!-- flag indicating whether to check jetspeed-portlet.xml security
+constraints
+before rendering a portlet. If security check fails, do not display
+portlet content
+-->
+<constructor-arg type="boolean">
+<value>true</value>
+</constructor-arg>
+<constructor-arg>
+<ref bean="org.apache.jetspeed.security.SecurityAccessController" />
+</constructor-arg>
+<constructor-arg>
+<ref bean="portletContentCache" />
+</constructor-arg>
+</bean>
+]]></source>
+        <p>Portlets can also be further defined in the <code>jetspeed-security.xml</code> file. The <code>portlet-name</code> tag allows us to map back
+        to the main <code>portlet.xml</code> file, matching the portlet by name. Again, we have a js:security-constraint-ref tag. This time,
+        we are assigning a security constraint to just one portlet. This constraint overrides the portlet application wide security
+        constraint tag. We also have similar Dublin Core tags for extended metadata.
+        </p>
+<source><![CDATA[
     <portlet>
         <portlet-name>LoginPortlet</portlet-name>
-        <js:security-constraint-ref>public-view</js:security-constraint-ref>       
+        <js:security-constraint-ref>public-view</js:security-constraint-ref>
         <dc:title>Login Portlet</dc:title>
         <dc:creator>J2 Team</dc:creator>
     </portlet>
-]]></source>			
-	<p>Another setting is a hint to the Jetspeed Customizer's Portlet Selector feature:</p>
-<source><![CDATA[			
-	        <js:metadata name="selector.conditional.role">admin</js:metadata>                         
-]]></source>			
+]]></source>
+        <p>Another setting is a hint to the Jetspeed Customizer's Portlet Selector feature:</p>
+<source><![CDATA[
+                <js:metadata name="selector.conditional.role">admin</js:metadata>
+]]></source>
 <p>The js:metadata tag with the name attribute set to <code>selector.conditional.role</code> means that only users with the role named
 <code>admin</code> will be able to see this portlet in the portlet selector. All other users will not see this portlet in the selector.
-By setting the conditional role to <code>*</code>, you are telling Jetspeed that this portlet should never appear in the 
+By setting the conditional role to <code>*</code>, you are telling Jetspeed that this portlet should never appear in the
 portlet selector.</p>
+
 <p>There is a global setting in the <a href='jetspeed-properties.html'>jetspeed.properties</a> file allowing you to merge servlet 
 request parameters with portlet parameters. This is useful in Portlet 1.0 applications that need shared render parameters, or if you
 need to communicate with your portlet via the URL in some rare cases. This global feature is also available on a per portlet basis
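Review bot: the instruction "change the 5th constructor-arg element from false -> true" identifies the flag only by position, and the bean listing that follows already shows `<value>true</value>` without saying it is the enabled form, even though the text gives the default as false. Identify the argument as the `<constructor-arg type="boolean">` under the inline comment and state that the listing shows the non-default, enabled setting, so a reader comparing it with a stock aggregation.xml is not misled. The bean comment names jetspeed-portlet.xml as the source of these constraints, but the re-added paragraph right after the listing still says jetspeed-security.xml; the two should agree. That paragraph and the two short source blocks after it are otherwise only re-indented from tabs to spaces, which adds noise to the diff, and the new bean XML itself has no indentation at all.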
@@ -186,4 +230,4 @@ If your portlet requires a <a href='guid
 </subsection>			
 </section>
 </body>
-</document>
\ No newline at end of file
+</document>

Modified: portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml?rev=935887&r1=935886&r2=935887&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml (original)
+++ portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml Tue Apr 20 12:05:14 2010
@@ -316,6 +316,13 @@ only the view permission is checked agai
 are tested only against the containing page.
 </p>
 </section>
+<section name='Portlet Constraints'>
+<p>Globally, these are set for a portlet or its portlet application using the administration interface or in the applications's <b><i>jetspeed-portlet.xml</i></b>. See Portal Components - Registry.</p>
+<p>However, these global security constraints are not checked by default at render time for 'view', allowing 'view' if the user can see the portlet's containing page.</p>
+<p>Security therefore relies on constraining access to folders and pages, controlling who can add portlets and where, and constraining access to portlet instances on a page individually by their containing fragments.</p>
+
+<p>To enable render-time security constraint checking as an extra catch-all, see Portal Components - Registry.</p>
+</section>
 <section name="Spring Configuration">
 <p>
 Declarative Security Constraints are enabled by default in the Spring configuration of the
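Review bot: "See Portal Components - Registry" appears twice in the new Portlet Constraints section as plain text, so the reader gets no link to the page that documents the render-time switch; make it an `<a href=...>` in the same way guide-registry.xml links jetspeed.properties. In the same section, "applications's" should be "application's", and `<section name='Portlet Constraints'>` uses single quotes where the adjacent `<section name="Spring Configuration">` uses double. Because the section states that global constraints are not checked at render time for 'view' by default, it would also help to name the setting here (the boolean constructor-arg on the PortletRenderer bean in WEB-INF/assembly/aggregation.xml) instead of only deferring to the other page.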