Posted to user@roller.apache.org by Dave <sn...@gmail.com> on 2009/12/02 02:59:37 UTC

Re: Securing Postings

On Sun, Nov 29, 2009 at 2:11 PM, Luke Shannon <lu...@gmail.com> wrote:
> I am looking at Roller for a group to communicate online. I have seen
> it on Matt Raible's site and have briefly browsed the docs and am
> pretty impressed so far.
>
> However, one requirement I am not sure of is that I would like users
> to be able to ensure postings will only be viewable to other users of
> the system by default, with an option to make it viewable to anyone
> hitting the site. Is this out-of-the-box functionality? Is this a
> simple customization that could be made?

Protected blogs are not an out-of-the-box feature and probably not an
easy customization.

It might be possible via some LDAP and Spring Security magic that you
could create some blogs that are visible only to certain people.

- Dave

Re: Securing Postings

Posted by Luke Shannon <lu...@gmail.com>.
Thanks for this. I am familiar with configuring Spring Security for
another application so this is great news for me.

I am looking forward to trying this out.

Luke

On Wed, Dec 2, 2009 at 6:31 AM, Konrad Hosemann <ko...@hosemann.name> wrote:
> Hi,
>
> Am 02.12.2009 um 02:59 schrieb Dave:
>> Protected blogs are not an out-of-the-box feature and probably not an
>> easy customization.
>>
>> It might be possible via some LDAP and Spring Security magic that you
>> could create some blogs that are visible only to certain people.
>
> Requiring authentication to access Roller can be realized by some changes to the Spring Security configuration, see the attached security.xml. The changes are basically:
>
> -- exclude some URL patterns from filtering, like styles and favicon. Done in property filterInvocationDefinitionSource of bean filterChainProxy.
>
> -- require at least the editor role for all other URLs. Done in property objectDefinitionSource of bean filterInvocationInterceptor. This implies that you grant the editor role to all users. Because I use the Roller admin API to manage users, that is not a problem for me. If you manage users using the Roller webapp you might add some hack somewhere to grant that role automatically.
>
> If you want to exclude some blog from requiring a successful login, you could add a rule to the filterInvocationInterceptor, e.g.
> /demo/**=ROLE_ANONYMOUS,admin,editor
> would allow everybody to access the blog with the handle 'demo'.
>
> Of course this is a static definition and only works on blogs as a whole, not single postings. But it could be a starting point.
>
> This works for 4.0.1; I have not yet tried 5.0.
>
> best regards,
> konrad
>

Re: Securing Postings

Posted by Konrad Hosemann <ko...@hosemann.name>.
Hi,

Am 02.12.2009 um 02:59 schrieb Dave:
> Protected blogs are not an out-of-the-box feature and probably not an
> easy customization.
> 
> It might be possible via some LDAP and Spring Security magic that you
> could create some blogs that are visible only to certain people.

Requiring authentication to access Roller can be realized by some changes to the Spring Security configuration, see the attached security.xml. The changes are basically:

-- exclude some URL patterns from filtering, like styles and favicon. Done in property filterInvocationDefinitionSource of bean filterChainProxy.

-- require at least the editor role for all other URLs. Done in property objectDefinitionSource of bean filterInvocationInterceptor. This implies that you grant the editor role to all users. Because I use the Roller admin API to manage users, that is not a problem for me. If you manage users using the Roller webapp you might add some hack somewhere to grant that role automatically.

If you want to exclude some blog from requiring a successful login, you could add a rule to the filterInvocationInterceptor, e.g.
/demo/**=ROLE_ANONYMOUS,admin,editor
would allow everybody to access the blog with the handle 'demo'.

Of course this is a static definition and only works on blogs as a whole, not single postings. But it could be a starting point. 

This works for 4.0.1; I have not yet tried 5.0.

best regards,
konrad
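To make the two changes Konrad describes concrete, here is an added example of the kind of Spring Security 2.0 bean definitions involved. It is not the security.xml attached to his mail (that attachment is not reproduced in this thread) and not Roller's shipped configuration; the bean ids and property names are the ones the mail names, the `/demo/**` rule is the one from the mail, and everything else (the class names, the filter bean names in the chain, the `/roller-ui/...` paths used for the login page, styles and admin area) is an assumption to be checked against the security.xml actually deployed.

```xml
<!-- Added example, not the attachment from the mail. Assumptions: Spring
     Security 2.0 class names (an Acegi-based build uses the
     org.acegisecurity equivalents), filter bean names and /roller-ui/...
     paths taken from a typical Roller deployment. -->

<!-- 1. Filter chain: styles, images and favicon bypass the whole chain
        (an empty filter list after '='); every other URL runs through the
        normal filters, ending in filterInvocationInterceptor. -->
<bean id="filterChainProxy"
      class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /roller-ui/styles/**=
      /roller-ui/images/**=
      /favicon.ico=
      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>

<!-- 2. Authorization rules. Patterns are tried top to bottom and the FIRST
        match wins, so every exception must come before the /** catch-all.
        If /**=admin,editor were listed first, the /demo/** line below would
        never be reached and the 'demo' blog would stay login-only. -->
<bean id="filterInvocationInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /roller-ui/login.rol=ROLE_ANONYMOUS,admin,editor
      /demo/**=ROLE_ANONYMOUS,admin,editor
      /roller-ui/admin/**=admin
      /**=admin,editor
    </value>
  </property>
</bean>
```

Two things worth checking when adapting this. First, because the catch-all now gates every URL, the login page itself (assumed here to be `/roller-ui/login.rol`) must keep an anonymous rule; otherwise the unauthenticated redirect to the login page is itself denied and the browser loops. The form-login processing URL needs no rule because `authenticationProcessingFilter` consumes it before the interceptor runs. Second, `CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON` means the request path is lowercased before matching, so the patterns must be written in lowercase; a mixed-case blog handle in a rule would silently never match. As the mail says, this stays a whole-blog, static decision: anything finer (per-posting visibility) would have to live in application code, not in these rules.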