When integrating the portal with an existing authentication facility, such as a directory, it can be useful to map admin privileges from the 'Admin' role in the portal to an existing role from the authentication facility.
In jboss-portal.sar/conf/data/default-object.xml, find the tag
<portal-name>admin</portal-name>
and under it, modify the role-name tag:
<security-constraint>
  <policy-permission>
    <action-name>viewrecursive</action-name>
    <role-name>YourNewAdminRole</role-name>
  </policy-permission>
</security-constraint>
Alternatively, if you want to keep the current privileges for 'Admin', just add another policy-permission. This has the effect that the admin portal is accessible for YourNewAdminRole.
To get access to the WSRP admin portlet, edit portal-wsrp.sar/portal-wsrp-admin.war/WEB-INF/portlet-instances.xml and change the content of the role-name tag from Admin to YourNewAdminRole.
The same works for portal-admin.sar/portal-admin.war/WEB-INF/portlet-instances.xml, for allowing access to the management portlet. You also need to edit the PortletContentEditorInstance in jboss-portal.sar/portal-core.war/WEB-INF/portlet-instances.xml and switch the Admin role to YourNewAdminRole, so that the list of portlet instances in the page layout pages is displayed.
To get access to the user and role portlets, in JBoss Portal prior to 2.6.2, add a role-link tag in jboss-portal.sar/portal-core.war/WEB-INF/portlet.xml:
<security-role-ref>
  <role-name>Admin</role-name>
  <role-link>YourNewAdminRole</role-link>
</security-role-ref>
Do this for both User portlet and the Role management. It maps your YourNewAdminRole to the admin role in those management portlets. More information can be found in the portlet specification, PLT.20.3, Programmatic Security.
In JBoss Portal 2.6.2 and later, simply edit portal-identity.war/WEB-INF/portlet-instances.xml just like you did above for the management and wsrp portlets.
To get access to the cms admin portlet, change portal-cms.sar/META-INF/jboss-service.xml as follows: In the ACL Security Interceptor MBean, change the three instances of the role-name tag from 'Admin' to YourNewAdminRole.
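Because the same role-name change has to be repeated across several descriptors, a missed file leaves a portlet locked to a role that no directory user holds. The following helper is an added example (not part of the portal or this page) that audits a descriptor for remaining 'Admin' references and performs the remap, either replacing the role or appending a second policy-permission as described above. The sample document is constructed; its outer deployments/deployment/instance wrapper tags are an assumption, only the security-constraint, policy-permission, action-name and role-name tags come from the page.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a portlet-instances.xml; the <deployments>,
# <deployment> and <instance> wrappers are assumed, not copied from a deployment.
SAMPLE_XML = """<deployments><deployment>
  <instance><instance-id>PortletContentEditorInstance</instance-id>
    <security-constraint><policy-permission>
      <action-name>view</action-name><role-name>Admin</role-name>
    </policy-permission></security-constraint></instance>
  <instance><instance-id>PublicInstance</instance-id>
    <security-constraint><policy-permission>
      <action-name>view</action-name><unchecked/>
    </policy-permission></security-constraint></instance>
</deployment></deployments>"""


def find_role_refs(xml_text, role="Admin"):
    """Return the parent tag of every role-name element that still names `role`.
    An empty list for 'Admin' after editing means no portlet is gated to the old role."""
    root = ET.fromstring(xml_text)
    hits = []
    for parent in root.iter():
        for child in parent:
            if child.tag == "role-name" and (child.text or "").strip() == role:
                hits.append(parent.tag)
    return hits


def remap_role(xml_text, old="Admin", new="YourNewAdminRole", keep_old=False):
    """Rewrite role-name `old` to `new` inside every policy-permission.
    With keep_old=True a duplicate policy-permission for `new` is appended to the
    security-constraint instead, so the original role keeps its access."""
    root = ET.fromstring(xml_text)
    for constraint in list(root.iter("security-constraint")):
        # Snapshot the children so an appended duplicate is not revisited.
        for perm in list(constraint.findall("policy-permission")):
            name = perm.find("role-name")
            if name is None or (name.text or "").strip() != old:
                continue  # unchecked permissions or other roles stay untouched
            if keep_old:
                perm = copy.deepcopy(perm)
                constraint.append(perm)
                name = perm.find("role-name")
            name.text = new
    return ET.tostring(root, encoding="unicode")
```

Run find_role_refs over each descriptor listed above after editing; any remaining 'Admin' hit is a file that still needs the change.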
Attention:
The following two bugs have been fixed in versions newer than the 2_6 branch on Nov. 28 2007 (i.e. 2.6.3 and newer). See here for an explanation and the two necessary config changes you have to make instead of the source code changes mentioned below.
There is a pending bug that prevents CMS from working if there doesn't exist a user called 'admin', for example if you use LDAP. It can be worked around by making a small change in the source. Details can be found here.
There is another pending bug that prevents access to the permission part of the CMS Admin portlet.
To see the effects of the above changes, you may need to stop the application server and delete the portal databases (by default these are the cms database and the hypersonic database in default/data/portal/). Be wary of settings you want to keep! Then restart the application server.