13 Replies Latest reply on Jun 19, 2012 6:26 AM by anishnagaraj

    Securing Portlet Modes

    keletappi

      Is it currently possible to secure portlet modes? I have tried to do some research here but I can only make a page or portlet appear/disappear for certain users. I just want edit mode disabled for all but specified roles.

        • 1. Re: Securing Portlet Modes
          noicangi

          please post how to make that, and example code please... for the ones who are still learning


          thanks in advance

          • 2. Re: Securing Portlet Modes
            keletappi

            In MyPortal.war (that is the war containing the portal deployment) I have the file myportal-object.xml that defines the portlets, page and window structures.

            If I want some page to be visible only for admins I simply define it like this:

            ...
            <page>
              <page-name>AdminsOnly</page-name>
              <properties />

              <window>
                <window-name>Navigation</window-name>
                <instance-ref>NavigationPortletInstance</instance-ref>
                <region>navigation</region>
                <height>0</height>
                <properties>
                  <property>
                    <name>theme.windowRendererId</name>
                    <value>emptyRenderer</value>
                  </property>
                  <property>
                    <name>theme.decorationRendererId</name>
                    <value>emptyRenderer</value>
                  </property>
                  <property>
                    <name>theme.portletRendererId</name>
                    <value>emptyRenderer</value>
                  </property>
                </properties>
              </window>

              <window>
                <window-name>UserPortletWindow</window-name>
                <instance-ref>UserPortletInstance</instance-ref>
                <region>left</region>
                <height>0</height>
              </window>

              <security-constraint>
                <policy-permission>
                  <role-name>Admin</role-name>
                  <action-name>view</action-name>
                </policy-permission>
              </security-constraint>
            </page>
            ...
            


            BTW. I have just been playing with this portal implementation for 3 days now. After using jetspeed2 and other portals this system feels nice and flexible. Much easier to deploy a portal and edit layouts and themes. However there are some severe limitations that prevent me from using it in a production environment - like I really need to know how to limit access to portlet modes per role. Hopefully everything will be fixed in time.

            I have decided to keep the portal deployment in its own war, so that I don't pollute my portlet wars with portal implementation specific stuff.

            • 3. Re: Securing Portlet Modes

               

              "keletappi" wrote:

              BTW. I have just been playing with this portal implementation for 3 days now. After using jetspeed2 and other portals this system feels nice and flexible. Much easier to deploy a portal and edit layouts and themes.


              Nice to see someone appreciates this ;)

              "keletappi" wrote:

              However there are some severe limitations that prevent me from using it in a production environment - like I really need to know how to limit access to portlet modes per role. Hopefully everything will be fixed in time.


              This was in the original design, but was dropped early on, to keep the security impl in 2.2 simple. I agree with you that we need such a feature.

              Please add a JIRA task for it, and link to it from this thread.

              • 4. Re: Securing Portlet Modes
                keletappi
                • 5. Re: Securing Portlet Modes

                  Hi !!

                  I speak on this topic to know if a solution has been implemented on JBoss portal 2.4 to secure a portlet mode ?

                  This topic is old, so, I think yes, but, how can I do ? Thx

                  • 6. Re: Securing Portlet Modes
                    antoine_h

                    yes, interesting feature : mode depending on roles.
                    but for what I know it is not in the JSR-168
                    and may be long before you get it as a specific vendor feature in jboss portal. (they go quick ! but you seem to need it now...)

                    to do that in the mean time (1) :
                    - set the window security to all users
                    - in the portlet rendering (for the decoration and putting the mode icons) : rewrite one of the rendering classes, configure it into the layout, configure the window so it uses this rendering
                    - in this class, make the "if user ok" check, then show the icon of the mode, if not don't show it.

                    the portlet rendering is the more complicated thing :
                    - not sure you will have access to what user is calling this window rendering... so look how it works, and how you can get the user Principal, or RemoteUser things from there.

                    (2) other way, for the portlet decoration rendering
                    - in the do view, if the mode and user policy say "no edit mode", add a special CSS stylesheet in the header of the page. (specific css for this portlet).
                    - in the css, set the html tag of the edit mode to "not visible" (or no image...)
                    - you may play with the definition of css styles like #MyPortletContainer #TheEditModeIcon. This is to make sure only this portlet window will disable the edit icon
                    - even if you can't have the (1) solution, you may have to rewrite a rendering class, to adjust the class and id of html tags, so it fits your needs.

                    well, that's for the rendering

                    for the security : in the do view, check the user and mode policy, and if it is a forbidden mode, show nothing in the view.
                    because someone can ask for the edit mode by playing with the url directly, (without clicking on the icon).

                    it is "not quick and dirty"... but you may have what you need, before it is implemented in jboss portal.

                    also think of the cache stuff : if not logged in, the user gets the window with no edit mode. then he logs in as admin : the cached window will show without the icon... not good for the admin.
                    I am quite sure the cache process does not check this kind of situation.
                    to invalidate the cache of all portlets when logged in, see some previous posts...
                    or put this portlet with no cache, if you can afford it with cpu.

                    hope that helps... and there are no other troubles in the way that I did not see...
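The server-side part of the approach above (check the user and the mode policy in the portlet itself, so that a hand-typed edit URL is refused as well as the icon being hidden) as an added example that is not part of the thread and not JBoss Portal code. It is a plain JSR-168 portlet; the class name ModeSecuredPortlet, the policy map and the rendered messages are assumptions, and the "Admin" role is the one used in the myportal-object.xml snippet earlier in the thread, so it must match whatever roles the portal maps to the portlet (via security-role-ref in portlet.xml where the portal requires it).

```java
// Added example (not from the thread): a JSR-168 portlet that enforces a
// per-mode role policy on the server side, for both render and action requests.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletMode;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class ModeSecuredPortlet extends GenericPortlet {

    // Policy: mode -> role required to use it (assumed policy for this example).
    // Modes that are not listed stay open to everyone, including anonymous users.
    private static final Map<PortletMode, String> REQUIRED_ROLE = new HashMap<PortletMode, String>();
    static {
        REQUIRED_ROLE.put(PortletMode.EDIT, "Admin");
    }

    /** True when the caller may use the given mode; anonymous callers never get a restricted mode. */
    static boolean isModeAllowed(PortletRequest request, PortletMode mode) {
        String role = REQUIRED_ROLE.get(mode);
        if (role == null) {
            return true; // unrestricted mode
        }
        return request.getRemoteUser() != null && request.isUserInRole(role);
    }

    // GenericPortlet routes every render request through doDispatch before
    // calling doView/doEdit/doHelp, so one check here covers all modes,
    // including an edit mode requested directly through the URL.
    protected void doDispatch(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        PortletMode mode = request.getPortletMode();
        if (!isModeAllowed(request, mode)) {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.print("<p>Mode '" + mode + "' is not available for this user.</p>");
            return; // render nothing else
        }
        super.doDispatch(request, response);
    }

    // A form submitted from edit mode arrives as an action request; it has to be
    // refused too, otherwise hiding the icon hides the form but not the state change.
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        PortletMode mode = request.getPortletMode();
        if (!isModeAllowed(request, mode)) {
            throw new PortletSecurityException("mode " + mode + " denied for user " + request.getRemoteUser());
        }
        // normal action handling for an allowed mode goes here
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        response.getWriter().print("<p>view content</p>");
    }

    protected void doEdit(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        response.getWriter().print("<p>edit form (Admin role only)</p>");
    }
}
```

Hiding the icon in a rendering class is only a usability measure; the two checks above are what actually stop a user who is not in the role. For the cache problem mentioned in the post (an anonymous rendering served to a user who logs in afterwards), the portable setting is `<expiration-cache>0</expiration-cache>` in the portlet's portlet.xml, which disables the render cache for that portlet at the cost of re-rendering it on every request.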

                    • 7. Re: Securing Portlet Modes
                      timdp

                       

                      "Antoine_h" wrote:
                      yes, interesting feature : mode depending on roles.
                      but for what I know it is not in the JSR-168
                      and may be long before you get it as a specific vendor feature in jboss portal. (they go quick ! but you seem to need it now...)


                      <snipped from JSR-168 Specification - Under Portlet Modes>

                      The availability of the portlet modes, for a portlet, may be restricted to specific user roles by the portal. For example, anonymous users could be allowed to use the VIEW and HELP portlet modes but only authenticated users could use the EDIT portlet mode.



                      • 8. Re: Securing Portlet Modes

                         

                        The availability of the portlet modes, for a portlet, may be restricted to specific user roles by the portal. For example, anonymous users could be allowed to use the VIEW and HELP portlet modes but only authenticated users could use the EDIT portlet mode.


                        It's what I want !!! But how can I do that ???

                        Thx Antoine_h, but your solution isn't simple and I don't know if I can modify my source (doView function). And the thing is that we can access the mode directly in the URL... I've already thought to modify my doEdit function, but I want to know if there is a simpler solution !

                        • 9. Re: Securing Portlet Modes

                           

                          "Antoine_h" wrote:
                          yes, interesting feature : mode depending on roles.
                          but for what I know it is not in the JSR-168
                          and may be long before you get it as a specific vendor feature in jboss portal. (they go quick ! but you seem to need it now...)

                          to do that in the mean time (1) :
                          - set the window security to all users
                          - in the portlet rendering (for the decoration and putting the mode icons) : rewrite one of the rendering classes, configure it into the layout, configure the window so it uses this rendering
                          - in this class, make the "if user ok" check, then show the icon of the mode, if not don't show it.

                          the portlet rendering is the more complicated thing :
                          - not sure you will have access to what user is calling this window rendering... so look how it works, and how you can get the user Principal, or RemoteUser things from there.

                          (2) other way, for the portlet decoration rendering
                          - in the do view, if the mode and user policy say "no edit mode", add a special CSS stylesheet in the header of the page. (specific css for this portlet).
                          - in the css, set the html tag of the edit mode to "not visible" (or no image...)
                          - you may play with the definition of css styles like #MyPortletContainer #TheEditModeIcon. This is to make sure only this portlet window will disable the edit icon
                          - even if you can't have the (1) solution, you may have to rewrite a rendering class, to adjust the class and id of html tags, so it fits your needs.

                          well, that's for the rendering

                          for the security : in the do view, check the user and mode policy, and if it is a forbidden mode, show nothing in the view.
                          because someone can ask for the edit mode by playing with the url directly, (without clicking on the icon).

                          it is "not quick and dirty"... but you may have what you need, before it is implemented in jboss portal.

                          also think of the cache stuff : if not logged in, the user gets the window with no edit mode. then he logs in as admin : the cached window will show without the icon... not good for the admin.
                          I am quite sure the cache process does not check this kind of situation.
                          to invalidate the cache of all portlets when logged in, see some previous posts...
                          or put this portlet with no cache, if you can afford it with cpu.

                          hope that helps... and there are no other troubles in the way that I did not see...



                          How can I rewrite one of the rendering class ?? Example ?? Deployment ?? I need some help !!!

                          • 10. Re: Securing Portlet Modes
                            antoine_h

                            By rendering class, it means :
                            the class that is in charge of the rendering, like divRendering.

                            you may also look at the LayoutStrategy (I think this is the exact name of the class).
                            in 2.4.1 PS1 there is this added feature :

                            * [JBPORTAL-823] - Access to Portlet Action Request in LayoutStrategy

                            see : http://sourceforge.net/project/shownotes.php?release_id=471406&group_id=22866
                            then, you have the portlet mode and the principal, to apply your policy.

                            You can find the descriptor about using those classes there :
                            \deploy\jboss-portal.sar\portal-core.war\WEB-INF\layout

                            A good way to do all this about layout :
                            - copy all the layout things (see doc) in your own MyPortalLayout.war project
                            - modify things (overriding classes, building your own classes, modifying the descriptor for your own layout)
                            - package the war and deploy it apart
                            - in your portal descriptor, set your portal to this layout
                            - this way, you have a war responsible for layout. And only this. Clean.

                            This way, it is your own layout, and you can work on it, and redeploy (hot deploy) many times... without modifying jboss portal things, without redeploying all the portal core.

                            after, you can comment things out in the jboss portal delivered layout, to avoid having them loaded in the system for nothing (as you don't use these layouts anymore).

                            The minimum : modify the edit method.... write a message saying the user can't do that.
                            and yes, you will have to...
                            If you use some portlets written by others (forum ?, CMSPortlet....) then, it is open source : override the class, or rewrite things...

                            it is difficult for me to tell more : I can tell "this is where to look"... but I don't know by heart how to do it.

                            For tuning things, and making several tries and seeing : consider also sometimes emptying the portal object tables in the database (server shut down before).
                            I have put a post with the sql script for this.
                            do that if things don't go the way you expect : sometimes, it is good to restart the portal and make sure the database has no "old description things" in it.

                            Yes, it is not quick. But if you really want this feature.
                            and it is not a big deal either.

                            I have started with this too... good way to start and enter into customizing and building a portal.

                            as you want these kinds of special features : it is good to see how the layout works "inside". interesting things... and good to be aware of what is going on...

                            and again : not difficult... it just takes a little time.
                            I would say one or two days, maybe four if you take time to wander around to understand all the layout process.


                            • 11. Re: Securing Portlet Modes

                              Thank you !!

                              I've made my own DecorationRenderer after seeing that it's the class responsible for displaying the icon...

                              It works !! Thank you !!

                              But, I can't get the user to make a filter. I search to do that !!

                              • 12. Re: Securing Portlet Modes

                                I've made that you see :

                                "Antoine_h" wrote:

                                to do that in the mean time (1) :
                                - set the window security to all users
                                - in the portlet rendering (for the decoration and putting the mode icons) : rewrite one of the rendering classes, configure it into the layout, configure the window so it uses this rendering
                                - in this class, make the "if user ok" check, then show the icon of the mode, if not don't show it.

                                the portlet rendering is the more complicated thing :
                                - not sure you will have access to what user is calling this window rendering... so look how it works, and how you can get the user Principal, or RemoteUser things from there.


                                The problem is that I can't have access to what user is calling this window rendering...
                                I need that to enter into production... Without it, we can't use Jboss Portal !!!

                                • 13. Re: Securing Portlet Modes
                                  anishnagaraj

                                  Hi Jouni,

                                   

                                  I am new to JBoss EPP. Can you please provide an example on how the user login details can be accessed inside a specific portlet controller class.

                                  Please help me on this.

                                   

                                  Regards,

                                  Anish
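The question above asks how a portlet class can read the logged-in user's details; the standard JSR-168 request API gives the login name, the Principal, role membership and (when the portlet declares them) user attributes. The following is an added example, not code from the thread or from JBoss Portal/EPP: the class name WhoAmIPortlet is hypothetical, "Admin" is the role name used earlier in the thread, and "user.name.given" is one of the attribute names listed in the JSR-168 specification (PLT.D) that the portal only supplies if the portlet's portlet.xml declares it in a user-attribute element.

```java
// Added example (not from the thread): reading the caller's identity from a
// JSR-168 PortletRequest inside the portlet class itself.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.Map;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class WhoAmIPortlet extends GenericPortlet {

    /** Login name of the authenticated user, or null for an anonymous visitor. */
    static String loginName(PortletRequest request) {
        String user = request.getRemoteUser(); // set by the portal after authentication
        if (user == null) {
            // Some portals expose only the Principal; fall back to its name.
            Principal p = request.getUserPrincipal();
            user = (p == null) ? null : p.getName();
        }
        return user;
    }

    /** One entry of the user-info map (PortletRequest.USER_INFO), or null when absent. */
    static String userAttribute(PortletRequest request, String name) {
        Map<?, ?> info = (Map<?, ?>) request.getAttribute(PortletRequest.USER_INFO);
        if (info == null) {
            return null; // portal supplies no user info, or the portlet declared none
        }
        Object value = info.get(name);
        return (value == null) ? null : value.toString();
    }

    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        String user = loginName(request);
        if (user == null) {
            out.print("<p>anonymous visitor</p>");
            return;
        }
        out.print("<p>user: " + escape(user) + "</p>");

        String given = userAttribute(request, "user.name.given");
        if (given != null) {
            out.print("<p>given name: " + escape(given) + "</p>");
        }
        // Role check against the portal's role mapping (assumed role name "Admin").
        out.print("<p>in role Admin: " + request.isUserInRole("Admin") + "</p>");
    }

    // Minimal HTML escaping so a user-controlled display name cannot inject markup.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

`getRemoteUser()` and `isUserInRole()` are the values to base an authorization decision on; attributes from the USER_INFO map are profile data the portal copies from its user store and should be treated as display data only, hence the escaping before they are written into the page.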