6 Replies Latest reply on Jul 25, 2006 1:31 AM by bhupeshs

Unable to add security constraint to portlets

bhupeshs Jul 21, 2006 6:09 AM

Hi,

I am using jboss portal 2.4.0-Beta1 with Jboss4.0.4GA and MySql5.0

I am trying to add security-constraint to a portlet, but it is not getting reflected. The security-constrating to a page, however is working fine.

I tried adding security-contraint to a Window, PortletInstance and a Portlet but none of them is working.

for Portlet window, I tried something like this in myPortal-object.xml file and deployed the war, but everyone is able to access the portlet.

 <deployment>
 <parent-ref>default.Dashboard2</parent-ref>
 <if-exists>overwrite</if-exists>
 <window>
 <window-name>ScheduledInterviewsWindow2</window-name>
 <instance-ref>KNXScheduledInterviewsInstance2</instance-ref>
 <default>true</default>
 <region>center</region>
 <height>0</height>
 <security-constraint>
 <policy-permission>
 <role-name>Admin</role-name>
 <action-name>view</action-name>
 </policy-permission>
 </security-constraint>
 </window>
 </deployment>

I even tried it for the portlet, by adding the security-constraint in jboss-portlet.xml file

 <portlet>
 <portlet-name>ScheduledInterviewsPortlet2</portlet-name>
 <security></security>
 <security-constraint>
 <policy-permission>
 <role-name>Admin</role-name>
 <action-name>view</action-name>
 </policy-permission>
 </security-constraint>
 </portlet>

Even the security for portlet-instance is also not working.

In myPortal-objext.xml

 <deployment>
 <if-exists>overwrite</if-exists>
 <instance>
 <instance-name>
 KNXScheduledInterviewsInstance2
 </instance-name>
 <component-ref>
 KenexaDashboard2.ScheduledInterviewsPortlet2
 </component-ref>
 <security-constraint>
 <policy-permission>
 <role-name>Admin</role-name>
 <action-name>view</action-name>
 </policy-permission>
 </security-constraint>
 </instance>
 </deployment>

In Portlet-Instances.xml

 <instance>
 <instance-id>KNXScheduledInterviewsInstance2</instance-id>
 <portlet-ref>ScheduledInterviewsPortlet2</portlet-ref>
 <security-constraint>
 <policy-permission>
 <role-name>Admin</role-name>
 <action-name>view</action-name>
 </policy-permission>
 </security-constraint>
 </instance>

I even changed the window_access_denied propery in cong/config.xml from show to hide

<entry key="core.render.window_access_denied">hide</entry>

Am I missing anything else? I even tried to do it from the management console but that didn't work either.

Any help would be greatly appreciated.

Thanks & Regards,
Bhupesh.

1. Re: Unable to add security constraint to portlets

julien1 Jul 21, 2006 6:41 AM (in response to bhupeshs)

for portal objects, check that a parent in the hierarchy does not have view recursive permission.

what is the version you are using ?
Actions
2. Re: Unable to add security constraint to portlets

julien1 Jul 21, 2006 6:41 AM (in response to bhupeshs)

btw use the management portlet for instances and portal objects. there is a security tab that shows those.
Actions
3. Re: Unable to add security constraint to portlets

bhupeshs Jul 21, 2006 7:55 AM (in response to bhupeshs)

Hi Julian,

Thanks a lot for the quick reply. But I still have issues securing a portlet.

I am using Jboss-Portal-2.4.0Beta1 with Jboss 4.0.4GA and MySql 5.0

Let me briefly explain my requirements. The protal page contains 5 portlets. All users should be able to access the page and they are shown all portlets except one. The last portlet should be shown only to users with Admin role. So the user should see 4 portlets and Admin should see 5 portlets.

I have now changed the viewrecursive permission for default protal instance to view. so no node in the hierarchy now has viewrecursive permission.

As of now i am still trying to secure a portlet through descriptor files itself. The permissions are getting stored in the database correctly for portletwindow. I can see correct values in jbp_object_node_security and jbp_object_note_security tables. The portletWindow security tab also displays the role correctly. i.e. only the admin has view permission and others have no permission.

Everything looks OK, but when I access the page everyone is able to see all the portlets in the page.

There is one more problem with the security tab in management console. Once i select a value for a group, there is no way to unselect the value from the list box. I am able to change it to other value, but i cannot unselect it. For Example, the default unchecked role has view permission which i want to remove. I cannot do it from the management portlet.

I can send you a sample war file which shows this. Should I create a jira ticket for this???

Thanks and Regards,
Bhupesh
Actions
4. Re: Unable to add security constraint to portlets

roy.russo Jul 21, 2006 11:44 AM (in response to bhupeshs)

"bhupeshs" wrote:
There is one more problem with the security tab in management console. Once i select a value for a group, there is no way to unselect the value from the list box. I am able to change it to other value, but i cannot unselect it. For Example, the default unchecked role has view permission which i want to remove. I cannot do it from the management portlet.

CTRL+click the selected item, to unselect.

I'll look in to your other issues, shortly.
Actions
5. Re: Unable to add security constraint to portlets

roy.russo Jul 21, 2006 1:38 PM (in response to bhupeshs)

Ok. Try constraining the portlet at the instance level. We are no longer supporting window-level security contraints.
Actions
6. Re: Unable to add security constraint to portlets

bhupeshs Jul 25, 2006 1:31 AM (in response to bhupeshs)

I downloaded and started using JBoss-Portal 2.4.0-CR2 . I guess there are some changes to the security constraints. Even the documentation is better.

I was able to restrict the view access through management console. But I am still unable to restrict access through deployment descriptors. Are you still supporting security-constraints through deployment descriptors?
Actions

Go to original post