2 Replies Latest reply on Sep 1, 2006 6:41 PM by prijken

    problem configuring portal security

    prijken

      I am trying to configure the security for the portal pages.
      In my *-object.xml file I have:

      <?xml version="1.0" encoding="UTF-8"?>
      <deployments>
         <deployment>
            <if-exists>overwrite</if-exists>
            <parent-ref>LogicaCMG</parent-ref>
            <properties/>
            <page>
               <page-name>[01]Home</page-name>
               <properties>
                  <property>
                     <name>order</name>
                     <value>01</value>
                  </property>
                  <property>
                     <name>icon</name>
                     <value>/images/navigation/Home.png</value>
                  </property>
               </properties>
               <window>
                  <window-name>Navigation</window-name>
                  <instance-ref>SmartNavigationInstance</instance-ref>
                  <region>navigation</region>
                  <height>0</height>
                  <properties>
                     <property><name>theme.windowRendererId</name><value>emptyRenderer</value></property>
                     <property><name>theme.decorationRendererId</name><value>emptyRenderer</value></property>
                     <property><name>theme.portletRendererId</name><value>emptyRenderer</value></property>
                  </properties>
               </window>
               <window>
                  <window-name>[01]Welcome</window-name>
                  <instance-ref>WelcomeInstance</instance-ref>
                  <region>center</region>
                  <height>0</height>
               </window>
               <security-constraint>
                  <policy-permission>
                     <role-name>User</role-name>
                     <action-name>personaliserecursive</action-name>
                  </policy-permission>
               </security-constraint>
            </page>
         </deployment>
      </deployments>
      


      but the <security-constraint>...</security-constraint> does not seem to have an effect when I try to access the page.
      I captured the following trace:
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /portal/portal/LogicaCMG
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,433 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure+Authenticated]' against GET /portal/LogicaCMG --> false
      2006-09-01 13:57:34,434 DEBUG [org.apache.catalina.realm.RealmBase] No applicable constraint located
      2006-09-01 13:57:34,434 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
      2006-09-01 13:57:34,434 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callernull
      2006-09-01 13:57:34,434 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2006-09-01 13:57:34,434 TRACE [org.jboss.web.tomcat.security.RunAsListener] PortalServletWithPathMapping, runAs: null
      2006-09-01 13:57:34,434 TRACE [org.jboss.web.tomcat.security.RunAsListener] PortalServletWithPathMapping, runAs: null
      2006-09-01 13:57:34,434 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Session Created with id=252BF826603B10B0714B81967032E580
      2006-09-01 13:57:34,464 DEBUG [org.jboss.portal.theme.impl.LayoutServiceImpl] get logicacmg...
      2006-09-01 13:57:34,464 DEBUG [org.jboss.portal.theme.impl.LayoutServiceImpl] found logicacmg
      2006-09-01 13:57:34,465 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:uri=LogicaCMG.[01]Home::action=portalobject::type=portalobject
      2006-09-01 13:57:34,465 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:uri=LogicaCMG.[01]Home::action=portalobject::type=portalobject
      2006-09-01 13:57:34,465 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
      2006-09-01 13:57:34,466 TRACE [org.jboss.security.jacc.DelegatingPolicy] implies, domain=ProtectionDomain null
       null
       <no principals>
       java.security.Permissions@113230c (
       (javax.security.jacc.WebUserDataPermission /:/auth/*:/authsec/*:/sec/*)
       (javax.security.jacc.WebUserDataPermission /auth/*:/authsec/*)
       (javax.security.jacc.WebUserDataPermission /authsec/* :CONFIDENTIAL)
       (javax.security.jacc.WebUserDataPermission /sec/*)
       (javax.security.jacc.WebResourcePermission /:/auth/*:/authsec/*:/sec/*)
       (javax.security.jacc.WebResourcePermission /auth/*:/authsec/*)
       (javax.security.jacc.WebResourcePermission /authsec/*)
       (javax.security.jacc.WebResourcePermission /sec/*)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithDefaultServletMapping User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithDefaultServletMapping Authenticated)
       (javax.security.jacc.WebRoleRefPermission jsp User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithPathMapping User)
       (javax.security.jacc.WebRoleRefPermission User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithPathMapping Authenticated)
      )
      
      , permission=(org.jboss.portal.core.model.portal.PortalObjectPermission portalobjectpermission create,personalizerecursive)
      2006-09-01 13:57:34,466 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
      2006-09-01 13:57:34,466 TRACE [org.jboss.security.jacc.DelegatingPolicy] implies javax.security.auth.Subject.container: null
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.ContextPolicy] Allowed: Matched unchecked set, permission=(org.jboss.portal.core.model.portal.PortalObjectPermission portalobjectpermission create,personalizerecursive)
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.DelegatingPolicy] implied=true
      2006-09-01 13:57:34,474 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:result=true
      2006-09-01 13:57:34,474 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:result=true
      2006-09-01 13:57:34,474 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:uri=LogicaCMG.[01]Home::action=portalobject::type=portalobject
      2006-09-01 13:57:34,474 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:uri=LogicaCMG.[01]Home::action=portalobject::type=portalobject
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.DelegatingPolicy] implies, domain=ProtectionDomain null
       null
       <no principals>
       java.security.Permissions@2cca38 (
       (javax.security.jacc.WebUserDataPermission /:/auth/*:/authsec/*:/sec/*)
       (javax.security.jacc.WebUserDataPermission /auth/*:/authsec/*)
       (javax.security.jacc.WebUserDataPermission /authsec/* :CONFIDENTIAL)
       (javax.security.jacc.WebUserDataPermission /sec/*)
       (javax.security.jacc.WebResourcePermission /:/auth/*:/authsec/*:/sec/*)
       (javax.security.jacc.WebResourcePermission /auth/*:/authsec/*)
       (javax.security.jacc.WebResourcePermission /authsec/*)
       (javax.security.jacc.WebResourcePermission /sec/*)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithDefaultServletMapping User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithDefaultServletMapping Authenticated)
       (javax.security.jacc.WebRoleRefPermission jsp User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithPathMapping User)
       (javax.security.jacc.WebRoleRefPermission User)
       (javax.security.jacc.WebRoleRefPermission PortalServletWithPathMapping Authenticated)
      )
      
      , permission=(org.jboss.portal.core.model.portal.PortalObjectPermission portalobjectpermission personalizerecursive)
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
      2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.DelegatingPolicy] implies javax.security.auth.Subject.container: null
      


      Any help with what I am doing wrong/missing is greatly appreciated.

      pieter

        • 1. Re: problem configuring portal security
          peterj

          I think you should have:

          <action-name>personalizerecursive</action-name>

          Note the 'z' (not an 's')!

          • 2. Re: problem configuring portal security
            prijken

            Thanks for your reply.
            I changed the 's' into a 'z' but that does not make any difference. In the trace/log files I do not see traces about the security constraints.

            I looked at the PortalDS and noticed that in the table jbp_object_node_sec the action is ok, but the role-name is equal to '__unchecked__'. It seems that the action-name is updated correctly, but the role-name does not get stored in the database.

            Do I need to inject additional interceptors or start specific mbean services to configure portlet security?

            regards, pieter
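
Added example, not part of the original thread and not JBoss Portal code: a small Python parser for the kind of trace quoted in the first post. It reports which portal permission checks were granted through the JACC unchecked set while no subject was associated (`sc=null`), the pattern visible in the trace alongside the `__unchecked__` role value reported in the last post. The sample lines are constructed by shortening the quoted trace, and the function names are hypothetical.

```python
import re

# Constructed sample: lines shortened from the trace quoted in the thread.
SAMPLE_TRACE = """\
2006-09-01 13:57:34,465 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:uri=LogicaCMG.[01]Home::action=portalobject::type=portalobject
2006-09-01 13:57:34,465 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=null
2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.ContextPolicy] Allowed: Matched unchecked set, permission=(org.jboss.portal.core.model.portal.PortalObjectPermission portalobjectpermission create,personalizerecursive)
2006-09-01 13:57:34,474 TRACE [org.jboss.security.jacc.DelegatingPolicy] implied=true
2006-09-01 13:57:34,474 TRACE [org.jboss.portal.security.impl.jacc.JACCPortalAuthorizationManager] hasPermission:result=true
"""

LINE = re.compile(r"^\S+ \S+ +(?:TRACE|DEBUG) +\[([\w.]+)\] (.*)$")
URI = re.compile(r"hasPermission:uri=(.*?)::action=")
UNCHECKED = re.compile(r"Allowed: Matched unchecked set, permission=\(\S+ \S+ ([\w,]+)\)")

def summarize(trace):
    """Return one dict per completed hasPermission check found in the trace."""
    checks, cur = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines of the java.security.Permissions dump
        cls, msg = m.group(1).rsplit(".", 1)[-1], m.group(2)
        if cls == "JACCPortalAuthorizationManager":
            u = URI.search(msg)
            if u and cur is None:  # the trace repeats each line; open a check once
                cur = {"uri": u.group(1), "subject_null": False,
                       "unchecked_actions": [], "result": None}
            elif msg.startswith("hasPermission:result=") and cur:
                cur["result"] = msg.endswith("true")
                checks.append(cur)
                cur = None  # a repeated result line is ignored
        elif cur is None:
            continue
        elif cls == "SecurityAssociation" and msg.startswith("getSubject, sc=null"):
            cur["subject_null"] = True
        elif cls == "ContextPolicy":
            g = UNCHECKED.search(msg)
            if g:
                cur["unchecked_actions"] = g.group(1).split(",")
    return checks

def unchecked_grants(trace):
    """Checks granted with no subject through the unchecked permission set."""
    return [c for c in summarize(trace)
            if c["result"] and c["subject_null"] and c["unchecked_actions"]]

if __name__ == "__main__":
    for check in unchecked_grants(SAMPLE_TRACE):
        print(check["uri"], "granted via unchecked set:", check["unchecked_actions"])
```

An empty result from `unchecked_grants` on a trace taken after redeploying the descriptor means no check in that trace was satisfied by the unchecked set with a null subject.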