26 Replies Latest reply on Apr 2, 2007 4:19 PM by peterj

    Security constraints for portlets

    mifa

      Hi All,

      I want to make it so that only certain users or roles can see and access portlets.
      For example, for role "roleA" only portlets "Portlet1" and "Portlet2" are visible, and for role "roleB" portlets "Portlet2" and "Portlet3".
      It is only possible to set four levels of security: view, viewrecursive, personalize and personalizerecursive.
      But in the portlet management I cannot assign a security condition such as "no view" or "no permission" to a portlet for a role.
      How can I solve this problem?

      Many thanks,
      Michael

        • 1. Re: Security constraints for portlets
          franco12

          I got the same problem

          ACL are working for 'pages' but not for 'windows'.

          I'm also unable to find the link to create a user.




          < I'm using JBoss Portal 2.4.0-GA (bundle with AS) on Windows >

          • 2. Re: Security constraints for portlets
            franco12

             

            I'm also unable to find the link to create a user.


            sorry !
            I found it :)

            François

            • 3. Re: Security constraints for portlets

              Yes ACL is not effective for windows. You should rather use ACL for instances.

              We made that choice to keep security configuration not redundant.

              • 4. Re: Security constraints for portlets
                mifa

                What is ACL?

                If I have understood correctly, all of this can be done only by editing *-objects.xml by hand.
                Is it possible to do it programmatically (for example, by writing an administrative portlet)?
                I.e., does JBoss Portal have an API with which I can manipulate *-objects.xml (assign security constraints for portlets) live?

                • 5. Re: Security constraints for portlets
                  peterj

                  Did you want all four portlets on the same page or on different pages?

                  For different pages, set it up as follows:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  -none-  -none-  view
                  Portlet2  -none-  -none-  view
                  Page2     -none-  view    -none-
                  Portlet3  -none-  -none-  view
                  Portlet4  -none-  -none-  view

                  Or you could do:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  view    -none-  -none-
                  Portlet2  view    -none-  -none-
                  Page2     -none-  view    -none-
                  Portlet3  -none-  view    -none-
                  Portlet4  -none-  view    -none-


                  If you want all four portlets on the same page:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  view    -none-  -none-
                  Portlet2  view    -none-  -none-
                  Portlet3  -none-  view    -none-
                  Portlet4  -none-  view    -none-


                  And as Julien mentioned, the security on the portlets is done at the instance level, not on the window level.

                  Finally, in jboss-portal.sar/conf/config.xml, change the value of the core.render.window_access_denied entry to 'hide':

                  <entry key="core.render.window_access_denied">hide</entry>


                  Without this final change, in the single page scenario the users will see errors for the portlets they are not allowed to view.

                  • 6. Re: Security constraints for portlets
                    peterj

                    Oops, saw a problem in the single page scenario -- I forgot to give view access to RoleB. Here are the corrected settings:

                    Object    RoleA   RoleB   Unchecked
                    Page1     view    view    -none-
                    Portlet1  view    -none-  -none-
                    Portlet2  view    -none-  -none-
                    Portlet3  -none-  view    -none-
                    Portlet4  -none-  view    -none-


                    Or you could do:

                    Object    RoleA   RoleB   Unchecked
                    Page1     -none-  -none-  view
                    Portlet1  view    -none-  -none-
                    Portlet2  view    -none-  -none-
                    Portlet3  -none-  view    -none-
                    Portlet4  -none-  view    -none-



                    • 7. Re: Security constraints for portlets
                      franco12

                      Thanks a lot Peter
                      I'm now using ACL on instances and it works great.

                      • 8. Re: Security constraints for portlets
                        mifa

                        I want all portlets on the same page.

                        I have changed jboss-portal.sar/conf/config.xml to "hide"
                        (hide)
                        I have created two roles and have assigned users to these roles.

                        Further, I created a page with two portlets and assigned a permission for each portlet.
                        (For Portlet1 - RoleA, Portlet2 - RoleB - as shown in the images below)
                        http://www.mifan.info/rolea.jpg
                        http://www.mifan.info/roleb.jpg

                        Then I logged in to the portal as one of the users of RoleA, but I saw both portlets at once instead of only the one that should be visible.

                        Why does it not work? What am I doing wrong?

                        • 9. Re: Security constraints for portlets
                          peterj

                          What is the security configuration for the two portlet instances? You never said that you set those.

                          • 10. Re: Security constraints for portlets
                            mifa

                             

                            What is the security configuration for the two portlet instances? You never said that you set those.


                            What do you mean? Do you mean the security configuration in *-objects.xml?
                            I would just like to assign permissions for an instance on the fly in the administrative portlet.

                            I have created two instances of "News Portlet" and have named them "Portlet1" and "Portlet2".
                            Further, I created a page with two portlets and assigned a permission for each portlet. (For Portlet1 - RoleA, Portlet2 - RoleB - as shown in the images below)



                            Object    RoleA   RoleB   Unchecked
                            Page1     view    view    -none-
                            Portlet1  view    -none-  -none-
                            Portlet2  -none-  view    -none-
                            


                            Look at the images:
                            http://www.mifan.info/rolea.jpg
                            http://www.mifan.info/roleb.jpg

                            Or I don't understand something?

                            • 11. Re: Security constraints for portlets
                              peterj

                              I did look at the screen shots, which show the security being set for the page. But you never set security for the portlet instances. To do this, in the Management Portlet, click on the Instances link at the top of the window. That will list all of the portlet instances. Scroll or page through the list until you come to the portlets that you want to restrict. Then click on the portlet instance name (not the portlet name!), and then click on the Security link on the right-hand side. This will show you roles but with only one access right for each role: view. Set those as indicated in your post.

                              • 12. Re: Security constraints for portlets
                                mifa

                                Did I not assign permissions for the portlet instances?
                                I thought that when I placed a portlet instance on the page directly, chose the instance with the mouse, pressed the "security" link and then assigned the permission, that was enough.

                                I have done as you wrote and assigned the security properties of each instance, but the portlets are still visible for all roles. Any ideas what is wrong?
                                For me the security property for the Unchecked role was automatically set as visible and I could not unmark it.
                                How is it possible to assign "-none-" for a role?
                                screenshots:
                                http://www.mifan.info/i1.jpg
                                http://www.mifan.info/i2.jpg

                                • 13. Re: Security constraints for portlets
                                  peterj

                                  You granted the 'unchecked' role the 'view' access. Remove that access (hold down the CTRL key while clicking 'view' to remove it).
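
An added example, not part of the thread and not JBoss Portal code: a simplified Python model of the page and instance ACLs discussed above, showing why a leftover 'view' grant for Unchecked makes every portlet visible to every role, plus an audit check that flags it. The evaluation rule, the function names and the sample data are assumptions made for illustration.

```python
# Simplified model (an assumption, not JBoss Portal's implementation): a user
# sees a portlet when the page grants 'view' to one of the user's roles or to
# Unchecked, and the portlet *instance* does the same. Window-level ACLs are
# not consulted, as stated in the thread. Denied portlets are simply omitted,
# which corresponds to core.render.window_access_denied = hide.
UNCHECKED = "Unchecked"

def allowed(acl, roles):
    """True if 'view' is granted to Unchecked or to any of the user's roles."""
    granted = {role for role, actions in acl.items() if "view" in actions}
    return UNCHECKED in granted or bool(granted & set(roles))

def visible_portlets(page_acl, instance_acls, roles):
    """Names of the instances rendered for a user holding `roles`."""
    if not allowed(page_acl, roles):
        return []
    return sorted(n for n, acl in instance_acls.items() if allowed(acl, roles))

def exposed_to_everyone(instance_acls):
    """Audit check: instances where Unchecked still holds 'view'."""
    return sorted(n for n, acl in instance_acls.items()
                  if "view" in acl.get(UNCHECKED, ()))

# Constructed sample data mirroring the tables in the thread.
PAGE = {"RoleA": {"view"}, "RoleB": {"view"}}
# Reply 12: role grants are set, but Unchecked still has 'view' on each instance.
MISCONFIGURED = {
    "Portlet1": {"RoleA": {"view"}, UNCHECKED: {"view"}},
    "Portlet2": {"RoleB": {"view"}, UNCHECKED: {"view"}},
}
# Reply 13: the Unchecked 'view' grant has been removed.
FIXED = {
    "Portlet1": {"RoleA": {"view"}},
    "Portlet2": {"RoleB": {"view"}},
}

if __name__ == "__main__":
    for label, acls in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(label, "- exposed to everyone:", exposed_to_everyone(acls))
        for role in ("RoleA", "RoleB"):
            print("  ", role, "sees", visible_portlets(PAGE, acls, [role]))
```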

                                  • 14. Re: Security constraints for portlets
                                    mifa

                                    It worked out! Thank you, Peter! :)
                                    One more question. When I log in as the user I can edit the properties of the portlet, but I granted the role "view" and not "personalize". In my case it is the properties of the "news portlet", where I set a new source-url.
                                    I would like the roles to be able to see, but not edit, the properties of the portlet.
