15 Replies Latest reply on Dec 15, 2006 11:36 AM by theute

    401 error on selecting dashboard....

    macjboss

      Hi,

      I am trying to secure access to the portal using NTLM and Active Directory. So far I have managed to create my own servlet based on JCIFS NtlmServlet and created my own LoginModule to authenticate the user against AD, and it all works fine; I can successfully log in to the portal.

      I have changed the BASIC auth to FORM auth in the web.xml in jboss-portal.sar\portal-core.war\WEB-INF, configured the login page to point to my servlet, that deals with the post to j_security_check after forcing a log in through NTLM. My custom LoginModule then gets called with the username from j_security_check, they are checked against AD and their roles populated, one of which is AUTHENTICATED, user logs in.

      The problem is, having been logged in, when I click on My Dashboard I get a 401 error:

      This request requires HTTP authentication ()

      It seems that going to this location, BASIC authentication is being applied. Having already successfully logged in to the portal, I'm not sure why this is happening?

      If anyone could point me in the right direction that would be great.

      Thanks,
      Paul

        • 1. Re: 401 error on selecting dashboard....
          macjboss

          Apologies; forgot to state that I am trying this in portal 2.6.0-DR1, however I have tried it in 2.4 and get the same thing when I try to hit the Admin page after logging in.

          Thanks

          • 2. Re: 401 error on selecting dashboard....
            macjboss

            OK,

            Not much feedback here :) However, I have made some progress. The default portal page that I log in to contains a number of custom pages and portlets that I have deployed. If I add a security constraint to any of these pages (in the object.xml of the page definition) where I do not have the stated security role, the page is no longer visible on login. However, in the 'pages' portlet on the default page I can still see a link to the secured page. If I click that link, I get the HTTP 401 error experienced when trying to open the Admin page. If I change the security setting to be a role I have in LDAP, I can see the pages again as tabs in the default page, all good.

            This 401 error seems to be returned when I do not have the required role to access the page/resource, a strange error to receive, I thought this error was thrown for BASIC authentication, which I didn't know was being used. I use FORM authentication on portal login.

            The problem is, I still can't access the Admin page. Now, I'd like to change the role for the Admin page in portal 2.4 to 'Authenticated' to test the security, but can't find an object.xml that defines that page? Without this, I don't know how to change the required role for the admin page.

            Does anyone know where the Admin page is configured and where the security constraint is for that page? Or, does anyone know the name of the required role (probably Admin?) so I can maybe create that group in LDAP so I can log in to the admin page.

            Any help would be appreciated.

            Thanks

            • 3. Re: 401 error on selecting dashboard....
              peterj

              The Admin page is defined in jboss-portal.sar/conf/data/default-object.xml.

              • 4. Re: 401 error on selecting dashboard....
                macjboss

                Hi,

                Thanks for the reply. That was stupid of me not to search for *-object.xml!

                Anyway, I have changed the security constraints there to match with a role I know works in the portal; so changed from Admin to WorkingRole, and I still don't seem to log in with the admin page available :


                <deployment>
                  <if-exists>keep</if-exists>
                  <parent-ref>default</parent-ref>
                  <page>
                    <page-name>Admin</page-name>
                    <window>
                      <window-name>NavigationPortletWindow</window-name>
                      <instance-ref>NavigationPortletInstance</instance-ref>
                      <region>navigation</region>
                      <height>0</height>
                      <!-- keep portal and page properties for this window -->
                      <properties>
                        <!-- use the window renderer from the emptyRenderer renderSet -->
                        <property>
                          <name>theme.windowRendererId</name>
                          <value>emptyRenderer</value>
                        </property>
                        <!-- use the decoration renderer from the emptyRenderer renderSet -->
                        <property>
                          <name>theme.decorationRendererId</name>
                          <value>emptyRenderer</value>
                        </property>
                        <!-- use the portlet renderer from the emptyRenderer renderSet -->
                        <property>
                          <name>theme.portletRendererId</name>
                          <value>emptyRenderer</value>
                        </property>
                      </properties>
                    </window>
                    <window>
                      <window-name>UserPortletWindow</window-name>
                      <instance-ref>UserPortletInstance</instance-ref>
                      <region>left</region>
                      <height>0</height>
                    </window>
                    <window>
                      <window-name>RolePortletWindow</window-name>
                      <instance-ref>RolePortletInstance</instance-ref>
                      <region>left</region>
                      <height>1</height>
                    </window>
                    <window>
                      <window-name>CatalogPortletWindow</window-name>
                      <instance-ref>CatalogPortletInstance</instance-ref>
                      <region>left</region>
                      <height>2</height>
                    </window>
                    <window>
                      <window-name>ManagementPortletWindow</window-name>
                      <instance-ref>ManagementPortletInstance</instance-ref>
                      <region>center</region>
                      <height>0</height>
                    </window>
                    <window>
                      <window-name>CMSAdminPortletWindow</window-name>
                      <instance-ref>CMSAdminPortletInstance</instance-ref>
                      <region>center</region>
                      <height>1</height>
                    </window>
                    <security-constraint>
                      <policy-permission>
                        <role-name>WorkingRole</role-name>
                        <action-name>viewrecursive</action-name>
                      </policy-permission>
                    </security-constraint>
                  </page>
                </deployment>
                


                Do you know if changing the values in that file and restarting the server would take effect, or anything else that is required?

                Thanks


                • 5. Re: 401 error on selecting dashboard....
                  theute

                  You need to specify:

                  <if-exists>overwrite</if-exists>
                  


                  instead of:
                  <if-exists>keep</if-exists>
                  



                  • 6. Re: 401 error on selecting dashboard....
                    macjboss

                    Thanks,

                    I can now see the Admin Page! However :) I don't have access to the portlets on the page!! I just get access denied on two of the portlets and


                    Sorry, you do not have access to this function.



                    on the Role Management portlet

                    If anyone has changed the role of the portlets before and knows how to do that it would be much appreciated. I will search around to see what I can find. I am seriously hoping that having logged in using JAAS that I don't have to do some other security step just to gain access to these portlets.

                    Step by Step,
                    Cheers,
                    Paul

                    • 7. Re: 401 error on selecting dashboard....
                      peterj

                      To be on the safe side, I would reinstall the portal from scratch. Sometimes changes made in the *-object.xml file just don't get reflected because the database already contains other settings.

                      • 8. Re: 401 error on selecting dashboard....
                        peterj

                        The Role Management portlet has the "Admin" role hard-coded. You would have to change this line in the file ./core/src/main/org/jboss/portal/core/portlet/role/RolePortlet.java:

                        private static final String ADMIN_ROLE = "Admin";

                        As far as I know, that is the only place where the "Admin" role is hard-coded.

                        • 9. Re: 401 error on selecting dashboard....
                          macjboss

                          Thanks for that,

                          I can't believe a role is hardcoded in there! :) I wonder how other people have dealt with this if they have used AD/LDAP to hold the roles for the portal? You can't be expected to create a role in the AD of an organisation called Admin!

                          All the best

                          • 10. Re: 401 error on selecting dashboard....
                            theute

                            You are mixing application roles and user roles.

                            You define roles for your users, let's say "Managers", and then you need to map those roles to the application roles (here "Admin").

                            See JAAS and the portlet spec to see how you can map your roles

                            (This is not the best design here though since you need to modify internal configuration files but you don't need to touch the java file)

                            • 11. Re: 401 error on selecting dashboard....
                              macjboss

                              Hey,

                              I was previously using the built in HSQL db, so to test out whether the db config was causing the security issues I swapped the portal datasource to MSSQL, when the portal rebuilt the db I can now access all portlets in the admin page, with the exception of the Role Portlet, which fits with Peter's comment that the portlet has a hard coded role in there and the existing db config meant the changed -object.xml's settings were being ignored. So, I am very close to having what I want! :)

                              Thomas, I'm not sure I follow your point? I don't want application roles and user roles. I want one set of roles (groups), configured in AD to place users in so they have access to portal resources. The way I am doing that is working fine; my custom AD module gets the roles the user belongs to on login and they are used to protect/grant access to the appropriate resources in the portal. The problem is the hard coded role in the role portlet?

                              If you could elaborate that would be great. I will however look in to JAAS and its use in portlets :)

                              Thanks,
                              Paul

                              • 12. Re: 401 error on selecting dashboard....
                                peterj

                                Julien or Roy, do you mind if I open a JIRA to make the administrator role for the Role Management portlet a read-only preference? It would default to "Admin" but could be easily changed by modifying the appropriate portal.xml file.

                                • 13. Re: 401 error on selecting dashboard....
                                  peterj

                                  Never mind regarding the JIRA, didn't see Thomas' reply before I sent my post.

                                  • 14. Re: 401 error on selecting dashboard....
                                    macjboss

                                    Had a think about this; are you talking about using security-role-ref's?

                                    So, use something like:

                                    <security-role-ref>
                                      <role-name>MyLDAPRoleToCheck</role-name>
                                      <role-link>Admin</role-link>
                                    </security-role-ref>
                                    


                                    If so, where would that go? In the web.xml in jboss-portal.sar\portal-server.war\WEB-INF? Against which servlet?

                                    Thanks,
                                    Paul
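
The role mapping discussed in replies 10 and 14, as an added example that is not part of the thread or of JBoss Portal's code: a simplified model of how a servlet/portlet container resolves `isUserInRole()` through `security-role-ref`, where `role-name` is the name the code checks and `role-link` is the role the login module actually supplies. It assumes the hard-coded "Admin" check goes through the standard `isUserInRole` call; `PortalAdmins` and the class name are hypothetical.

```java
import java.util.Map;
import java.util.Set;

/** Simplified model of security-role-ref resolution (added example, hypothetical names). */
public class RoleRefDemo {

    // Descriptor being modelled:
    //   <security-role-ref>
    //     <role-name>Admin</role-name>          <!-- name hard-coded in the portlet -->
    //     <role-link>PortalAdmins</role-link>   <!-- hypothetical AD group -->
    //   </security-role-ref>
    private final Map<String, String> roleRefs;  // role-name -> role-link
    private final Set<String> declaredRoles;     // <security-role> entries in web.xml

    RoleRefDemo(Map<String, String> roleRefs, Set<String> declaredRoles) {
        this.roleRefs = roleRefs;
        this.declaredRoles = declaredRoles;
    }

    /** Answers the check the way the spec describes: follow the role-ref if one
     *  matches the name used in code, otherwise fall back to the name itself. */
    boolean isUserInRole(String nameUsedInCode, Set<String> principalRoles) {
        String linked = roleRefs.get(nameUsedInCode);
        String effective = (linked != null) ? linked : nameUsedInCode;
        // The effective role must be declared and held by the authenticated user.
        return declaredRoles.contains(effective) && principalRoles.contains(effective);
    }

    public static void main(String[] args) {
        // Constructed sample data: roles declared for the application and
        // roles a custom LoginModule returned for the user from the directory.
        Set<String> declared = Set.of("PortalAdmins", "Authenticated");
        Set<String> userRoles = Set.of("PortalAdmins", "Authenticated");

        // role-name = "Admin" (code), role-link = "PortalAdmins" (directory group)
        RoleRefDemo codeNameToDirectoryRole =
                new RoleRefDemo(Map.of("Admin", "PortalAdmins"), declared);

        // Same two names with role-name and role-link swapped
        RoleRefDemo swapped =
                new RoleRefDemo(Map.of("PortalAdmins", "Admin"), declared);

        System.out.println("Admin -> PortalAdmins: "
                + codeNameToDirectoryRole.isUserInRole("Admin", userRoles));
        System.out.println("PortalAdmins -> Admin: "
                + swapped.isUserInRole("Admin", userRoles));
    }
}
```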
