1. Re: Declarative Security and Portlets
julien1 Feb 22, 2007 6:38 PM (in response to karink)
Hi,
First, portlets are not bound to URLs, so they cannot be secured via web.xml. The only thing done in relation to the servlet world is that the user is authenticated against the portal servlet, and when he accesses a portlet (in the local case) the request user principal and the roles are propagated to the portlet, so you can apply programmatic security in your portlet. The spec does not define anything else than that.
In JBoss Portal portlets are secured via the concept of portlet instance. The main reason is that it gives more flexibility than securing a portlet, since securing a portlet is done at deployment time and an instance has a life cycle which is more dynamic.
In the WSRP world, how security is done is unclear. I think that the ideal scenario is to have security propagation between the consumer and the producer using either a WS spec or the HTTP transport authentication (we have a JIRA task for that but not scoped at 2.6)
In future releases we'll add security per consumer registration, so you will be able to expose a set of portlets to a particular consumer. Due to the non-triviality of this task we will probably make it for 3.0. Actually, we will need to visit the different use cases for security in the producer part.
Besides that, JBoss Portal has a flexible architecture, so it is possible to add a portlet container interceptor to apply security before a portlet is reached.
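The programmatic check described in reply 1, as an added example that is not part of the original thread or of JBoss Portal's code: a JSR-168 portlet tests the propagated principal and role in both the render and the action phase. The class name `ReportPortlet` and the role name `ReportViewer` are hypothetical.

```java
import java.io.IOException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class ReportPortlet extends GenericPortlet {

    // Hypothetical role name; assumed to be declared for the portlet
    // application (for example via security-role-ref in portlet.xml).
    private static final String REQUIRED_ROLE = "ReportViewer";

    // The portal propagates the authenticated principal and its roles to a
    // local portlet; an anonymous request has no principal at all.
    private static boolean isAuthorized(PortletRequest request) {
        return request.getUserPrincipal() != null
                && request.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        if (!isAuthorized(request)) {
            // Render a static denial; no request data is echoed back.
            response.getWriter().write("<p>Access denied.</p>");
            return;
        }
        response.getWriter().write("<p>Protected report content.</p>");
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // Re-check here: an action request can arrive without a prior render,
        // so a check in doView alone does not protect state changes.
        if (!isAuthorized(request)) {
            throw new PortletSecurityException("Role " + REQUIRED_ROLE + " required");
        }
        // ... perform the state-changing operation ...
    }
}
```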
2. Re: Declarative Security and Portlets
karink Feb 26, 2007 7:26 AM (in response to karink)
Hi Julien,
Just to summarize your answer and to verify if I understood you correctly:
1) There is no role-based declarative security for portlets defined by portlet spec.
2) For local portlets in JBoss Portal it is solved by securing portlet instances.
3) For WSRP, JBoss Portal has no solution currently. Neither propagation of a User id, nor role based access control is solved. If we need something there, we should implement it ourselves.
Regards
Karin
3. Re: Declarative Security and Portlets
mageshbk Feb 27, 2007 5:19 AM (in response to karink)
Please find my answers inline:
>>>1) There is no role-based declarative security for portlets defined by portlet spec.
Yes
>>>2) For local portlets in JBoss Portal it is solved by securing portlet instances.
Yes
>>>3) For WSRP, JBoss Portal has no solution currently. Neither propagation of a User id, nor role based access control is solved. If we need something there, we should implement it ourselves.
Yes
4. Re: Declarative Security and Portlets
tellarsrinivasprabhu Aug 31, 2007 6:32 AM (in response to karink)
Hi mageshbk,
Can you restate the above 3 points with respect to JBoss Portal 2.6.1?
Have things changed? Especially role-based declarative security for portlets?
Thanks
5. Re: Declarative Security and Portlets
theute Aug 31, 2007 9:17 AM (in response to karink)
The question was about declarative security *from the spec*; the spec hasn't changed.
Declarative security for portlet instances and portal objects has existed since the beginning in JBoss Portal.