6 Replies Latest reply on Aug 9, 2007 4:32 PM by peterj

    Securing Portal Page - please help!

    nitesh

      Hi,

      I'm trying to secure a portal page so that it requires login with the role "Authenticated" that JBoss Portal 2.6.1 comes with. I've followed the instructions in the JBoss Portal Reference Manual: http://docs.jboss.com/jbportal/v2.6/referenceGuide/html/security.html

      However, I'm unable to secure access to the portal page. This is what I have done so far:

      In my portal-object.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <deployments>
         <deployment>
            <if-exists>overwrite</if-exists>
            <parent-ref>default</parent-ref>
            <properties/>

            <page>
               <page-name>My Portal</page-name>
               <window>
                  <window-name>MyPortletPageWindow</window-name>
                  <instance-ref>MyPortletInstance</instance-ref>
                  <region>center</region>
                  <height>0</height>
               </window>

               <security-constraint>
                  <policy-permission>
                     <role-name>Authenticated</role-name>
                     <action-name>view</action-name>
                  </policy-permission>
               </security-constraint>
            </page>
         </deployment>
      </deployments>
      


      Can someone please point out what I'm missing or if there is an extra step involved?

      Thanks,

      Nitesh

        • 1. Re: Securing Portal Page - please help!
          peterj

          Looks like you added this page to the portal named 'default'. That portal has its access permission set to 'view recursive' for the 'Unknown' role. This means that anyone will be able to access all pages in the portal.

          Change the access permissions on the portal, removing all access from 'Unknown', and setting 'view' and 'personalize' on the role 'User'. You might also have to set the access right for the existing pages.

          • 2. Re: Securing Portal Page - please help!
            peterj
            • 3. Re: Securing Portal Page - please help!
              nitesh

              Thanks for your reply, Peter. How do I change the attributes of the 'default' portal?

              • 4. Re: Securing Portal Page - please help!
                peterj

                Hmm, if I had this question, I would probably say to myself "Self, maybe this is documented somewhere." And behold, I would be right! The creators of the Portal anticipated this question and have a whole section in one of the documents on security and how to manage access control on portals and pages.

                • 5. Re: Securing Portal Page - please help!
                  nitesh

                  If you read my original posting, you'll see that I've already quoted the JBoss Portal Security documentation link. The problem is not that I cannot create a portal page or I cannot assign security constraints. The problem is that the assigned security constraints do not work as expected. I want to force a login before my portal page can be accessed.

                  You've made reference to changing the access permission of the 'default' portal, which is the parent portal of my page. However, nowhere is it documented how the 'default' portal is configured. Is it configured in [JBoss_Home]\server\default\deploy\jboss-portal.sar\portal-server.war\WEB-INF? In that file, there is a reference to the PortalServletWithPathMapping servlet. Do the security constraints of this servlet need to be changed?

                  • 6. Re: Securing Portal Page - please help!
                    peterj

                    I would bring up the portal, log in as admin, click on the admin link to get to the admin portal, 'home' page, and play with the security settings on the 'default' portal and its pages until I get the proper behavior. Once I had the proper settings figured out, I might consider editing the jboss-portal.sar/conf/data/default-object.xml file to apply the security settings. Of course, changing the settings in that file might not work unless you are starting off with a clean installation, even with setting 'if-exists' to 'overwrite'. (I am not very trusting of 'overwrite'; some changes seem to go through ok, others just don't make it.) But if you are attempting to put together a custom portal to deploy, that file is the perfect place to make such changes.

                    As an example of limiting access to a page, I changed the access control for the 'default' portal as follows:

                    default portal: Unchecked has view and personalize access
                    pages:
                    * default - Unchecked has viewrecursive access
                    * news - Admins and Users have view access
                    * weather - Unchecked has viewrecursive access

                    When no one is logged in, only the 'default' and 'weather' pages are accessible (only those two tabs show up). If I log in as admin or user, all three pages (tabs) are visible. Thus, I have set up the news page to require login before it can be accessed.

                    Note that a page's tab does not show up unless the user has access. As far as I know, there is no way to have the tab show up and when the user clicks on it, to display the login prompt.

                    The one thing that surprised me was that I had to give Administrators view access to the news page. I recall in 2.4 that this was not necessary (though my memory could be off, it has been months since I have done an exhaustive analysis of how security works in 2.4). I seem to recall that in 2.4 the "users" role was a special role encompassing anyone who was logged in; now it appears to be a normal role like any other.

                    Hope this helps.
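
The inheritance effect discussed in this thread, as an added example that is not part of the original posts or of JBoss Portal: a small audit that walks a portal object tree and lists the pages an unauthenticated visitor can view. The `<unchecked/>` marker for the anonymous grant, the role names `Admin` and `User`, the helper names, and the rule that `viewrecursive` on a parent reaches every child page are assumptions taken from the replies above; both object trees are constructed samples.

```python
import xml.etree.ElementTree as ET

ANON = "Unchecked"  # assumption: name used here for the anonymous (not logged in) grant

def grants(node):
    """(role, action) pairs declared directly on one <portal> or <page>."""
    out = set()
    for pp in node.findall("security-constraint/policy-permission"):
        roles = [r.text.strip() for r in pp.findall("role-name")]
        if pp.find("unchecked") is not None:  # assumed anonymous marker
            roles.append(ANON)
        for action in pp.findall("action-name"):
            out |= {(role, action.text.strip()) for role in roles}
    return out

def anonymous_pages(node, inherited=False):
    """Pages an unauthenticated visitor can view, walking the object tree."""
    own = grants(node)
    # A recursive grant on this object, or on any ancestor, covers all children.
    recursive = inherited or (ANON, "viewrecursive") in own
    visible = []
    if node.tag == "page" and (recursive or (ANON, "view") in own):
        visible.append(node.findtext("page-name").strip())
    for child in node.findall("page"):
        visible += anonymous_pages(child, recursive)
    return visible

def perm(who, *actions):
    """Build one <policy-permission> string (sample-data helper)."""
    role = "<unchecked/>" if who == ANON else f"<role-name>{who}</role-name>"
    acts = "".join(f"<action-name>{a}</action-name>" for a in actions)
    return f"<policy-permission>{role}{acts}</policy-permission>"

def obj(tag, name, perms, children=()):
    """Build a <portal> or <page> element with one <security-constraint>."""
    el = ET.fromstring(f"<{tag}><{tag}-name>{name}</{tag}-name><security-constraint>"
                       f"{''.join(perms)}</security-constraint></{tag}>")
    el.extend(children)
    return el

# Constructed sample 1: the question's page under a parent open to everyone.
OPEN_PARENT = obj("portal", "default", [perm(ANON, "viewrecursive")],
                  [obj("page", "My Portal", [perm("Authenticated", "view")])])
# Constructed sample 2: the access layout listed in reply 6.
REPLY_6 = obj("portal", "default", [perm(ANON, "view", "personalize")], [
    obj("page", "default", [perm(ANON, "viewrecursive")]),
    obj("page", "news", [perm("Admin", "view"), perm("User", "view")]),
    obj("page", "weather", [perm(ANON, "viewrecursive")])])

if __name__ == "__main__":
    print(anonymous_pages(OPEN_PARENT), anonymous_pages(REPLY_6))
```

In the first sample the page's own `Authenticated` constraint changes nothing, because the parent's recursive anonymous grant already covers it; in the second, only `news` is withheld from visitors who are not logged in.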