4 Replies Latest reply on Mar 18, 2008 9:31 AM by joe_the_quick

security-constraints not working at the page level (*-object

joe_the_quick Nov 12, 2007 5:57 PM

hi there,

If I add the Authenticated-role to a page (using Jboss Portal 2.6.2 GA), it seems to simply get ignored:

test-object.xml:
<?xml version="1.0" encoding="UTF-8"?>

<if-exists>overwrite</if-exists>
<parent-ref>default</parent-ref>

<page-name>HelloWorld</page-name>

<window-name>HelloWorldPortletWindow</window-name>
<instance-ref>HelloWorldPortletInstance</instance-ref>
center
0

<security-constraint>
<policy-permission>
<role-name>Authenticated</role-name>
<action-name>view</action-name>
</policy-permission>
</security-constraint>

The role is added to portlet.xml and can be verified using request.isUserInRole("Authenticated").
If I add the same role to the portlet-instances.xml, then it works immediately:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!DOCTYPE deployments PUBLIC
"-//JBoss Portal//DTD Portlet Instances 2.6//EN"
"http://www.jboss.org/portal/dtd/portlet-instances_2_6.dtd">

<if-exists>overwrite</if-exists>

<instance-id>HelloWorldPortletInstance</instance-id>
<portlet-ref>HelloWorldPortlet</portlet-ref>
<security-constraint>
<policy-permission>
<role-name>Authenticated</role-name>
<action-name>view</action-name>
</policy-permission>
</security-constraint>

Environment info:
Jboss 4.0.5 GA
Jboss Portal 2.6.2 GA
JDK 1.5

Could it be that the page-level security is no longer working with Jboss Portal 2.6.2 GA?

I read in an earlier post, that the unchecked access using "read recursive" has to be disabled from the default-portal, but I believe that the role security should be way stronger than any default configuration.

1. Re: security-constraints not working at the page level (*-ob

theute Nov 13, 2007 3:39 AM (in response to joe_the_quick)

What are you trying to achieve ?
Actions
2. Re: security-constraints not working at the page level (*-ob

joe_the_quick Nov 14, 2007 4:54 AM (in response to joe_the_quick)

Thank you for the quick reply.

I simply would like to protect a page to allow access only for authenticated users with the role "Authenticated".

The protection of pages should be possible according to the docs (
http://docs.jboss.com/jbportal/v2.6.2/referenceGuide/html_single/, 6.4. Descriptor Examples)

best regards,
johannes
Actions
3. Re: security-constraints not working at the page level (*-ob

theute Nov 14, 2007 5:10 AM (in response to joe_the_quick)

So you just need to set:
- view (not recursive) right on the portal for anybody
- viewrecursive for 'authenticated" on your page
Actions
4. Re: security-constraints not working at the page level (*-ob

joe_the_quick Mar 18, 2008 9:31 AM (in response to joe_the_quick)

"thomas.heute@jboss.com" wrote:
So you just need to set:
- view (not recursive) right on the portal for anybody
- viewrecursive for 'authenticated" on your page

Dear Thomas,

This works, but the usual configuration for our portal would be
*) allow all users read access to the pages, where no security-constraints are defined (=default configuration of Jboss Portal)

*) if page-level security-constraints are set, these should really secure the page

On the portlet-instance level, this works perfectly and as expected. However, why does this not work the same way for portlet pages?
I just tested this for Jboss Portal 2.6.4, and the behaviour has not changed.

Thank you very much for your response &
best regards,
Johannes
Actions

Go to original post

JBossDeveloper

security-constraints not working at the page level (*-object

**1. Re: security-constraints not working at the page level (*-ob**

**2. Re: security-constraints not working at the page level (*-ob**

**3. Re: security-constraints not working at the page level (*-ob**

**4. Re: security-constraints not working at the page level (*-ob**