3 Replies Latest reply on Sep 9, 2011 11:19 AM by infoni

    How to link Gatein security roles to portlet roles

    infoni

      Hi,

       

      Could anyone explain how to link GateIn security roles to portlet roles? I use GateIn 3.2 with Tomcat 6 & 7, on Windows.

       

      My portlet application uses the following roles: [administrator, manager, poweruser, standard]. In accordance with the portlet specification, in portlet.xml I linked these roles with the default GateIn roles [manager, validator, member]:

       

          <security-role-ref>  <role-name>administrator</role-name> <role-link>manager</role-link> </security-role-ref>

          <security-role-ref>  <role-name>manager</role-name> <role-link>validator</role-link> </security-role-ref>

          <security-role-ref>  <role-name>poweruser</role-name> <role-link>member</role-link> </security-role-ref>       

          <security-role-ref>  <role-name>standard</role-name> <role-link>member</role-link> </security-role-ref>  

       

      In the GateIn Portlet Administration page, I set the [manager, validator, member] roles for root group "/platform/administrators" on my portlet.

       

      In portlet JSP pages, when connected as root:

          renderRequest.isUserInRole("administrator") returns false
          renderRequest.isUserInRole("manager") returns false

       

      These steps work with Jahia and Liferay (with liferay-portlet.xml). Did I miss something for GateIn? Maybe a specific configuration file or something to add in web.xml? Any help will be much appreciated!

       

      thanks

        • 1. Re: How to link Gatein security roles to portlet roles
          infoni

          So nobody knows how we can link GateIn security roles to portlet roles? I wouldn't like to open a new JIRA issue if I just stupidly missed a specific configuration file :/

          I'll ask one last time before JIRA.

           

          In simpler steps:

          0/ Declare a role in web.xml: <security-role> <description>Managers description</description> <role-name>manager</role-name> </security-role>

          1/ Declare a role in portlet.xml: <security-role-ref> <role-name>manager</role-name> <role-link>manager</role-link> </security-role-ref>

          2/ In the GateIn Portlet Administration UI: set the [manager] role on your portlet for root group "/platform/administrators"

          3/ In any portlet JSP page, logged in as root: renderRequest.isUserInRole("manager") returns false whereas it should return true

          • 2. Re: How to link Gatein security roles to portlet roles
            mposolda

            Hi,

             

            It seems there is a little confusion. "member", "manager" and "validator" are membership types, while "/platform/administrators" and "/platform/users" are groups. A group, a membership type and a user together create a membership. So a membership means "user john is manager of group /platform/administrators".

             

            Portlet roles and web J2EE roles are taken from groups, not from membership types. There is a special component called RolesExtractor, which is used for this mapping. In your case, users from "/platform/administrators" are mapped to the role "administrators", not to the role "manager".

             

            More info about RolesExtractor and GateIn identity is at http://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ (especially Q3). Other useful information is in the GateIn reference guide.

             

            Hope this helps,

            Marek

            • 3. Re: How to link Gatein security roles to portlet roles
              infoni

              Marek,

               

              thank you very much for your answer.

              I replaced in portlet.xml my previous code with:

               

                  <security-role-ref>  <role-name>administrator</role-name> <role-link>administrators</role-link> </security-role-ref>

                  <security-role-ref>  <role-name>standard</role-name> <role-link>users</role-link> </security-role-ref>

               

              and indeed it works; the administrator and standard roles are now recognized in my portlet application! I also created a new /platform/powerusers group, and then portlet power users are recognized too. I believed portlet roles were mapped with memberships, not with groups.

               

              thanks a lot
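
The mapping discussed in this thread, as an added example that is not part of the original posts or of GateIn's own code: it models why the first `portlet.xml` returned false and the corrected one returns true, and flags `role-link` values that no group can satisfy. Assumptions: a role is the last path segment of the group id (as in Marek's "/platform/administrators" example; the real RolesExtractor and its configuration may differ), the memberships for root are constructed, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed memberships for user "root": (membership type, group id).
ROOT_MEMBERSHIPS = [("manager", "/platform/administrators"),
                    ("member", "/platform/users")]

# Two of the security-role-ref entries from the first post (membership types as role-link).
BEFORE = """<portlet>
  <security-role-ref><role-name>administrator</role-name><role-link>manager</role-link></security-role-ref>
  <security-role-ref><role-name>standard</role-name><role-link>member</role-link></security-role-ref>
</portlet>"""

# The entries from the last post (group names as role-link).
AFTER = """<portlet>
  <security-role-ref><role-name>administrator</role-name><role-link>administrators</role-link></security-role-ref>
  <security-role-ref><role-name>standard</role-name><role-link>users</role-link></security-role-ref>
</portlet>"""

def local(tag):
    """Strip an XML namespace so namespaced portlet.xml files are handled too."""
    return tag.rsplit("}", 1)[-1]

def container_roles(memberships):
    """Assumed rule: role = last segment of the group id; membership type is ignored."""
    return {group.rstrip("/").rsplit("/", 1)[-1] for _mtype, group in memberships}

def role_links(portlet_xml):
    """Return {role-name: role-link} for every security-role-ref in the XML."""
    links = {}
    for el in ET.fromstring(portlet_xml).iter():
        if local(el.tag) == "security-role-ref":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            links[fields["role-name"]] = fields.get("role-link") or fields["role-name"]
    return links

def is_user_in_role(role, portlet_xml, memberships):
    """Model of isUserInRole: resolve the role-link, then test the derived roles."""
    link = role_links(portlet_xml).get(role)
    return link is not None and link in container_roles(memberships)

def dangling_links(portlet_xml, known_groups):
    """Portlet role-names whose role-link matches no role derivable from the groups."""
    known = container_roles(("", g) for g in known_groups)
    return sorted(n for n, l in role_links(portlet_xml).items() if l not in known)
```

Running `dangling_links` over a deployment's `portlet.xml` files with the portal's group list shows which role checks can never succeed before anyone has to debug them in a JSP.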