5 Replies Latest reply on Jul 27, 2012 8:18 AM by kenfinni

    Please Help with Jaas

    guga.java

      Hi to all,

      I need to implement authentication and authorization in my portlets using JAAS. I am using JBoss Portlet Bridge 2.3.1, JSF 1.2, RichFaces 3.3.3, eXo Platform 3 (JBoss 5.1).

      I did a test using a normal web application and everything worked perfectly. However, I'm having problems implementing the same scenario with portlets; I read the portlet specification, examples and everything.

      I put this in my portlet.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd"
          version="2.0">

          <portlet>
              <portlet-name>RichFacesEchoPortlet</portlet-name>
              <portlet-class>javax.portlet.faces.GenericFacesPortlet</portlet-class>
              <init-param>
                  <name>javax.portlet.faces.defaultViewId.view</name>
                  <value>/pages/restrito/iprocess.xhtml</value>
              </init-param>
              <init-param>
                  <name>javax.portlet.faces.preserveActionParams</name>
                  <value>true</value>
              </init-param>
              <expiration-cache>-0</expiration-cache>
              <supports>
                  <mime-type>text/html</mime-type>
                  <portlet-mode>VIEW</portlet-mode>
              </supports>
              <portlet-info>
                  <title>RichFaces Echo Portlet</title>
              </portlet-info>
          </portlet>

          <security-constraint id="minhaConstraint">
              <display-name>Portlets Restritos</display-name>
              <portlet-collection>
                  <portlet-name>RichFacesEchoPortlet</portlet-name>
              </portlet-collection>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

      ...


      And I put this in my web.xml:

          <security-constraint id="SecurityConstraint_1">
              <web-resource-collection id="WebResourceCollection_1">
                  <web-resource-name>Protected Area</web-resource-name>
                  <url-pattern>/RichFacesEchoPortlet/*</url-pattern>
              </web-resource-collection>
              <auth-constraint id="AuthConstraint_1">
                  <role-name>adm</role-name>
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                  <form-login-page>/pages/login.xhtml</form-login-page>
                  <form-error-page>/pages/login.xhtml</form-error-page>
              </form-login-config>
          </login-config>

          <security-role>
              <role-name>adm</role-name>
          </security-role>


      But the portlet RichFacesEchoPortlet is being called without asking for login.

      Can anyone give me any tips?

        • 1. Re: Please Help with Jaas
          bdaw

          You cannot use JAAS like this. The web application you are accessing is the portal itself; it then renders the portlet. In your portlet application you can consume the identity of the user logged into the portal.

          You have 3 choices:

          1) The portlet spec lets you map a role from JAAS that can be checked with isUserInRole(); then you implement the restriction yourself.

          2) In GateIn you can use the Organization API to check user groups and restrict access to certain operations on the portlet level yourself.

          3) In GateIn you can use app-level permissions (Application Registry) or page-level restrictions to secure access to your content; therefore, to access the page where your portlet is, the user will be required to log in to the portal. Try going into one of the portal administration pages while logged in as root/gtn. Then log out and access the same URL - this will be such behaviour.
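          As an added example (not code from this thread or from the bridge project), here is choice 1 above: a subclass of the bridge's GenericFacesPortlet that enforces the portal-mapped role itself in both the render and action phases. The package, class name, and the role-link value are assumptions.

```java
package example.portlet;
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.portlet.faces.GenericFacesPortlet;

// Assumed portlet.xml mapping inside this portlet's <portlet> element:
//   <security-role-ref>
//       <role-name>adm</role-name>              <!-- name used in code -->
//       <role-link>administrators</role-link>   <!-- portal-side role, assumed -->
//   </security-role-ref>
public class RestrictedFacesPortlet extends GenericFacesPortlet {

    /** Role name as declared in the <security-role-ref> above (assumed). */
    private static final String REQUIRED_ROLE = "adm";

    /** True only for a user logged into the portal who maps to the required role. */
    private static boolean isAuthorized(PortletRequest request) {
        // getRemoteUser() is null for an anonymous portal visitor; isUserInRole()
        // resolves the portlet role through the portal's role mapping.
        return request.getRemoteUser() != null && request.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    public void render(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        if (!isAuthorized(request)) {
            // Deny at render time: the JSF view is never dispatched, so the
            // restricted content is not produced for this user.
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.write("<p>Please log into the portal with an authorized account.</p>");
            return;
        }
        super.render(request, response);   // bridge renders the configured JSF view
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        // Actions must be checked too; a denied render phase alone does not stop them.
        if (!isAuthorized(request)) {
            return;
        }
        super.processAction(request, response);
    }
}
```

          The check relies on the portal having already authenticated the user, which is exactly the point of the reply above: the portlet only consumes the portal's identity.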

          • 2. Re: Please Help with Jaas
            guga.java

            Hi,

            Thanks for your comment!

            The user will not and cannot interact with the functionalities of the portal. He will need to log in to access only a limited functionality of a specific portlet.

            The user can't use the portal's login; I need to use the custom login with JAAS.

            Sorry if I was unable to explain the problem right.

            • 3. Re: Please Help with Jaas
              kenfinni

              What Boleslaw is saying is that the JAAS integration must occur at the portal level, and then the portlet uses that security information to restrict access.

              So the custom JAAS login occurs on the entire portal. It's not possible with the portlet spec to secure a single portlet separately from the entire portal.

              • 4. Re: Please Help with Jaas
                guga.java

                Ok, I understand. Thanks for your reply!

                When the user logs into the portal, even with a group without any privileges, the portal admin menu appears to the user.
                I need a login where the admin menu does not appear to the user, because the user needs to be logged in but will not interact with portal resources.

                • 5. Re: Please Help with Jaas
                  kenfinni

                  It sounds like the permissions may be a bit messed up, as a non-Admin user should not be seeing the Admin menu when they log in.

                  You would be best to open a new thread for any security-related questions on GateIn in the User Forums.