0 Replies Latest reply on Nov 28, 2005 5:30 AM by Francesco Tumanischvili

    Portlet selective security

    Francesco Tumanischvili Newbie

      Hi,

      I am struggling to get security applied to my jboss-deployed portlets; as far as I understand what needs to be done according to jboss portal spec and forums is summarized below. I hope the summary could help others with their similar issues

      -------------------------------------------------

      Jboss specific security handling:

      1) edit jboss-portlet.xml adding a security tag like:

      <security>
       <model>
       <permission-description>
       <permission-name>write</permission-name>
       <description>Writing permission</description>
       <implies>read</implies>
       </permission-description>
       <permission-description>
       <permission-name>read</permission-name>
       <description>Reading permission</description>
       </permission-description>
       </model>
       <scheme>
       <domain></domain>
       <item>
       <path>/</path>
       <permission>
       <permission-name>read</permission-name>
       <role-name>Authenticated</role-name>
       </permission>
       <permission>
       <permission-name>write</permission-name>
       <role-name>Authenticated</role-name>
       </permission>
       </item>
       </scheme>
      </security>


      2) check security in the portlet by using jboss-specific

      JBossRenderRequest.hasPermission("write")

      or

      JBossActionRequest.hasPermission("write")

      in any of processAction, render, etc, casting RenderRequest/ActionRequest or using a jboss implementation of the Portlet interface.
      ------------------------------
      I have tried that but for some reason JBossActionRequest.hasPermission("write") ALWAYS returns true (actually providing whatever string as argument I get true as well: JBossActionRequest.hasPermission("notExistiongRole")).

      Any idea of what I am doing wrong?

      I have seen a couple of topics with similar problems but with no reply.

      Browsing the forum I have noticed that some people suggest that the tag
      <content-provide-class> child of <model>
      is mandatory. Is that true? what is the meaning of the tag?

      To have it working is it mandatory to extend JBossPortlet and use its renderMethod(JBossActionRequest,JBossActionResponse) or is it possible to normally extend GenericPortlet and cast the request?

      Is any further step needed?

      ------------------------------
      ------------------------------

      JSR168 compliant security handling:

      Another chance, I believe, would be to use not jboss specific code inside the portlet using

      isUserInRole(String)


      reading forums and spec it seems like that you must add

      <security-role-ref>
       <role-name>Authenticated</role-name>
      </security-role-ref>


      to your portlet.xml

      and define
      <security-role>
      entries in the application web.xml

      in topic http://www.jboss.com/index.html?module=bb&op=viewtopic&t=61109 though it seems that version 4.01 had a bug in isUserInRole() fixed in 4.02beta
      ------------------------------
      I am using 4.02 but I cannot get isUserInRole to work. any idea?

      is this approach used and suggested by jboss portal team?

      ------------------------------
      ------------------------------

      A related topic and newbie question regards having security handled either by the portal or anyway by deployment descriptors or whatever, not be forced to have security code inside the portlet.

      I have succeded implementing security for all my portal (jboss default portal) by editing

      portal-server.war/WEB-INF/web.xml changing

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Authenticated</web-resource-name>
       <description></description>
       <url-pattern>/auth/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Authenticated</role-name>
       </auth-constraint>
       </security-constraint>


      into

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Authenticated</web-resource-name>
       <description></description>
       <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
       <role-name>Authenticated</role-name>
       </auth-constraint>
       </security-constraint>


      which allows me to protect access to ALL resources mapped to /portal/* urls.

      One thing I still don't understand is how to selectively provide security to portlets inside a portal in this way.

      Let's say I specify a
      <url-pattern>/auth/*</url-pattern>
      (the default) in web.xml of portal-server;

      in this case all resources under auth/ will be authenticated. But reading spec, docs and forums, it seems like that the only way to map an url to a porlet is by using

      .../portal/index.html?...etc..

      This obviously makes impossible to have portlets selectively authenticated through the standard security mechanism.

      a) Is there a way to achieve selective portlet authentication through jboss portal security?

      b) Is there instead any other way to achieve portlet authentication through some mechanism that allows security definition at deploy time, thus avoiding wirting ANY java code inside the portlet.

      This would be helpful to mantain portlets non specific to a deployment environment, I believe, but I am sorry if the question is wrong because I am yet confused about this.


      Thanks

      Francesco