26 Replies Latest reply on Apr 2, 2007 4:19 PM by Peter Johnson

    Security constraints for portlets

    Michael DNS Newbie

      Hi All,

      I wish to make it so that only certain users or roles can see and have access to portlets.
      For example, for a role "roleA" only portlets "Portlet1" and "Portlet2" are visible, and for a role "roleB" portlets "Portlet2" and "Portlet3".
      It is possible to set only four levels of security there: view, viewrecursive, personalize and personalizerecursive.
      But in portlet management I cannot assign a security condition of portlets for a role as "no view" or "no permission".
      How is it possible to solve this problem?

      Many thanks,
      Michael

        • 1. Re: Security constraints for portlets
          françois LEFEVRE Newbie

          I got the same problem

          ACLs are working for 'pages' but not for 'windows'.

          I'm also unable to find the link to create a user.




          < I'm using JBoss Portal 2.4.0-GA (bundle with AS) on Windows >

          • 2. Re: Security constraints for portlets
            françois LEFEVRE Newbie

             

            I'm also unable to find the link to create a user.


            sorry !
            I found it :)

            François

            • 3. Re: Security constraints for portlets
              Viet Master

              Yes, ACL is not effective for windows. You should rather use ACL for instances.

              We made that choice to keep security configuration not redundant.

              • 4. Re: Security constraints for portlets
                Michael DNS Newbie

                What is ACL?

                If I have understood correctly, all of this can be done only by editing *-objects.xml by hand.
                Is it possible to solve it programmatically (for example, by writing an administrative portlet)?
                I.e., is there in JBoss Portal the necessary API by means of which I can operate on *-objects.xml (assign security constraints for portlets) live?

                • 5. Re: Security constraints for portlets
                  Peter Johnson Master

                  Did you want all four portlets on the same page or on different pages?

                  For different pages, set it up as follows:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  -none-  -none-  view
                  Portlet2  -none-  -none-  view
                  Page2     -none-  view    -none-
                  Portlet3  -none-  -none-  view
                  Portlet4  -none-  -none-  view

                  Or you could do:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  view    -none-  -none-
                  Portlet2  view    -none-  -none-
                  Page2     -none-  view    -none-
                  Portlet3  -none-  view    -none-
                  Portlet4  -none-  view    -none-


                  If you want all four portlets on the same page:

                  Object    RoleA   RoleB   Unchecked
                  Page1     view    -none-  -none-
                  Portlet1  view    -none-  -none-
                  Portlet2  view    -none-  -none-
                  Portlet3  -none-  view    -none-
                  Portlet4  -none-  view    -none-


                  And as Julien mentioned, the security on the portlets is done at the instance level, not on the window level.

                  Finally, in jboss-portal.sar/conf/config.xml, change the value of the core.render.window_access_denied entry to 'hide':

                  <entry key="core.render.window_access_denied">hide</entry>


                  Without this final change, in the single page scenario the users will see errors for the portlets they are not allowed to view.

                  • 6. Re: Security constraints for portlets
                    Peter Johnson Master

                    Oops, saw a problem in the single page scenario -- I forgot to give view access to RoleB. Here are the corrected settings:

                    Object    RoleA   RoleB   Unchecked
                    Page1     view    view    -none-
                    Portlet1  view    -none-  -none-
                    Portlet2  view    -none-  -none-
                    Portlet3  -none-  view    -none-
                    Portlet4  -none-  view    -none-


                    Or you could do:

                    Object    RoleA   RoleB   Unchecked
                    Page1     -none-  -none-  view
                    Portlet1  view    -none-  -none-
                    Portlet2  view    -none-  -none-
                    Portlet3  -none-  view    -none-
                    Portlet4  -none-  view    -none-



                    • 7. Re: Security constraints for portlets
                      françois LEFEVRE Newbie

                      Thanks a lot Peter
                      I'm now using ACL on instances and it works great.

                      • 8. Re: Security constraints for portlets
                        Michael DNS Newbie

                        I want all portlets on the same page.

                        I have changed jboss-portal.sar/conf/config.xml to "hide"
                        (hide)
                        I have created two roles and have assigned users to these roles.

                        Then I created a page with two portlets and assigned permission for each portlet.
                        (For Portlet1 - RoleA, Portlet2 - RoleB - as shown in images below)
                        http://www.mifan.info/rolea.jpg
                        http://www.mifan.info/roleb.jpg

                        Then I logged in to the portal as one of the users of RoleA. But I saw both portlets at once, instead of only the one that should be visible.

                        Why does it not work, what am I doing wrong?

                        • 9. Re: Security constraints for portlets
                          Peter Johnson Master

                          What is the security configuration for the two portlet instances? You never said that you set those.

                          • 10. Re: Security constraints for portlets
                            Michael DNS Newbie

                             

                            What is the security configuration for the two portlet instances? You never said that you set those.


                            What do you mean? Do you mean the security configuration in *-objects.xml?
                            I would just like to assign permission for an instance on the fly in the administrative portlet.

                            I have created two instances of "News Portlet" and have named them "Portlet1" and "Portlet2".
                            Then I created a page with two portlets and assigned permission for each portlet. (For Portlet1 - RoleA, Portlet2 - RoleB - as shown in images below)



                            Object    RoleA   RoleB   Unchecked
                            Page1     view    view    -none-
                            Portlet1  view    -none-  -none-
                            Portlet2  -none-  view    -none-
                            


                            Look at the images:
                            http://www.mifan.info/rolea.jpg
                            http://www.mifan.info/roleb.jpg

                            Or do I not understand something?

                            • 11. Re: Security constraints for portlets
                              Peter Johnson Master

                              I did look at the screen shots, which show the security being set for the page. But you never set security for the portlet instances. To do this, in the Management Portlet, click on the Instances link at the top of the window. That will list all of the portlet instances. Scroll or page through the list until you come to the portlets that you want to restrict. Then click on the portlet instance name (not the portlet name!), and then click on the Security link on the right-hand side. This will show you roles but with only one access right for each role: view. Set those as indicated in your post.

                              • 12. Re: Security constraints for portlets
                                Michael DNS Newbie

                                Did I not assign permission for the instances of the portlet?
                                I thought that when I place an instance of a portlet on a page directly, chose the instance with the mouse, pressed the "security" link and then
                                assigned permission, that was enough.

                                I have done as you wrote and have assigned security properties for each instance, but portlets are still visible for all roles. Any ideas what is wrong?
                                For me the security property for the Unchecked role was automatically set to visible and I could not unmark it.
                                How is it possible to assign "-none-" for a role?
                                screenshots:
                                http://www.mifan.info/i1.jpg
                                http://www.mifan.info/i2.jpg

                                • 13. Re: Security constraints for portlets
                                  Peter Johnson Master

                                  You granted the 'unchecked' role the 'view' access. Remove that access (hold down the CTRL key while clicking 'view' to remove it).
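
The access decision this thread arrives at (page ACL first, then instance ACL, with the Unchecked role matching every user) can be modelled as below. This is an added example, not code from the original posts and not JBoss Portal code; all function and variable names are hypothetical, and the sample ACLs are constructed from the tables in replies 6 and 10.

```python
# Simplified model of the ACL behaviour described in the thread.
# Not JBoss Portal code; every name below is hypothetical.
UNCHECKED = "Unchecked"  # pseudo-role that matches every user

def allowed(acl, obj, roles, action="view"):
    """True if any of the user's roles, or Unchecked, holds `action` on obj."""
    grants = acl.get(obj, {})
    return any(action in grants.get(r, ()) for r in set(roles) | {UNCHECKED})

def render_page(page, windows, page_acl, instance_acl, roles, denied="hide"):
    """Return {instance: 'shown'|'hidden'|'error'}, or None if the page is denied.

    windows: instance names placed on the page. Window-level ACLs are left
    out on purpose: the thread says they are not effective.
    denied: models core.render.window_access_denied; 'hide' hides the window,
    any other value models the error rendering mentioned in reply 5.
    """
    if not allowed(page_acl, page, roles):
        return None
    result = {}
    for inst in windows:
        if allowed(instance_acl, inst, roles):
            result[inst] = "shown"
        else:
            result[inst] = "hidden" if denied == "hide" else "error"
    return result

def unchecked_grants(acl, action="view"):
    """Audit helper: objects whose ACL grants `action` to everyone."""
    return sorted(o for o, g in acl.items() if action in g.get(UNCHECKED, ()))

# Constructed data: corrected single-page matrix from reply 6.
PAGE_ACL = {"Page1": {"RoleA": {"view"}, "RoleB": {"view"}}}
GOOD = {
    "Portlet1": {"RoleA": {"view"}}, "Portlet2": {"RoleA": {"view"}},
    "Portlet3": {"RoleB": {"view"}}, "Portlet4": {"RoleB": {"view"}},
}
# Constructed data: the state in replies 12-13, Unchecked still holds view.
BAD = {
    "Portlet1": {"RoleA": {"view"}, UNCHECKED: {"view"}},
    "Portlet2": {"RoleB": {"view"}, UNCHECKED: {"view"}},
}
WINDOWS = ["Portlet1", "Portlet2", "Portlet3", "Portlet4"]

if __name__ == "__main__":
    print(render_page("Page1", WINDOWS, PAGE_ACL, GOOD, ["RoleA"]))
    print(render_page("Page1", ["Portlet1", "Portlet2"], PAGE_ACL, BAD, ["RoleA"]))
    print(unchecked_grants(BAD))  # instances whose role restrictions are void
```

Running `unchecked_grants` over the instance ACLs is the quick check for the misconfiguration in reply 12: any instance it lists is visible to all users regardless of the per-role settings.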

                                  • 14. Re: Security constraints for portlets
                                    Michael DNS Newbie

                                    It worked! Thank you, Peter! :)
                                    One more question. When I log in as the user I can edit the properties of the portlet, but I granted the role "view" and not "personalize". In my case it is the properties of the "news portlet", where I set a new source-url.
                                    I would like the roles to be able to see, but not edit, the properties of the portlet.
