Apologies; forgot to state that I am trying this in portal 2.6.0-DR1, however I have tried it in 2.4 and get the same thing when I try to hit the Admin page after logging in.
Not much feedback here :) However, I have made some progress. The default portal page that I log in to contains a number of custom pages and portlets that I have deployed. If I add a security constraint to any of these pages (in the object.xml of the page definition) where I do not have the stated security role, the page is no longer visible on login. However, in the 'pages' portlet on the default page I can still see a link to the secured page. If I click that link, I get the HTTP 401 error experienced when trying to open the Admin page. If I change the security setting to a role I have in LDAP, I can see the pages again as tabs on the default page, all good.
This 401 error seems to be returned when I do not have the required role to access the page/resource. A strange error to receive; I thought this error was thrown for BASIC authentication, which I didn't know was being used. I use FORM authentication on portal login.
The problem is, I still can't access the Admin page. Now, I'd like to change the role for the Admin page in portal 2.4 to 'Authenticated' to test the security, but I can't find an object.xml that defines that page. Without this, I don't know how to change the required role for the admin page.
Does anyone know where the Admin page is configured and where the security constraint is for that page? Or does anyone know the name of the required role (probably Admin?) so I can maybe create that group in LDAP and then log in to the admin page.
Any help would be appreciated.
The Admin page is defined in jboss-portal.sar/conf/data/default-object.xml.
Thanks for the reply. That was stupid of me not to search for *-object.xml!
Anyway, I have changed the security constraints there to match a role I know works in the portal (changed from Admin to WorkingRole), and I still don't seem to log in with the admin page available:
<deployment>
  <if-exists>keep</if-exists>
  <parent-ref>default</parent-ref>
  <page>
    <page-name>Admin</page-name>
    <window>
      <window-name>NavigationPortletWindow</window-name>
      <instance-ref>NavigationPortletInstance</instance-ref>
      <region>navigation</region>
      <height>0</height>
      <!-- keep portal and page properties for this window -->
      <properties>
        <!-- use the window renderer from the emptyRenderer renderSet -->
        <property>
          <name>theme.windowRendererId</name>
          <value>emptyRenderer</value>
        </property>
        <!-- use the decoration renderer from the emptyRenderer renderSet -->
        <property>
          <name>theme.decorationRendererId</name>
          <value>emptyRenderer</value>
        </property>
        <!-- use the portlet renderer from the emptyRenderer renderSet -->
        <property>
          <name>theme.portletRendererId</name>
          <value>emptyRenderer</value>
        </property>
      </properties>
    </window>
    <window>
      <window-name>UserPortletWindow</window-name>
      <instance-ref>UserPortletInstance</instance-ref>
      <region>left</region>
      <height>0</height>
    </window>
    <window>
      <window-name>RolePortletWindow</window-name>
      <instance-ref>RolePortletInstance</instance-ref>
      <region>left</region>
      <height>1</height>
    </window>
    <window>
      <window-name>CatalogPortletWindow</window-name>
      <instance-ref>CatalogPortletInstance</instance-ref>
      <region>left</region>
      <height>2</height>
    </window>
    <window>
      <window-name>ManagementPortletWindow</window-name>
      <instance-ref>ManagementPortletInstance</instance-ref>
      <region>center</region>
      <height>0</height>
    </window>
    <window>
      <window-name>CMSAdminPortletWindow</window-name>
      <instance-ref>CMSAdminPortletInstance</instance-ref>
      <region>center</region>
      <height>1</height>
    </window>
    <security-constraint>
      <policy-permission>
        <role-name>WorkingRole</role-name>
        <action-name>viewrecursive</action-name>
      </policy-permission>
    </security-constraint>
  </page>
</deployment>
Do you know if changing the values in that file and restarting the server would take effect, or anything else that is required?
You need to specify:
I can now see the Admin Page! However :) I don't have access to the portlets on the page!! I just get access denied on two of the portlets and "Sorry, you do not have access to this function." on the Role Management portlet.
If anyone has changed the role of the portlets before and knows how to do that, it would be much appreciated. I will search around to see what I can find. I am seriously hoping that, having logged in using JAAS, I don't have to do some other security step just to gain access to these portlets.
Step by Step,
To be on the safe side, I would reinstall the portal from scratch. Sometimes changes made in the *-object.xml file just don't get reflected because the database already contains other settings.
The Role Management portlet has the "Admin" role hard-coded. You would have to change this line in the file ./core/src/main/org/jboss/portal/core/portlet/role/RolePortlet.java:
private static final String ADMIN_ROLE = "Admin";
As far as I know, that is the only place where the "Admin" role is hard-coded.
Thanks for that,
I can't believe a role is hard-coded in there! :) I wonder how other people have dealt with this if they have used AD/LDAP to hold the roles for the portal? You can't be expected to create a role called Admin in an organisation's AD!
All the best
You are mixing application roles and user roles.
You define roles for your users, let's say "Managers", and then you need to map those roles to the application roles (here "Admin").
See JAAS and the portlet spec to see how you can map your roles.
(This is not the best design, though, since you need to modify internal configuration files, but you don't need to touch the Java file.)
I was previously using the built-in HSQL DB, so to test whether the DB config was causing the security issues I swapped the portal datasource to MSSQL. When the portal rebuilt the DB, I could access all portlets in the admin page, with the exception of the Role Portlet, which fits with Peter's comment that the portlet has a hard-coded role in there and that the existing DB config meant the changed -object.xml settings were being ignored. So, I am very close to having what I want! :)
Thomas, I'm not sure I follow your point? I don't want application roles and user roles. I want one set of roles (groups), configured in AD, to place users in so they have access to portal resources. The way I am doing that is working fine; my custom AD module gets the roles the user belongs to on login and they are used to protect/grant access to the appropriate resources in the portal. The problem is the hard-coded role in the role portlet?
If you could elaborate that would be great. I will however look in to JAAS and its use in portlets :)
Julien or Roy, do you mind if I open a JIRA to make the administrator role for the Role Management portlet a read-only preference? It would default to "Admin" but could be easily changed by modifying the appropriate portal.xml file.
Never mind regarding the JIRA, didn't see Thomas' reply before I sent my post.
Had a think about this; are you talking about using security-role-refs?
So, use something like:
<security-role-ref>
  <role-name>MyLDAPRoleToCheck</role-name>
  <role-link>Admin</role-link>
</security-role-ref>
If so, where would that go? In the web.xml in jboss-portal.sar\portal-server.war\WEB-INF? Against which servlet?
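As an added example, not taken from this thread or from JBoss Portal's own descriptors, this is how a JSR 168 security-role-ref is declared in the portlet application's portlet.xml, with the linked role declared as a security-role in that same WAR's web.xml. In the portlet spec, role-name is the name the portlet code passes to isUserInRole (so it must be the hard-coded "Admin") and role-link is the role the user actually carries, which is the reverse of the snippet above. It assumes the Role Management portlet checks its role through PortletRequest.isUserInRole, that its portlet-name is RolePortlet, and that the LDAP group is called PortalAdmins (both placeholders).

```xml
<!-- portlet.xml of the portlet application that holds the Role Management portlet -->
<portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_1_0.xsd" version="1.0">
  <portlet>
    <!-- assumed portlet-name; the class path is derived from the source file named above -->
    <portlet-name>RolePortlet</portlet-name>
    <portlet-class>org.jboss.portal.core.portlet.role.RolePortlet</portlet-class>
    <supports>
      <mime-type>text/html</mime-type>
      <portlet-mode>VIEW</portlet-mode>
    </supports>
    <portlet-info>
      <title>Role Management</title>
    </portlet-info>
    <!-- role-name: the name the code checks (ADMIN_ROLE = "Admin", so isUserInRole("Admin"))
         role-link: the deployed role the LDAP login module puts on the principal (placeholder) -->
    <security-role-ref>
      <role-name>Admin</role-name>
      <role-link>PortalAdmins</role-link>
    </security-role-ref>
  </portlet>
</portlet-app>

<!-- web.xml of the same WAR: every role-link target must be declared as a security-role here -->
<web-app>
  <security-role>
    <description>Group from AD/LDAP that may administer portal roles (placeholder name)</description>
    <role-name>PortalAdmins</role-name>
  </security-role>
</web-app>
```

If the portlet resolves its role any other way than isUserInRole, this mapping will not apply and the check from the Java source stays tied to the literal "Admin".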