5 Replies Latest reply on Aug 31, 2007 9:17 AM by Thomas Heute

    Declarative Security and Portlets

    karin k Newbie

      Hi,

      I just would like to discuss an issue about the portlet specification and security.
      Reading the portlet spec again and again there is one issue that I do not really understand:

      The chapter "PLT.20.2 Roles" states:

      The Portlet Specification shares the same definition as roles of the Servlet Specification
      2.3, SRV.12.4 Section.


      Reading the servlet spec it states:
      A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of the principal.



      So what is meant by this:
      Should the portlet container secure access to a portlet by means of declarative security.
      How can this be done? Is this a configuration in the web.xml file.
      The portlet spec also stated "PLT.3 Relationship with the Servlet Specification"
      Portlets are not directly bound to a URL


      So how can there be a security-constraint in the web.xml without defined url.
      Reading JBoss doc I got the impression that securing a portlet is
      a portlet container related task (and is be done in the admin portlet,
      or in jboss portal proprietary deployment descriptor).

      Than I come to a next point. When accessing a portlet from remote via
      WSRP how can than the portlet be secured. Currently I do not see a declarative mean.

      If no declarative security can be used, is it really meant, that a portlet developer should always use programmatic security (isUserInRole)

      Regards Karin



        • 1. Re: Declarative Security and Portlets
          Viet Master

          Hi,

          first portlets are not bound to URLs so they cannot be secured via web.xml. The only thing done in relation with the servlet world is that the user authenticated against the portal servlet and when he access a portlet (in the local case) the request user principal and the roles are propagated to the portlet, so you can apply programmatic security in your portlet. Then the spec does not define anything else than that.

          In JBoss Portal portlets are secured via the concept of portlet instance. The main reason is that it gives more flexibility than securing a portlet, since securing a portlet is done at deployment time and an instance has a life cycle which is more dynamic.

          In the WSRP world, how security is done is unclear. I think that the ideal scenario is to have security propagation between the consumer and the producer using either a WS spec or the HTTP transport authentication (we have a JIRA task for that but not scoped at 2.6)

          In future releases we'll add security per consumer registration. So you will be able to expose a set of portlets to a particular consumer. Due to the non triviallity of this task we will make it for 3.0 probably. Actually we will need to visit the different use cases for security in the producer part.

          Beside that JBoss Portal has a flexible architecture so it is possible to add a portlet container interceptor to apply security before a portlet is reached.

          • 2. Re: Declarative Security and Portlets
            karin k Newbie

            Hi Julien,
            just to summarize your answer and to verify if I understood you correctly

            1) There is no role-based declarative security for portlets defined by portlet spec.

            2) For local portlets in JBoss Portal it is solved by securing portlet instances.

            3) For WSRP, JBoss Portal has no solution currently. Neither propagation
            of a User id, nor role based access control is solved. If we need something
            there, we should implement it ourselves.

            Regards
            Karin

            • 3. Re: Declarative Security and Portlets
              Magesh Bojan Master

              Please find my answers inline:

              >>>1) There is no role-based declarative security for portlets defined by portlet spec.

              Yes

              >>>2) For local portlets in JBoss Portal it is solved by securing portlet instances.

              Yes

              >>>3) For WSRP, JBoss Portal has no solution currently. Neither propagation of a User id, nor role based access control is solved. If we need something there, we should implement it ourselves.

              Yes

              • 4. Re: Declarative Security and Portlets
                srinivas prabhu Newbie

                Hi mageshbk,

                can you restate above 3 points with respect to jboss portal 2.6.1.

                have things changed ? Especially role-based declarative security for portlets ?

                thanks

                • 5. Re: Declarative Security and Portlets
                  Thomas Heute Master

                  The question was about declarative security *from the spec*, the spec hasn't change.

                  Declarative security for portlet instance, and portal objects exist since the beginning in JBoss Portal.