1 2 Previous Next 17 Replies Latest reply on Aug 10, 2007 1:51 AM by roth

    Giving Admin Priviledges to another Role

    roth Newbie

      Hi

      I am trying something supposedly simple. I want to give Admin priviledges to the 'User' role, in preparation for a later switch to ldap. I am using JBoss 4.2.1 on Windows XP with the portal svn trunk.

      What I did so far:

      For the admin portal in In jboss-portal.sar\conf\data\default-object.xml, add

       <security-constraint>
       <policy-permission>
       <action-name>viewrecursive</action-name>
       <role-name>User</role-name>
       </policy-permission>
       </security-constraint>
      

      After I cleaned out the portal database, this had the effect that the little admin link appears when logged in as 'User' (who belongs to the 'User' group).

      So far, so good. Now I would like to give access to the User and Role portlets.

      In jboss-portal.sar\portal-core.war\WEB-INF\portlet-instances.xml, I added

       <security-constraint>
       <policy-permission>
       <role-name>User</role-name>
       <action-name>view</action-name>
       </policy-permission>
       </security-constraint>
      

      twice, once for the USerPortletInstance, and once for the RolePortletInstance. I cleared out the database again, but this had no effect. Both the 'Role Management' and 'User Portlet' windows appear, but without any content.

      I don't find anything suspicious in the logfile. What am I missing?

      Thanks

        • 1. Re: Giving Admin Priviledges to another Role
          Thomas Heute Master

          If you want them to be admin why don't you add them the admin role ?

          The roles are checked in the portlet following the spec (isUserInRole("admin").

          • 2. Re: Giving Admin Priviledges to another Role
            Thomas Heute Master

            But you can map this role to any of your business role (see the spec and Java security in general)

            • 3. Re: Giving Admin Priviledges to another Role
              roth Newbie

              Hi Thomas

              "thomas.heute@jboss.com" wrote:
              If you want them to be admin why don't you add them the admin role ?


              Because I later want to integrate the portal with my existing ldap. Instead of adding a new role for every system I attach to my ldap ('admin' for the portal, 'root' for system x, 'administrator' for system y), I want to use already existing roles.

              "thomas.heute@jboss.com" wrote:
              But you can map this role to any of your business role (see the spec and Java security in general)


              That was what I was trying to do. Do the examples I posted look sensible? Or did I approach this in all wrongly? The above is what looks right to me, but I don't know much about java security. I did read the reference guide about that topic though, that's how I came up with the above.

              Thanks

              • 4. Re: Giving Admin Priviledges to another Role
                Thomas Heute Master

                You should read:
                PLT.20.3 Programmatic Security

                Of the portlet spec.

                You will have to adapt portal-core.war/WEB-INF/portlet.xml to reference your roles

                • 5. Re: Giving Admin Priviledges to another Role
                  roth Newbie

                  Thanks! That was exacty the piece of information I was missing.

                  I'll write a wiki article in the next few days about this as well as my efforts concerning portal integration in MS Active Directory.

                  • 6. Re: Giving Admin Priviledges to another Role
                    Thomas Heute Master

                    That would be a great value-added, thanks !

                    • 7. Re: Giving Admin Priviledges to another Role
                      Thad West Newbie

                      How's that wiki article coming? :-)

                      I have to integrate with AD and was looking forward to your post....

                      Thanks!

                      • 8. Re: Giving Admin Priviledges to another Role
                        roth Newbie

                        Right... I was a bit distracted by other work.

                        Anyway, you'll have the article until Friday night. I'll post a link here once I'm done.

                        Cheers

                        • 10. Re: Giving Admin Priviledges to another Role
                          Thomas Heute Master

                          Thanks a lot ! I know lot of people will enjoy this :)

                          • 12. Re: Giving Admin Priviledges to another Role
                            Thad West Newbie

                            Okay, so I tried the AD set-up and had a little kablammo:

                            15:12:56,575 ERROR [IdentityLoginModule] Error when validating password
                            org.jboss.portal.common.transaction.NestedException: javax.security.auth.login.LoginException: org.jboss.portal.identity.IdentityException: Couldn't create LDAPUserImpl object from ldap entry (SearchResult)
                             at org.jboss.portal.common.transaction.Transactions.apply(Transactions.java:253)
                             at org.jboss.portal.common.transaction.Transactions.required(Transactions.java:289)
                             at org.jboss.portal.identity.auth.IdentityLoginModule.getUserStatus(IdentityLoginModule.java:204)
                             at org.jboss.portal.identity.auth.IdentityLoginModule.validatePassword(IdentityLoginModule.java:158)
                             at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
                             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                             at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                             at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                             at java.lang.reflect.Method.invoke(Unknown Source)
                             at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                             at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                             at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                             at java.security.AccessController.doPrivileged(Native Method)
                             at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                             at javax.security.auth.login.LoginContext.login(Unknown Source)
                             at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
                             at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
                             at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
                             at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
                             at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
                             at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
                             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
                             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
                             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
                             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
                             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
                             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
                             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
                             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                             at java.lang.Thread.run(Unknown Source)
                            Caused by: javax.security.auth.login.LoginException: org.jboss.portal.identity.IdentityException: Couldn't create LDAPUserImpl object from ldap entry (SearchResult)
                             at org.jboss.portal.identity.auth.IdentityLoginModule$1.run(IdentityLoginModule.java:260)
                             at org.jboss.portal.common.transaction.Transactions.apply(Transactions.java:219)
                             ... 30 more
                            


                            Any clues? Do you need more information? My config was almost identical to the referenced wiki article.

                            Thanks,
                            Thad

                            • 13. Re: Giving Admin Priviledges to another Role
                              roth Newbie

                              Dunno, maybe I forgot some step to install ldap-specific libraries in the wiki article. I'll check.

                              • 14. Re: Giving Admin Priviledges to another Role
                                roth Newbie

                                I walked through the wiki article again step by step, and it worked for me, using jboss-4.2.1-GA and JBoss_Portal_2_6_1. Are you sure you didn't miss anything?

                                1 2 Previous Next