0 Replies Latest reply on Sep 1, 2007 10:37 PM by Dmitry Dzifuta

    Authorization and authentication in JBoss Portal

    Dmitry Dzifuta Newbie

      Hello everybody!

      I am rather new to JBoss Portal, but I've run into my first problem that I haven't been able to solve for a long time... On the forum, the authorization/authentication theme is one of the most popular, and I have a common goal too.
      In a couple of words, I want to do the following:
      1) Authenticate the user and find a way to get the authenticated user id in each portlet.
      2) Define bindings of roles and permissions for each portlet. (AFAIK this can be done easily)
      3) Resolve permissions for the current user in each portlet.
      4) Do not render the portlet for the defined permissions.

      Here are my questions according to the goals:
      1) First of all, why are there no examples where login functionality is located in a separate portlet? Are there any limitations on implementing such functionality? Can I use JAAS for this goal?
      2) Is there a possibility to manage this via the admin interface?
      3,4) Are there any techniques or recommendations for a manager that will automatically resolve permissions for the logged-in user? How can this information be read from a portlet?

      If you know something that can help me and this has already been written somewhere, then I'll appreciate any links and documents. I think this theme is interesting and useful, and I want to solve this problem and create a good wiki document for future usage.

      What I have read:
      I have read the reference guide and found that JBoss has an identity modules implementation. But I haven't found out how I can implement these modules to work with my business objects. Is it possible?
      Also, I have read the wiki, where I found the following information (maybe it can be useful for somebody):
      1) Here is how the logged-in user can be determined. http://wiki.jboss.org/wiki/Wiki.jsp?page=DeterminePortalLoggedInUser
      2) Here is described how to force login or, in other words, "How to remove any non-authorized portal usage". http://wiki.jboss.org/wiki/Wiki.jsp?page=ForceLoginPage (instructions for JBoss Portal Server 2.0, they may not be useful now)
      3) Here is a rather big document called LoginPortlet. http://wiki.jboss.org/wiki/Wiki.jsp?page=PortletLogin Unfortunately, I couldn't find any information about PORTLET there. Only jsp/servlet.
      4) Here you can find how to secure resources via url-pattern in JBoss AS. http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationUsingACustomForm
      5) By the way, here is a small example of how to configure a JAAS login module on the "server" side. http://labs.jboss.com/wiki/JAASSetup
      6) Here is something conceptual - an authorization manager diagram and permission matrix. http://wiki.jboss.org/wiki/Wiki.jsp?page=PortalSecurity This was created for version 2.2, so I don't know the state of this functionality.
      7) One more interesting thing - Acegi portlet support. http://wiki.jboss.org/wiki/Wiki.jsp?page=AcegiPortletSupport Sounds very encouraging, but I have only had a quick look at this extension.
      8) JBoss Portal Identity API documentation. http://wiki.jboss.org/wiki/Wiki.jsp?page=Identity_API_in_JBoss_Portal_2_6

      Thank you for any help!!!