4 Replies Latest reply on Mar 18, 2008 9:31 AM by joe_the_quick

    security-constraints not working at the page level (*-object

    joe_the_quick Newbie

      hi there,

      If I add the Authenticated-role to a page (using Jboss Portal 2.6.2 GA), it seems to simply get ignored:

      test-object.xml:
      <?xml version="1.0" encoding="UTF-8"?>


      <if-exists>overwrite</if-exists>
      <parent-ref>default</parent-ref>


      <page-name>HelloWorld</page-name>


      <window-name>HelloWorldPortletWindow</window-name>
      <instance-ref>HelloWorldPortletInstance</instance-ref>
      center
      0

      <security-constraint>
      <policy-permission>
      <role-name>Authenticated</role-name>
      <action-name>view</action-name>
      </policy-permission>
      </security-constraint>





      The role is added to portlet.xml and can be verified using request.isUserInRole("Authenticated").
      If I add the same role to the portlet-instances.xml, then it works immediately:

      <?xml version="1.0" encoding="utf-8" standalone="yes"?>
      <!DOCTYPE deployments PUBLIC
      "-//JBoss Portal//DTD Portlet Instances 2.6//EN"
      "http://www.jboss.org/portal/dtd/portlet-instances_2_6.dtd">



      <if-exists>overwrite</if-exists>

      <instance-id>HelloWorldPortletInstance</instance-id>
      <portlet-ref>HelloWorldPortlet</portlet-ref>
      <security-constraint>
      <policy-permission>
      <role-name>Authenticated</role-name>
      <action-name>view</action-name>
      </policy-permission>
      </security-constraint>





      Environment info:
      Jboss 4.0.5 GA
      Jboss Portal 2.6.2 GA
      JDK 1.5

      Could it be that the page-level security is no longer working with Jboss Portal 2.6.2 GA?

      I read in an earlier post, that the unchecked access using "read recursive" has to be disabled from the default-portal, but I believe that the role security should be way stronger than any default configuration.