7 Replies Latest reply on Mar 18, 2008 11:31 AM by peterj

How to make a portlet secured

pshaktig Mar 18, 2008 6:25 AM

Hi all,

I have deployed HelloWorldPortlet (avaialble at portletSwap.com) on JBoss Portal 2.6. Now I need to make this portlet secured so that only users from the roles defined in portlet-instance.xml can access this portlet. I have made proper entries for security-constraints in portlet-instances.xml but to no avail. Any user can access the portlet. The entry I made look like this:

<instance-id>AJAXSearchViewerPortletInstance</instance-id>
<portlet-ref>AJAXSearchViewerPortlet</portlet-ref>
<security-constraint>
<policy-permission>
<role-name>Admin</role-name>
<action-name>admin</action-name>
</policy-permission>
</security-constraint>

Question:
1. Just making an entry in portlet-instance.xml would do?
2. Or I need to do this programmatically? if so please provide references.

Thanks,
Shakti

1. Re: How to make a portlet secured

matthieu.bouvais Mar 18, 2008 6:55 AM (in response to pshaktig)

Hi pshaktig,
If you want to restrict the access to a portlet to the Admin role, you have to modify your portlet-instances.xml and change the action-name to "view". This will hide the portlet to all user who don't have the Admin role. You don't have to make it programmatically.
Actions
2. Re: How to make a portlet secured

pshaktig Mar 18, 2008 7:07 AM (in response to pshaktig)

Hi Matthieu,

I did the same. But its not working. In portlet-insatances.xml made the entry you suggested.

Do I need to disable viewrecursive action for the default portal?

Thanks,
Shakti
Actions
3. Re: How to make a portlet secured

den74 Mar 18, 2008 7:10 AM (in response to pshaktig)

hi i got the same, it depends on the father permission.

by default "vierecursive" is enabled to everyone, i had to change in view for any role and then i had the behaviour like you want
Actions
4. Re: How to make a portlet secured

matthieu.bouvais Mar 18, 2008 7:21 AM (in response to pshaktig)
You don't need to remove the "viewRecursive" action for the default portal. You can add this attribute into the portlet-instances.xml :
... <deployment> <if-exists>overwrite</if-exists> <instance> ... </instance> </deployment> ....
Actions
5. Re: How to make a portlet secured

pshaktig Mar 18, 2008 8:14 AM (in response to pshaktig)

Hi Matthieu,

Thanks for your solution. My portlet got secured. This is what I did in my portlet-instances.xml:

<if-exists>overwrite</if-exists>

<instance-id>AJAXSearchViewerPortletInstance</instance-id>
<portlet-ref>AJAXSearchViewerPortlet</portlet-ref>
<security-constraint>
<policy-permission>
<role-name>Admin</role-name>
<action-name>view</action-name>
</policy-permission>
</security-constraint>

What if I want to make the page secured? What entries do I need to make?

Thanks,
Shakti
Actions
6. Re: How to make a portlet secured

pshaktig Mar 18, 2008 10:26 AM (in response to pshaktig)

Hi,

When I put security constraints in *-object.xml in admin portlet I can see tha page has view permissions for Admin role. However when I open the page it is accessible to everyone. Evene <if exists>overwrite<...> not working

Please provide some pointers.
Thanks,
Shakti
Actions
7. Re: How to make a portlet secured

peterj Mar 18, 2008 11:31 AM (in response to pshaktig)

See the discussions at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=98753

and http://www.jboss.com/index.html?module=bb&op=viewtopic&t=115712
Actions

Go to original post