3 Replies Latest reply on Sep 9, 2011 11:19 AM by donino doninos

    How to link Gatein security roles to portlet roles

    donino doninos Newbie

      Hi,

       

      Could anyone explain how to link Gatein security roles to portlet roles. I use gatein3.2 with tomcat 6 & 7, on windows.

       

      My portlet application uses following roles: [administrator, manager, poweruser, standard]. Conformly portlet specifications in portlet.xml i linked these roles with default gatein roles [manager, validator, member]:

       

          <security-role-ref>  <role-name>administrator</role-name> <role-link>manager</role-link> </security-role-ref>

          <security-role-ref>  <role-name>manager</role-name> <role-link>validator</role-link> </security-role-ref>

          <security-role-ref>  <role-name>poweruser</role-name> <role-link>member</role-link> </security-role-ref>       

          <security-role-ref>  <role-name>standard</role-name> <role-link>member</role-link> </security-role-ref>  

       

      In Gatein Portlet Administration page,  i set [manager, validator, member] roles for root group "/platform/administrators" on my portlet.

       

      In portlet JSP pages, when connected as root,         renderRequest.isUserInRole("administrator")           returns false

                                                                                  renderRequest.isUserInRole("manager")                 returns false

       

      These steps work with Jahia and Liferay (with liferay-portlet.xml), did i miss something  for Gatein? May be a specific configuration file or something to add in web.xml?  Any help will be much appreciated!

       

      thanks

        • 1. Re: How to link Gatein security roles to portlet roles
          donino doninos Newbie

          So nobody knows how we can link Gatein security roles to portlet roles? I wouldnt like to open a new jira issue if i just stupidly missed a specific configuration file :/

          I ask a last time before JIRA

           

          In more simple steps:

           

          0/ declare a role in web.xml:     <security-role>  <description>Managers description</description>  <role-name>manager</role-name> </security-role>

           

          1/ declare a role in portlet xml:  <security-role-ref>  <role-name>manager</role-name> <role-link>manager</role-link> </security-role-ref>

           

          2/ In Gatein Portlet Administration UI: set [manager] role on your portlet for root group "/platform/administrators"

           

          3/ In any portlet JSP page, logged as root:      renderRequest.isUserInRole("manager")         returns false whereas it should return true

          • 2. Re: How to link Gatein security roles to portlet roles
            Marek Posolda Apprentice

            Hi,

             

            It seems there is little confusion. "member", "manager" and "validator" are membership types, when "/platform/administrators" and "/platform/users" are groups. Groups, membership type and user together creates membership. So membership means "user john is manager of group /platform/administrators".

             

            Portlet roles and web j2ee roles are taken from groups, not from membership types. There is special component called RolesExtractor, which is used for this mapping. In your case, users from "/platform/administrators" are mapped to role "administrators" not to role "manager".

             

            More info about RolesExtractor and GateIn identity is here http://community.jboss.org/wiki/GateInIdentityAndSecurityFAQ especially Q3. Other useful informations are in GateIn reference guide.

             

            Hope this helps,

            Marek

            1 of 1 people found this helpful
            • 3. Re: How to link Gatein security roles to portlet roles
              donino doninos Newbie

              Marek,

               

              thank you very much for your answer.

              I replaced in portlet.xml my previous code with:

               

                  <security-role-ref>  <role-name>administrator</role-name> <role-link>administrators</role-link> </security-role-ref>

                  <security-role-ref>  <role-name>standard</role-name> <role-link>users</role-link> </security-role-ref>

               

              and indeed it works, administrator and standard role are now recognized in my portlet application! I created also a new /platform/powerusers group, and then portlet power users are recognized too. I believed portlet roles were mapped with memberships, not with groups.

               

              thanks a lot