Hi, I just would like to discuss an issue about the portlet specification and security. Reading the portlet spec again and again there is one issue that I do not really understand:
The chapter "PLT.20.2 Roles" states:

> The Portlet Specification shares the same definition as roles of the Servlet Specification 2.3, SRV.12.4 Section.

Reading the servlet spec, it states:

> A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of the principal.

So what is meant by this: should the portlet container secure access to a portlet by means of declarative security? How can this be done? Is this a configuration in the web.xml file?

The portlet spec also states in "PLT.3 Relationship with the Servlet Specification":

> Portlets are not directly bound to a URL

So how can there be a security-constraint in the web.xml without a defined URL? Reading the JBoss doc, I got the impression that securing a portlet is a portlet-container-related task (and is done in the admin portlet, or in the JBoss Portal proprietary deployment descriptor).

Then I come to the next point. When accessing a portlet remotely via WSRP, how can the portlet then be secured? Currently I do not see a declarative means.

If no declarative security can be used, is it really meant that a portlet developer should always use programmatic security (isUserInRole)?

Regards
Karin

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4020559#4020559
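The programmatic check the post refers to (isUserInRole), as an added example that is not part of the original post and not JBoss Portal code. The class name, the role names and the descriptor entries quoted in the comment are assumptions; it compiles against the JSR 168 portlet API.

```java
import java.io.IOException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/*
 * Hypothetical portlet. Assumed portlet.xml entry for it, mapping the role
 * name used in code to a role declared in web.xml:
 *
 *   <security-role-ref>
 *     <role-name>reportAdmin</role-name>
 *     <role-link>Admin</role-link>
 *   </security-role-ref>
 *
 * and the matching declaration in web.xml:
 *
 *   <security-role><role-name>Admin</role-name></security-role>
 */
public class ReportPortlet extends GenericPortlet {

    private static final String REQUIRED_ROLE = "reportAdmin"; // assumed name

    // Deny by default: a request without an authenticated user is rejected
    // before the role check, and a missing role mapping yields false.
    private static void requireRole(PortletRequest request)
            throws PortletSecurityException {
        if (request.getRemoteUser() == null
                || !request.isUserInRole(REQUIRED_ROLE)) {
            throw new PortletSecurityException(
                    "Role " + REQUIRED_ROLE + " required");
        }
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        requireRole(request);
        response.setContentType("text/html");
        response.getWriter().println("<p>Report for authorized users.</p>");
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        requireRole(request); // guard state changes as well as rendering
    }
}
```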