Randy, thanks a lot for your help! I was able to setup a basic access control to my portlet's view and Edit mode. I do have more questions on the user management in J2, though :)
I've created a new user, dce-admin, using the "Administrative Portlets" as 'admin' user. This worked fine, and I was able to detect this user through the PortletResponse.getUserPrincipal(). I've also tried to create a new role, say dce-admin-role, and assign this role to the new user. This , unfortunately, did not work. I entered the new role name into the corresponding form ("Add Role") of the "Role Management" tab, but it was never added to the list of the available roles and when I tried to assign this role to the new user I've got an error from J2 complaining that this role does not exist: ******* New Full Path: /role/dce-admin-role failed to add user to role: dce-admin, dce-admin-roleorg.apache.jetspeed.security.SecurityException: The role does not exist. dce-admin-role ******* New Full Path: /role/dce-admin-role Any idea why this is not working? Thanks, Marina --- Randy Watler <[EMAIL PROTECTED]> wrote: > Marina, > > Thanks for using the jetspeed user list! > > Comments below. > > Randy > > >-----Original Message----- > >From: Marina > >To: 'Jetspeed Users List ' > >Sent: 12/6/04 5:06 PM > >Subject: RE: Jetspeed2 M1 security setup (was: > jetspeed-newbie > Roles-Groups-Users)> > > > >Hi, > > > > I've successfully built and installed J2 M1 and > was > >looking into the demo applications to figure out > how > >to setup access control for portlets/pages. > >After checking out some example portlets , like > >RoleSecurityTest and Login, and their source code, > I > >think I have some idea of how to approach the task > but > >I would like to clarify some topics. > > > >First, I'll list my assumptions and then ask > >questions: > > > >1. > >tomcat-5.0.30-j2-M1\webapps\jetspeed\WEB-INF\pages\page.security > > file specifies 'Edit'/'View' permissions for the > >default Portal's page, defined in default-page.psml > > The /page.security file defines named security > constraints that can be > referenced here or in individual page, folder meta > data, link, or document > set documents. The scope of this file is global > across the entire site. > References take the form of > <global-security-constraints-ref/>, (which > appear only in /page.security), or > <security-constraints-ref/>. > > >Thus, this part : > > <security-constraints-def name="admin"> > > <security-constraint> > > <roles>admin</roles> > > <permissions>view, edit</permissions> > > </security-constraint> > > </security-constraints-def> > >means that only a user with the role 'admin' can > edit > >the layout of the page. > > Yes, since this fragment is referenced in a > <global-security-constraints-ref/>, it applies to > all documents in the site. > > >And this fragment: > > <security-constraints-def name="manager"> > > <security-constraint> > > <roles>manager</roles> > > <permissions>view</permissions> > > </security-constraint> > > </security-constraints-def> > >means that a user with the role 'manager' can view > the > >page. > > Yes, where used with a <security-constraints-ref/>. > > >However, anybody can view this default page in > reality > >- even before a user logs in. You don't need any > >special privileges to access > >http://localhost:8080/jetspeed to see the page. > >My assumption is that it is because security > >constraints are "overwritten" in the > >pages/folder.metadata file (see below). > >Is that true? > > Not exactly. The override is in the > default-page.psml itself, (user=*, > permission=view). > > >What is the scope of the page.security definitions > and > >where are they used? > > See above. > > >2. each folder under /pages directory (including > >/pages itself) has a folder.metadata file where > more > ><security-constraints> are defined for that folder. > >For example, here is pages/folder.metadata: > >..... > > <security-constraints> > > <security-constraint> > > <roles>user</roles> > > <permissions>view</permissions> > > </security-constraint> > > > ><security-constraints-ref>manager</security-constraints-ref> > > </security-constraints> > > This should be commented out in M1. > > > > > <security-constraints> > > <security-constraint> > > <users>*</users> > > <permissions>view</permissions> > > </security-constraint> > > </security-constraints> > ></folder> > >And this is why all users can see the default page. > >(Is that true?) > > It would be the case if default-page.psml did not > override on its own. To be > exact, this allows all users to view the folder and > any content within it > that does not specify its own security constraints. > In effect, this is the > site default for global pages because it is defined > at the root leve. > > >On the other hand, here is > >pages\Administrative\folder.metadata : > ><folder> > > <title>Jetspeed Administrative Portlets</title> > > <!-- allow only manager role --> > > <security-constraints> > ><security-constraints-ref>manager</security-constraints-ref> > > </security-constraints> > ></folder> > > > >This folder corresponds to the "Jetspeed > >Administrative Portlets" menu item in the 'Folder > and > >Pages' menu on the left side of the Portal window. > >However, it is displayed only when a user with the > >'manager' role logged in. > > Correct. It also requires that its contents only be > visible in the manager > role as well. > > >3. There also are security-constraints in the .psml > >files themselves. For example, > pages/default-page.psml > >has: > > <security-constraints> > > <security-constraint> > > <users>*</users> > > <permissions>view</permissions> > > </security-constraint> > > </security-constraints> > > Yes, and it is this that enables any user to view > the default page, no > matter what the folder that the page belongs to is > permitted. > > >4. Also, there are <security-ref> defined in the > >portlet.xml files of individual portlets. For > example: > > <portlet id="RoleSecurityTest"> > >..... > > <security-role-ref> > > <role-name>Administrator</role-name> > > <role-link>admin</role-link> > > </security-role-ref> > > <security-role-ref> > > <role-name>Manager</role-name> > > <role-link>manager</role-link> > > </security-role-ref> > > <security-role-ref> > > <role-name>User</role-name> > > <role-link>user</role-link> > > </security-role-ref> > > </portlet> > > > >and corresponding <security-roles> are defined in > the > >web.xml file of the portlet application: > ><web-app> > >.... > > <security-role> > > <description>The admin role</description> > > <role-name>admin</role-name> > > </security-role> > > <security-role> > > <description>The manager role</description> > === message truncated === __________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]