Randy, thanks a lot for your help! I was able to set up
a basic access control to my portlet's View and Edit
mode.
I do have more questions on the user management in J2,
though :)

I've created a new user, dce-admin, using the
"Administrative Portlets" as 'admin' user. This worked
fine, and I was able to detect this user through the
PortletResponse.getUserPrincipal().
I've also tried to create a new role, say
dce-admin-role, and assign this role to the new user.
This, unfortunately, did not work. I entered the new
role name into the corresponding form ("Add Role") of
the "Role Management" tab, but it was never added to
the list of the available roles and when I tried to
assign this role to the new user I've got an error
from J2 complaining that this role does not exist:

******* New Full Path: /role/dce-admin-role
failed to add user to role: dce-admin,
dce-admin-roleorg.apache.jetspeed.security.SecurityException:
The role does not exist. dce-admin-role
******* New Full Path: /role/dce-admin-role


Any idea why this is not working?

Thanks,
Marina



--- Randy Watler <[EMAIL PROTECTED]> wrote:

> Marina,
> 
> Thanks for using the jetspeed user list!
> 
> Comments below.
> 
> Randy
> 
> >-----Original Message-----
> >From: Marina
> >To: 'Jetspeed Users List '
> >Sent: 12/6/04 5:06 PM
> >Subject: RE: Jetspeed2 M1 security setup (was:
> jetspeed-newbie
> Roles-Groups-Users)>
> >
> >Hi,
> >
> >  I've successfully built and installed J2 M1 and
> was
> >looking into the demo applications to figure out
> how
> >to setup access control for portlets/pages.
> >After checking out some example portlets, like
> >RoleSecurityTest and Login, and their source code,
> I
> >think I have some idea of how to approach the task
> but
> >I would like to clarify some topics.
> >
> >First, I'll list my assumptions and then ask
> >questions:
> >
> >1.
>
>tomcat-5.0.30-j2-M1\webapps\jetspeed\WEB-INF\pages\page.security
> > file specifies 'Edit'/'View' permissions for the
> >default Portal's page, defined in default-page.psml
> 
> The /page.security file defines named security
> constraints that can be
> referenced here or in individual page, folder meta
> data, link, or document
> set documents. The scope of this file is global
> across the entire site.
> References take the form of
> <global-security-constraints-ref/>, (which
> appear only in /page.security), or
> <security-constraints-ref/>.
> 
> >Thus, this part :
> >  <security-constraints-def name="admin">
> >    <security-constraint>
> >      <roles>admin</roles>
> >      <permissions>view, edit</permissions>
> >    </security-constraint>
> >  </security-constraints-def>
> >means that only a user with the role 'admin' can
> edit
> >the layout of the page.
> 
> Yes, since this fragment is referenced in a
> <global-security-constraints-ref/>, it applies to
> all documents in the site.
> 
> >And this fragment:
> >  <security-constraints-def name="manager">
> >    <security-constraint>
> >      <roles>manager</roles>
> >      <permissions>view</permissions>
> >    </security-constraint>
> >  </security-constraints-def>
> >means that a user with the role 'manager' can view
> the
> >page.
> 
> Yes, where used with a <security-constraints-ref/>.
> 
> >However, anybody can view this default page in
> reality
> >- even before a user logs in. You don't need any
> >special privileges to access
> >http://localhost:8080/jetspeed to see the page.
> >My assumption is that it is because security
> >constraints are "overwritten" in the
> >pages/folder.metadata file (see below). 
> >Is that true?
> 
> Not exactly. The override is in the
> default-page.psml itself, (user=*,
> permission=view).
> 
> >What is the scope of the page.security definitions
> and
> >where are they used?
> 
> See above.
> 
> >2. each folder under /pages directory (including
> >/pages itself) has a folder.metadata file where
> more
> ><security-constraints> are defined for that folder.
> >For example, here is pages/folder.metadata:
> >.....
> >  <security-constraints>
> >    <security-constraint>
> >      <roles>user</roles>
> >      <permissions>view</permissions>
> >    </security-constraint>
> >   
>
><security-constraints-ref>manager</security-constraints-ref>
> >  </security-constraints>
> 
> This should be commented out in M1.
> 
> >
> >  <security-constraints>
> >    <security-constraint>
> >      <users>*</users>
> >      <permissions>view</permissions>
> >    </security-constraint>
> >  </security-constraints> 
> ></folder>
> >And this is why all users can see the default page.
> >(Is that true?)
> 
> It would be the case if default-page.psml did not
> override on its own. To be
> exact, this allows all users to view the folder and
> any content within it
> that does not specify its own security constraints.
> In effect, this is the
> site default for global pages because it is defined
> at the root level.
> 
> >On the other hand, here is
> >pages\Administrative\folder.metadata :
> ><folder>
> >  <title>Jetspeed Administrative Portlets</title> 
> >  <!-- allow only manager role -->
> >  <security-constraints>   
>
><security-constraints-ref>manager</security-constraints-ref>
> >  </security-constraints>
> ></folder>
> >
> >This folder corresponds to the "Jetspeed
> >Administrative Portlets" menu item in the 'Folder
> and
> >Pages' menu on the left side of the Portal window.
> >However, it is displayed only when a user with the
> >'manager' role is logged in.
> 
> Correct. It also requires that its contents only be
> visible in the manager
> role as well.
> 
> >3. There also are security-constraints in the .psml
> >files themselves. For example,
> pages/default-page.psml
> >has:
> >  <security-constraints>
> >    <security-constraint>
> >      <users>*</users>
> >      <permissions>view</permissions>
> >    </security-constraint>
> >  </security-constraints>
> 
> Yes, and it is this that enables any user to view
> the default page, no
> matter what the folder that the page belongs to is
> permitted.
> 
> >4. Also, there are <security-ref> defined in the
> >portlet.xml files of individual portlets. For
> example:
> >  <portlet id="RoleSecurityTest">
> >.....
> >   <security-role-ref>
> >      <role-name>Administrator</role-name>
> >      <role-link>admin</role-link>
> >    </security-role-ref>
> >    <security-role-ref>
> >      <role-name>Manager</role-name>
> >      <role-link>manager</role-link>
> >    </security-role-ref>
> >    <security-role-ref>
> >      <role-name>User</role-name>
> >      <role-link>user</role-link>
> >    </security-role-ref>
> >  </portlet>
> >
> >and corresponding <security-roles> are defined in
> the
> >web.xml file of the portlet application:
> ><web-app>
> >....
> >  <security-role>
> >    <description>The admin role</description>
> >    <role-name>admin</role-name>
> >  </security-role>
> >  <security-role>
> >    <description>The manager role</description>
> 
=== message truncated ===
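The rules Randy spells out in the quoted reply (a constraint referenced by <global-security-constraints-ref/> in page.security applies to every document, a page's own <security-constraints> override its folder's, and a folder's constraints cover any content below it that declares none) can be checked against the fragments quoted above. The model below is an added example written for this thread, not Jetspeed code: it assumes a <page-security> root element, constructs a page under /Administrative and a root-level /members.psml page that do not appear in the thread, and omits the root-folder block that Randy says should be commented out in M1.

```python
"""Model of the Jetspeed 2 M1 page-security rules as Randy describes them in this
thread: constraints referenced by <global-security-constraints-ref/> in page.security
apply to every document, a page's own <security-constraints> override its folder's,
and a folder's constraints cover any content below it that has none of its own.
Added example written to illustrate the thread, not Jetspeed code."""
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

# Fragments quoted in the thread. Assumptions: the <page-security> root element,
# the constructed pages /members.psml and /Administrative/admin-page.psml, and the
# omission of the root-folder block Randy says should be commented out in M1.
PAGE_SECURITY = """<page-security>
  <security-constraints-def name="admin">
    <security-constraint><roles>admin</roles><permissions>view, edit</permissions></security-constraint>
  </security-constraints-def>
  <security-constraints-def name="manager">
    <security-constraint><roles>manager</roles><permissions>view</permissions></security-constraint>
  </security-constraints-def>
  <global-security-constraints-ref>admin</global-security-constraints-ref>
</page-security>"""
ROOT_FOLDER = """<folder><security-constraints>
  <security-constraint><users>*</users><permissions>view</permissions></security-constraint>
</security-constraints></folder>"""
ADMIN_FOLDER = """<folder>
  <title>Jetspeed Administrative Portlets</title>
  <!-- allow only manager role -->
  <security-constraints><security-constraints-ref>manager</security-constraints-ref></security-constraints>
</folder>"""
DEFAULT_PAGE = """<page><security-constraints>
  <security-constraint><users>*</users><permissions>view</permissions></security-constraint>
</security-constraints></page>"""
MEMBERS_PAGE = """<page><security-constraints>
  <security-constraint><roles>user</roles><permissions>view</permissions></security-constraint>
</security-constraints></page>"""   # constructed: a root-level page that restricts itself
ADMIN_PAGE = "<page/>"              # constructed: a page under /Administrative with no constraints


def _split(text):
    """'view, edit' -> {'view', 'edit'}; None -> empty set."""
    return {t.strip() for t in (text or "").split(",") if t.strip()}


@dataclass
class Constraint:
    roles: set
    users: set
    permissions: set

    def permits(self, user, roles, permission):
        # '*' in <users> matches everyone, including the anonymous visitor (user=None),
        # which is what Marina observed on the default page before logging in
        principal_ok = "*" in self.users or user in self.users or bool(self.roles & roles)
        return principal_ok and permission in self.permissions


def _parse_constraint(elem):
    return Constraint(_split(elem.findtext("roles")), _split(elem.findtext("users")),
                      _split(elem.findtext("permissions")))


def parse_page_security(xml):
    """Named <security-constraints-def> blocks and the list of global constraints."""
    root = ET.fromstring(xml)
    defs = {d.get("name"): [_parse_constraint(c) for c in d.findall("security-constraint")]
            for d in root.findall("security-constraints-def")}
    global_constraints = [c for ref in root.findall("global-security-constraints-ref")
                          for c in defs[ref.text.strip()]]
    return defs, global_constraints


def parse_document(xml, defs):
    """Inline constraints plus resolved <security-constraints-ref> entries of a folder or page."""
    result = []
    for block in ET.fromstring(xml).findall("security-constraints"):
        result += [_parse_constraint(c) for c in block.findall("security-constraint")]
        for ref in block.findall("security-constraints-ref"):
            result += defs[ref.text.strip()]
    return result


@dataclass
class Site:
    global_constraints: list
    nodes: dict = field(default_factory=dict)   # path -> constraints declared by that node

    def effective(self, path):
        """Global constraints plus the nearest node (the page, then its ancestors) that declares any."""
        applicable = list(self.global_constraints)
        while True:
            if self.nodes.get(path):
                return applicable + self.nodes[path]
            if path == "/":
                return applicable
            path = path.rsplit("/", 1)[0] or "/"   # "/a/b.psml" -> "/a" -> "/"

    def is_permitted(self, path, user, roles, permission):
        return any(c.permits(user, set(roles), permission) for c in self.effective(path))


def build_site():
    defs, global_constraints = parse_page_security(PAGE_SECURITY)
    site = Site(global_constraints)
    for path, xml in {"/": ROOT_FOLDER, "/Administrative": ADMIN_FOLDER,
                      "/default-page.psml": DEFAULT_PAGE, "/members.psml": MEMBERS_PAGE,
                      "/Administrative/admin-page.psml": ADMIN_PAGE}.items():
        site.nodes[path] = parse_document(xml, defs)
    return site


if __name__ == "__main__":
    site = build_site()
    for path, user, roles, perm in [("/default-page.psml", None, [], "view"),
                                    ("/Administrative/admin-page.psml", None, [], "view"),
                                    ("/Administrative/admin-page.psml", "dce-admin", ["manager"], "view"),
                                    ("/default-page.psml", "admin", ["admin"], "edit")]:
        print(f"{perm:5} {path:35} {user or 'anonymous':10} {roles}: "
              f"{site.is_permitted(path, user, roles, perm)}")
```

Running it shows the two behaviours the thread turns on: the anonymous visitor can view /default-page.psml because of the page's own users=* constraint, but cannot view anything under /Administrative, whose folder.metadata reference to the manager definition is inherited by pages that declare nothing themselves; and the admin role can edit every page because the global reference in page.security is added to whatever the page or folder says.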



