Re: [J2] Security - Specifying the policies

Randy Watler Thu, 25 Aug 2005 17:12:11 -0700

Prashanth,

The portal does not enforce portlet level security, (neither permissionsnor constraints). We have discussed this and have opted to stay thecourse for now since we are not sure how to implement this functionalityand how it should interoperate with the portlet API. As you know, thereare standard portlet API mechanisms that enable the portlet to performsecurity checks and handle access errors in their own way.

Of course, feedback is welcome. If you feel that this functionality isrequired at the portal level, feel free to create a JIRA issue thatdescribes how you feel the portal should interpret access violations forview and edit actions. This has come up before... so I for one willconsider your proposal.


Randy

Prashanth Gujjeti wrote:

Randy/David and others,
 I enabled Permissions security model (along with constraints security)
and added an entry for PortletPermission with 'view' access on a portlet
- ClientStruts - in the SECURITY_PERMISSION table. I assigned this

permission to the principal "user" in PRINCIPAL_PERMISSION.

+---------------+------------------------------------------------+------
----------------------------+------------+---------------------+--------
-------------+
| PERMISSION_ID | CLASSNAME                                      | NAME
| ACTIONS    | CREATION_DATE       | MODIFIED_DATE       |
+---------------+------------------------------------------------+------
----------------------------+------------+---------------------+--------
-------------+
|            16 | org.apache.jetspeed.security.PortletPermission |
ClientStruts                     | view       | 2005-08-25 23:16:20 |
2005-08-25 21:20:29 |
+---------------+------------------------------------------------+------
----------------------------+------------+---------------------+--------
-------------+

The user "user" has a PSML page which contains this portlet

       <fragment id="dp-9-clientstruts" type="portlet"
name="client::ClientStruts">
           <property name="row" value="0" layout="TwoColumns"/>
           <property name="column" value="1" layout="TwoColumns"/>
       </fragment>

And the portlet itself has view, help, and edit modes (in portlet.xml)

   <supports>
     <mime-type>text/html</mime-type>
     <portlet-mode>VIEW</portlet-mode>
     <portlet-mode>HELP</portlet-mode>
     <portlet-mode>EDIT</portlet-mode>
   </supports>

Yet, when the user "user" logs in, the "Edit" button is still enabled. I
tried various combinations, including disabling the Constraints security
model, but with no positive result. I tried Folder/page level security
based on the Permissions Security model, and that seems to be working.
Any ideas?

Thanks,
Prashanth



-----Original Message-----

From: Randy Watler [mailto:[EMAIL PROTECTED]Sent: Thursday, August 25, 2005 12:54 PM

To: Jetspeed Users List
Subject: Re: [J2] Security - Specifying the policies

Prashanth,

There are two security models available... see this in page-manager.xml:

<bean id="org.apache.jetspeed.page.PageManager"
name="pageManager"
class="org.apache.jetspeed.page.impl.CastorXmlPageManager">
<constructor-arg index="0"><ref bean="IdGenerator"/></constructor-arg>
<constructor-arg index="1"><ref
bean="DocumentHandlerFactory"/></constructor-arg>
<constructor-arg index="2"><ref bean="FolderHandler"/></constructor-arg>
<constructor-arg index="3"><ref bean="PageFileCache"/></constructor-arg>
<!-- permissions security enabled flag, default=false -->
<constructor-arg index="4"><value>false</value></constructor-arg>
<!-- constraints security enabled flag, default=true -->
<constructor-arg index="5"><value>true</value></constructor-arg>
</bean>

You will want to disable the constraints, (PSML), and enable the
permissions, (java.security/FilePermission). Then, look here in
populate-userinfo-for-default-psml.sql:

INSERT INTO SECURITY_PERMISSION

VALUES(1,'org.apache.jetspeed.security.FolderPermission','<<ALLFILES>>','view, edit','2004-05-22 16:27:12.572','2004-05-22FILES>>16:27:12.572');

INSERT INTO SECURITY_PERMISSION

VALUES(2,'org.apache.jetspeed.security.FolderPermission','<<ALLFILES>>','view','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572');

INSERT INTO SECURITY_PERMISSION
VALUES(3,'org.apache.jetspeed.security.FolderPermission','/','view','200
4-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(4,'org.apache.jetspeed.security.FolderPermission','/*','view','20
04-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(5,'org.apache.jetspeed.security.FolderPermission','/non-java/-','
view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(6,'org.apache.jetspeed.security.FolderPermission','/third-party/-
','view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(7,'org.apache.jetspeed.security.FolderPermission','/Public','view
,
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(8,'org.apache.jetspeed.security.FolderPermission','/Public/-','vi
ew,
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(9,'org.apache.jetspeed.security.FolderPermission','/anotherdir/-'
,'view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(10,'org.apache.jetspeed.security.FolderPermission','/top-links/-'
,'view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(11,'org.apache.jetspeed.security.PagePermission','/default-page.p
sml','view','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(12,'org.apache.jetspeed.security.PagePermission','/rss.psml','vie
w','2004-05-22
16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(13,'org.apache.jetspeed.security.FolderPermission','/_user/user',
'view,
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
SECURITY_PERMISSION
VALUES(14,'org.apache.jetspeed.security.FolderPermission','/_user/user/-
','view,
edit','2004-05-22 16:27:12.572','2004-05-22 16:27:12.572'); INSERT INTO
PRINCIPAL_PERMISSION VALUES(3,13); INSERT INTO PRINCIPAL_PERMISSION
VALUES(3,14); INSERT INTO PRINCIPAL_PERMISSION VALUES(6,1); INSERT INTO
PRINCIPAL_PERMISSION VALUES(7,2); INSERT INTO PRINCIPAL_PERMISSION
VALUES(8,3); INSERT INTO PRINCIPAL_PERMISSION VALUES(8,4); INSERT INTO
PRINCIPAL_PERMISSION VALUES(8,5); INSERT INTO PRINCIPAL_PERMISSION
VALUES(8,6); INSERT INTO PRINCIPAL_PERMISSION VALUES(8,8); INSERT INTO
PRINCIPAL_PERMISSION VALUES(8,9); INSERT INTO PRINCIPAL_PERMISSION
VALUES(8,10); INSERT INTO PRINCIPAL_PERMISSION VALUES(10,3); INSERT INTO
PRINCIPAL_PERMISSION VALUES(10,7); INSERT INTO PRINCIPAL_PERMISSION
VALUES(10,8); INSERT INTO PRINCIPAL_PERMISSION VALUES(10,11); INSERT
INTO PRINCIPAL_PERMISSION VALUES(10,12);

This attempts to set similar permissions to the constraints in the PSML
for the demo site. Note that the two models differ slightly and the
constraint model has a few features that cannot be supported here.

HTH,

Randy

Prashanth Gujjeti wrote:

Hi all,
We are trying to hook-up our own custom security valve into the
Jetspeed2 pipeline to bypass the J2's authentication mechanism assuggested in the forums. We created the Security Valve and we are ableto bypass the authentication successfully. Thanks a bunch to Randy andothers who answered our previous queries.
However, I have a couple of questions regarding the authorizationpolicies. How do we define Security permissions, say for a role? Oneway to accomplish this is through the PSML pages/folder metadata/global

security preferences. But, how do we define a policy that defines thesecurity preferences based on a Principal (role/group/user). Here iswhat I could figure out from J2's schema:
- SECURITY_PRINCIPAL defines roles, groups, and users.
- SECURITY_PERMISSION defines security permissions (on folders, andpages. I didn't find any for portlets)
- PRINCIPAL_PERMISSION relates the principals and permissionseffectively providing different permissions based on role/user/group
How could we add permission entries to these tables (effectivelydefining policies per user/group/role)? And how would these permissions

aggregate. i.e. If a given user's principals (user/role/geoup) haveconflicting permissions, which one would take precedence?
Essentially, we are trying to create a security policy based on theprincipals, rather than having to manage the distributed securityconstraints under the various PSML/folder.metadata files. The securitydesign-doc -{JETSPEED-SRC}/design-docs/src/security/SecurityDesignNotes.txt -mentions something about granting principals:
###########
grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
permission o.a.j.security.PagePermission "mypage", "view";
permission o.a.j.security.PortletPermission "myportlet","view,edit,minimize,maximize";
permission o.a.j.security.TabPermission "mytab", "view";
};###########
Where do we define these security policies/prinicipals? I am notwell-versed with JAAS - so please excuse my ignorance, if thesequestions are too fundamental. I could provide more details, ifrequired.
Your comments/answers are much appreciated.

Thanks
- Prashanth

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [J2] Security - Specifying the policies

Reply via email to