On Apr 20, 2007, at 2:39 PM, Prabhakar, Sushil wrote:
Hi,
Could someone shed some light on how to use permissions and
constraints
together to provide access control to resources( folders/pages.).
Currently we can apply control via the permissions tab or the portal
site manager (using constraints). Does one setting take precedence
over
the other, if so what is the order. Are there any best practices for
using either of them. It's not clear whether one way is preferred over
the other or if they are to be used together or exclusively.
Thanks in advance for your responses and patience with my lack of
understanding.
Sushil
Jetspeed-2 has two kinds of security mechanisms: JAAS-based security
policies, and declarative security constraints
Jetspeed-2 declarative security constraints are applied to portal
resources such as pages, portlets, fragments, folders and links.
You can switch between the two mechanisms by editing the spring
configuration in administration.xml:
<bean id="org.apache.jetspeed.security.SecurityAccessController"
class='org.apache.jetspeed.security.impl.SecurityAccessControllerImpl'>
<constructor-arg index='0'>
<ref bean="org.apache.jetspeed.page.PageManager"/>
</constructor-arg>
<!--
Security Mode:
1 = Permissions = use Jetspeed Java Security Policy
2 = Constraints = use Jetspeed (PageManager) Constraint-
based Security
-->
<constructor-arg index="1">
<value>2</value>
</constructor-arg>
</bean>
Here are the docs are constraints:
http://portals.apache.org/jetspeed-2/guides/guide-security-
declarative-psml.html
and the security policy docs are here:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/
atz-jaas.html
Additionally, with constraints you can define security constraints on
a portlet in the jetspeed-portlet.xml:
<portlet>
<portlet-name>LocaleSelector</portlet-name>
<js:security-constraint-ref>public-view</js:security-
constraint-ref>
</portlet>
