That's great, thanks! I had read the guide to declarative security, and in its otherwise very clear and detailed explanations it doesn't note that render time checking is disabled by default for portlets. Neither does the portlet registry guide, unless it escaped me.
I think most people would assume that Jetspeed enforces *all* your security declarations by default. Maybe someone could paste the relevant part of the email into the documentation? In the declarative security guide there are nice paragraphs about securing pages and fragments, and a note that enforcement is on by default - a similar paragraph for portlets would save people puzzlement. Apologies if there is one and I've just missed it.

----- ORIGINAL MESSAGE -----
From: "David Sean Taylor" <[email protected]>
To: "Jetspeed Users List" <[email protected]>
Subject: Re: Security constraints working, at portlet/portlet app
Date: 8.2.2010 - 21:57:10

> On Sun, Feb 7, 2010 at 4:51 PM, <[email protected]> wrote:
>
> > Is security constraint enforcement implemented for portlets?
>
> Yes. This question was answered on Jan 21, 2010, I will re-paste it in:
>
> Finally, as a last resort/catch-all handling, you can also enforce security
> constraints checking at render time.
>
> If enabled (default: false), a portlet which is not accessible to be viewed
> by the user, regardless of the current page or fragment, will not be rendered
> and an "Access Denied" error message will be rendered instead.
> To enable this feature, you'll have to change a Spring configuration setting
> in WEB-INF/assembly/aggregation.xml.
> Find bean with id="org.apache.jetspeed.aggregator.PortletRenderer" and
> change the 4th constructor-arg element from false -> true
> (see also inline comment in the bean definition)
>
> <!-- Portlet Renderer -->
> <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
>       class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
>       init-method="start" destroy-method="stop">
>   <meta key="j2:cat" value="default" />
>   <constructor-arg>
>     <ref bean="org.apache.pluto.PortletContainer" />
>   </constructor-arg>
>   <constructor-arg>
>     <ref bean="org.apache.jetspeed.aggregator.WorkerMonitor" />
>   </constructor-arg>
>   <constructor-arg>
>     <ref bean="PortalStatistics" />
>   </constructor-arg>
>   <constructor-arg>
>     <ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager" />
>   </constructor-arg>
>   <!-- flag indicating whether to check jetspeed-portlet.xml security constraints
>        before rendering a portlet. If security check fails, do not display
>        portlet content
>   -->
>   <constructor-arg type="boolean">
>     <value>true</value>
>   </constructor-arg>
>   <constructor-arg>
>     <ref bean="org.apache.jetspeed.security.SecurityAccessController" />
>   </constructor-arg>
>   <constructor-arg>
>     <ref bean="portletContentCache" />
>   </constructor-arg>
> </bean>
>
> NOTE: The Portlet Selector filters out portlets based on security constraint
> checks as well
