Gang, FYI, here is a quick summary of what David reviewed and committed for me yesterday. As usual, feel free to ask any questions that come to mind!
Randy
----------------------------------------------------------------------

To test:

1. When you start the portal, you should see only the default page and additional links, (no customizer buttons)
2. Log in as user: you should see everything as before except the testsuite page and the Administrative sub directory, (customizer buttons only visible on user pages)
3. Log in as manager: everything should be visible except the testsuite page, (no customizer buttons)
4. Log in as jetspeed: everything should be visible, (no customizer buttons)
5. Log in as admin: everything should be visible, (full customizer buttons)

Notes:

- Both permissions, (JAAS), and constraints, (J1 style), are enabled, (in assembly/page-manager.xml on the CastorXmlPageManager init)
- Both are configured to secure the same entities, except the testsuite page access is specified only in the constraints.
- The permissions are configured in the 4 populate-userinfo sql scripts.
- The constraints are set up in WEB-INF/pages:

  /page.security
  /folder.metadata
  /Administrative/folder.metadata
  /default-page.psml
  /testsuite.psml
  /_user/user/folder.metadata

In addition to the core Security functionality, the following "bonus" changes are in this patch:

- Corrected various page document tags to use lower-dash case instead of lowerCamel case.
- Removed security checks from PageAggregator.
- Deprecated ACL members from page documents and usage in SiteDetailPortlet.java
- Removed logging from FolderPermission in commons.
- Added 403 returns in ProfilerValveImpl for SecurityExceptions
- Added short-title support to pages, (see nested-layout.psml), and decorators/templates.
- Cleaned up SecurityValveImpl to ensure RequestContext Subject is propagated using Subject.doAsPrivileged().
- Added groups to user and jetspeed logins to use for testing purposes.
- Added code in JPT that uses page.checkAccess() to limit customizer page actions.
- Added rollovers for full title display in tigris and jetspeed page layout decorators/templates.

Things that remain to be done:

- Implement view/edit action checks in PageManager for get/new/update/remove APIs.
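The two items above that matter most for security are the Subject propagation via Subject.doAsPrivileged() in SecurityValveImpl and the page.checkAccess() calls that turn a SecurityException into a 403. The following is an added illustration of that pattern, not Randy's patch or Jetspeed's own code: RolePrincipal, Page, render() and subjectWithRoles() are hypothetical stand-ins for the portal's principals, page documents and valve, and the constraint maps are constructed to match the "user / manager / admin" visibility the test steps describe. It uses the JDK APIs of the time (Subject.doAsPrivileged, Subject.getSubject); on JDK 18 and later the replacements are Subject.callAs() and Subject.current(), and from JDK 23 Subject.getSubject(AccessControlContext) throws unless the security manager is allowed.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration, not Jetspeed code: RolePrincipal, Page and render() are
// hypothetical stand-ins for the portal's principals, page documents and valve.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

final class Page {
    private final String path;
    // J1-style constraint: action -> roles allowed to perform it on this page.
    private final Map<String, Set<String>> constraints;

    Page(String path, Map<String, Set<String>> constraints) {
        this.path = path;
        this.constraints = constraints;
    }

    // The Subject is read from the AccessControlContext, not taken as a parameter:
    // it is only present if the caller wrapped this call in Subject.doAsPrivileged(),
    // so a caller cannot satisfy the check by handing in somebody else's Subject.
    void checkAccess(String action) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            throw new SecurityException("no Subject in context for " + path);
        }
        Set<String> allowed = constraints.getOrDefault(action, Set.of());
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            if (allowed.contains(role.getName())) {
                return;
            }
        }
        throw new SecurityException(action + " denied on " + path);
    }
}

public class PageAccessDemo {
    // Stand-in for the valve: run the request under the Subject and map a
    // SecurityException to a 403 instead of letting it escape as a server error.
    static int render(Subject subject, Page page, String action) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Integer>) () -> {
            try {
                page.checkAccess(action);
                return 200;
            } catch (SecurityException e) {
                return 403;
            }
        }, null); // null context: nothing is inherited from the caller's domain stack
    }

    static Subject subjectWithRoles(String... roles) {
        Subject s = new Subject();
        for (String r : roles) {
            s.getPrincipals().add(new RolePrincipal(r));
        }
        s.setReadOnly(); // freeze the principal set before it is used for decisions
        return s;
    }

    public static void main(String[] args) {
        // Constructed constraints mirroring the test steps: everyone sees the default
        // page, only manager/admin see the Administrative folder, only admin edits it.
        Page defaultPage = new Page("/default-page.psml",
            Map.of("view", Set.of("guest", "user", "manager", "admin"),
                   "edit", Set.of("user", "admin")));
        Page adminFolder = new Page("/Administrative/default-page.psml",
            Map.of("view", Set.of("manager", "admin"),
                   "edit", Set.of("admin")));

        Subject guest = subjectWithRoles("guest");
        Subject user = subjectWithRoles("user");
        Subject admin = subjectWithRoles("admin");

        System.out.println("guest view default:  " + render(guest, defaultPage, "view"));
        System.out.println("user view default:   " + render(user, defaultPage, "view"));
        System.out.println("user view admin:     " + render(user, adminFolder, "view"));
        System.out.println("admin edit admin:    " + render(admin, adminFolder, "edit"));

        // Outside doAsPrivileged() no Subject reaches checkAccess(), so it must deny.
        try {
            defaultPage.checkAccess("view");
        } catch (SecurityException e) {
            System.out.println("outside doAsPrivileged: " + e.getMessage());
        }
    }
}
```

The design point worth keeping in mind when reviewing the real valve: because checkAccess() looks the Subject up from the context, every code path that reaches a page (aggregator, customizer actions, the PageManager APIs still listed as to-do) has to run inside the doAsPrivileged() block, otherwise it sees no Subject and denies everything, which is the safe failure but will show up as spurious 403s rather than as a bypass.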