Security for Portlet State (customize, maximize, minimize, close) not working

2002-05-22 Thread Glenn Golden
Define the role "user" permissions in the admin interface - leave only "view" checked. Portlets for a user (the user has role "user" only) still have minimize, maximize, close, configure icons. When VelocityPortletContril.buildActionList() checks permissions: StateFullPortletWrapper.allowCustom

RE: Security for Portlet State (customize, maximize, minimize, close) not working

2002-05-22 Thread David Sean Taylor
> -Original Message- > From: Glenn Golden [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, May 22, 2002 7:23 AM > To: Jetspeed-Dev ([EMAIL PROTECTED]) > Subject: Security for Portlet State (customize, maximize, > minimize, close) not working > > > Define the role "user" permissions in t

RE: Security for Portlet State (customize, maximize, minimize, close) not working

2002-05-22 Thread Glenn Golden
Further thoughts... We seem to have two conflicting security definition mechanisms: * * * 1) From the admin interface, one can define roles and assign them to users. The roles contain a set of permissions for the user. * * * 2) From the jr.p config file, one can define default permissions: s

Proposal

2002-05-22 Thread Glenn Golden
We have this clever feature that if there are some number of unsuccessful login attempts over a time period, we disable the account. This is a VERY BAD FEATURE! With a feature like this, if I know your login id, I can quickly disable your account. I suggest we remove it. Call for a vote. - Gl

RE: Proposal

2002-05-22 Thread David Sean Taylor
-1. It's optional. If you don't like it, turn it off. > -Original Message- > From: Glenn Golden [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, May 22, 2002 9:50 AM > To: Jetspeed-Dev ([EMAIL PROTECTED]) > Subject: Proposal > > > We have this clever feature that if there are some number o

Re: Security for Portlet State (customize, maximize, minimize, close) not working

2002-05-22 Thread Paul Spencer
Glenn Golden wrote: > Define the role "user" permissions in the admin interface - leave only > "view" checked. > > Portlets for a user (the user has role "user" only) still have minimize, > maximize, close, configure icons. > > When VelocityPortletContril.buildActionList() checks permissions:

RE: Proposal

2002-05-22 Thread Johnson, Tom
-1 This feature is important for sites controlling access to sensitive data. Without a feature like this, if I know your login id, I can conduct a brute force attack with endless password combinations until I gain access to the account. I would rather have my account temporarily disabled than, fo

RE: Security for Portlet State (customize, maximize, minimize, close) not working

2002-05-22 Thread Glenn Golden
So, why is the code ignoring the ACL and using the default? Look at the code (JetspeedDBSecurity.checkPermission() (line 234)) and see! The ACL is in the rundata and has good stuff. The default permissions are set up from the jr.p. Everything is fine, except for the code which is ignoring the ACL.

Re: Proposal

2002-05-22 Thread Endre Stølsvik
| We have this clever feature that if there are some number of unsuccessful | login attempts over a time period, we disable the account. | | This is a VERY BAD FEATURE! With a feature like this, if I know your login | id, I can quickly disable your account. | | I suggest we remove it. Call for a

Re: Proposal

2002-05-22 Thread Paul Spencer
If I know your login, then I, via a script or program, could keep trying passwords until I successfully logged in. This can be BAD! That is why most OSes will lock an account based on failed login attempts. The JR.p parameters that control when an account is locked out, based on failed attempts, a

cvs commit: jakarta-jetspeed/xdocs usejetspeed.xml

2002-05-22 Thread kimptoc
kimptoc 02/05/22 11:50:29 Modified: xdocs usejetspeed.xml Log: add some powered by jetspeed sites Revision Changes Path 1.9 +18 -5 jakarta-jetspeed/xdocs/usejetspeed.xml Index: usejetspeed.xml

RE: Proposal

2002-05-22 Thread Glenn Golden
I agree password attacks are a problem, but our solution is a bad one. Our solution makes it much too easy to do damage. Perhaps there's another solution. I say we get rid of this one. +1 - Glenn Glenn R. Golden, Systems Research Programmer Unive

RE: Proposal

2002-05-22 Thread Chris Kimpton
Hi, --- Glenn Golden <[EMAIL PROTECTED]> wrote: > I agree password attacks are a problem, but our solution is a bad > one. Our > solution makes it much too easy to do damage. Perhaps there's > another > solution. > > I say we get rid of this one. > > +1 > Whoa - if you're suggesting remove it

cvs commit: jakarta-jetspeed/webapp/WEB-INF/templates/vm/layouts/html content.vm default.vm

2002-05-22 Thread kimptoc
kimptoc 02/05/22 12:39:44 Modified: webapp/WEB-INF/templates/jsp/layouts/html default.jsp webapp/WEB-INF/templates/jsp/layouts/html/de default.jsp webapp/WEB-INF/templates/jsp/layouts/html/en default.jsp webapp/WEB-INF/templates/vm/layouts/htm

JSR 168 - Portlet API

2002-05-22 Thread Endre Stølsvik
Hi! You mentioned that you'd try to make a weekly "progress report" about the Portlet API standardization. I'm simply _dying_ to know how this process is coming along..! Endre.

Re: Proposal

2002-05-22 Thread Jeff Marshall
I vote to keep it. In the financial arena, there are many concerns with who has access (Patriot Act); having a lockout mechanism eases some concerns. DDoS is always going to be a problem. Jeff Glenn Golden wrote: >We have this clever feature that if there are some number of unsuccessful >log

RE: Proposal

2002-05-22 Thread Todd Kuebler
I believe you can disable this feature if you don't like it, and many have expressed the need to have account lockout on multiple login failures. I do agree with you about DOS attacks. Could your solution to that problem concentrate on addressing the DOS concern without removing the valid pa

Template choice based on browser type

2002-05-22 Thread Todd Kuebler
I've encountered a problem with the current Jetspeed and Netscape 4.7x regarding deeply nested tables and CSS causing Netscape to freeze and/or crash. After browsing through the jetspeed-users group I can see this is a known problem. Unfortunately for me Netscape 4.76 is the official corpor

Re: Template choice based on browser type

2002-05-22 Thread Todd Kuebler
Ah, just found JetspeedTemplateLocatorService. Duh. Guess the easiest path would be an implementation of TemplateLocatorService that includes yet another directory based on browser type. Is this the right approach? Are the template directory structure and templates loaded at runtime and ca

RE: Template choice based on browser type

2002-05-22 Thread David Sean Taylor
Look at org.apache.jetspeed.services.template.JetspeedTemplateLocatorService, shouldn't be too hard to get the fallback working there (I think, been a while since I looked) > vm/layouts/html/en/default_netscape.vm Why not make a proposal to change the search path to include the browser i.e: /

RE: Template choice based on browser type

2002-05-22 Thread David Sean Taylor
> -Original Message- > From: Todd Kuebler [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, May 22, 2002 2:55 PM > To: Jetspeed Developers List; Jetspeed Developers List > Subject: Re: Template choice based on browser type > > > > Ah, just found JetspeedTemplateLocatorService. duh. Gue

Proposal: Template Locator search path includes browser type

2002-05-22 Thread Todd Kuebler
I propose we change the search path of the jetspeed template locator service to include browser directories. The changes will be made to the current JetspeedTemplateLocatorService. The search path algorithm would be the same as now, with the addition of the browser directory if there is at l

cvs commit: jakarta-jetspeed/webapp/WEB-INF/templates/vm/controllers/html row-customize.vm flow-customize.vm column-customize.vm card-customize.vm

2002-05-22 Thread ggolden
ggolden 02/05/22 20:23:42 Modified: webapp/WEB-INF/templates/vm/controllers/html row-customize.vm flow-customize.vm column-customize.vm card-customize.vm Log: changed some $link and older $jslink to the latest $jslink.getAction(action

cvs commit: jakarta-jetspeed/proposals Security.txt

2002-05-22 Thread taylor
taylor 02/05/22 23:40:13 Added: proposals Security.txt Log: YASP! Yet another security proposal. Reviewed by Busby. http://www.bluesunrise.com/busby.inc/Certified-Busby.JPG Revision Changes Path 1.1 jakarta-jetspeed/proposals/Security.txt Ind

RE: Proposal: Template Locator search path includes browser type

2002-05-22 Thread David Sean Taylor
Todd, it sounds good. Just wondering how you know if you are at a 'browser' level directory, or language level? Could you check for the 'browser' specific directories first? Anyway, it's an implementation detail. +1 on the enhancement David > -Original Message- > From: Todd Kuebler [m

Re: Jetspeed question

2002-05-22 Thread Chris Kimpton
Hi Glenn, [I've cc'd the DEV list] I forgot that I made that change... I think I was probably just being consistent with the other stuff that seemed to use the INFO link to customize a portlet. I would agree that it looks like a bug - especially as you're looking to fix the place I was being con

YASP! yet another security proposal

2002-05-22 Thread David Sean Taylor
Well, there have already been two proposals today. Sorry, but I'm jumping on the bandwagon with a third. You can find it in the cvs under /proposals/security.txt, also included here. Look forward to your comments. David -