[jboss-user] [JBoss Portal] - Re: isUserInRole(String role) doesn't work

Antoine_h do-not-reply at jboss.com
Tue Apr 17 05:23:43 EDT 2007


Hello,

An old topic, but I still have the same need.

The spec is nice.
--------------------------------------------------------------------------
It allows the portlet to know what features it provides, and which of its portlet roles are needed for those.
Then the portlet declaration allows mapping the application roles (user roles) to these feature-specific roles.

example :
Portlet has two features : 
delete some record, with role authorization PRoleA
create a business process, with role authorization PRoleB
all other features are allowed to PRoleC

Then, the mapping of roles allows, for use of this portlet in any application (portal), the user roles to be mapped to these three "portlet features roles".
As : URole_Admin to PRoleA, PRoleB, PRoleC
URole_BP_Manager to PRoleB, PRoleC
URole_Editor to PRoleA, PRoleC
and so on...

Advantages :
Decoupling of roles, between "portlet features roles" and application user roles.
Allows providing a portlet to "others" without knowing the user roles in the application/portal.
Nice.
--------------------------------------------------------------------------

But it is quite heavy to manage. It forces one to declare explicitly all roles that must be available inside the portlet.

Use Case 
--------------------------------------------------------------------------
20 to 30 roles
15 to 30 portlets
to manage either :
 - internal users features (admin, manager, editor, data validator, hotliner for user), 
 - and external user features (visitor, logged-in user of customer type A, logged-in manager of customer type A, ... for customer type B and C).

And in the situation where portlets are dedicated to this application: i.e., there is identity between portlet features roles and application user roles.
Example: they are developed specifically for this application.
--------------------------------------------------------------------------
Then, the decoupling is a heavy overhead.
The descriptors become a huge XML file repeating the associations of roles, always the same. (30 portlets x 30 role-ref items!)
Maintenance and evolution are heavy, and bug-generating.

Proposition :
--------------------------------------------------------------------------
To allow defining identity of roles, for a bunch of them.
Using a regular expression, or at least wildcards.
<security-role-ref>
  <role-name>*</role-name>
  <role-link>*</role-link>
</security-role-ref>
--------------------------------------------------------------------------

This would lighten the constraint of declaring everything explicitly, while preserving the nice decoupling capability (for commercial portlets, etc.).

Question 1:
How to send this request to the spec definition group?

Question 2:
How to work around this for the time being?

What class is responsible for reading the descriptor and setting the roles visible in the portlets?

To overload it, knowing it is not JSR-168 compliant...

Thanks,


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4037894#4037894
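
The maintenance burden described in the message above (many portlets, each repeating the same security-role-ref entries) can be checked mechanically. The following is an added example, not part of the original post and not JBoss Portal code: a Python audit of a portlet.xml for the identity-mapping case, reporting application roles that a portlet never declares and role-link values that name no application role. The sample descriptor, the role set and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed portlet.xml (not from the post). ProcessPortlet has a typo in
# one role-link and declares no reference for URole_Editor.
SAMPLE = """<portlet-app>
  <portlet>
    <portlet-name>RecordsPortlet</portlet-name>
    <security-role-ref><role-name>URole_Admin</role-name><role-link>URole_Admin</role-link></security-role-ref>
    <security-role-ref><role-name>URole_BP_Manager</role-name></security-role-ref>
    <security-role-ref><role-name>URole_Editor</role-name><role-link>URole_Editor</role-link></security-role-ref>
  </portlet>
  <portlet>
    <portlet-name>ProcessPortlet</portlet-name>
    <security-role-ref><role-name>URole_Admin</role-name><role-link>URole_Admin</role-link></security-role-ref>
    <security-role-ref><role-name>URole_BP_Manager</role-name><role-link>URole_BP_Manger</role-link></security-role-ref>
  </portlet>
</portlet-app>"""

APP_ROLES = {"URole_Admin", "URole_BP_Manager", "URole_Editor"}  # constructed


def audit_role_refs(xml_text, app_roles):
    """Return {portlet-name: {"missing": [...], "dangling": [...]}}.

    missing  = application roles with no security-role-ref in that portlet
    dangling = role-link values that name no application role
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():          # drop any XML namespace prefix on tags
        el.tag = el.tag.split("}")[-1]
    report = {}
    for portlet in root.iter("portlet"):
        declared, dangling = set(), set()
        for ref in portlet.iter("security-role-ref"):
            name = (ref.findtext("role-name") or "").strip()
            # Without a role-link, the role-name itself is the role checked.
            link = (ref.findtext("role-link") or name).strip()
            declared.add(name)
            if link not in app_roles:
                dangling.add(link)
        report[portlet.findtext("portlet-name").strip()] = {
            "missing": sorted(app_roles - declared),
            "dangling": sorted(dangling),
        }
    return report


if __name__ == "__main__":
    for name, result in audit_role_refs(SAMPLE, APP_ROLES).items():
        print(name, result)
```

Run against every deployed descriptor in a build step, a non-empty "missing" or "dangling" list flags a portlet whose role checks no longer line up with the application's roles.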
