[jboss-user] [JBoss Portal] - Declarative Security and Portlets

karink do-not-reply at jboss.com
Thu Feb 22 08:34:53 EST 2007


Hi,

I just would like to discuss an issue about the portlet specification and security.
Reading the portlet spec again and again there is one issue that I do not really understand:

The chapter "PLT.20.2 Roles" states:
anonymous wrote : The Portlet Specification shares the same definition as roles of the Servlet Specification 2.3, SRV.12.4 Section.

Reading the servlet spec it states:
anonymous wrote : A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of the principal.


So what is meant by this:
Should the portlet container secure access to a portlet by means of declarative security?
How can this be done? Is this a configuration in the web.xml file?
The portlet spec also states in "PLT.3 Relationship with the Servlet Specification":
anonymous wrote : Portlets are not directly bound to a URL

So how can there be a security-constraint in the web.xml without a defined URL?
Reading the JBoss doc I got the impression that securing a portlet is
a portlet container related task (and is done in the admin portlet,
or in the JBoss Portal proprietary deployment descriptor).

Then I come to the next point. When accessing a portlet remotely via
WSRP, how can the portlet then be secured? Currently I do not see a declarative means.

If no declarative security can be used, is it really meant that a portlet developer should always use programmatic security (isUserInRole)?

Regards Karin
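
For reference, the programmatic check (isUserInRole) mentioned in the post, as an added example that is not part of the original message or of JBoss Portal's code. The class name, the role names and the portlet.xml fragment in the comment are assumptions; the check is applied in both the action and the render phase.

```java
import java.io.IOException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

/*
 * Assumed portlet.xml fragment for this portlet (role names are hypothetical):
 *
 *   <security-role-ref>
 *     <role-name>reportViewer</role-name>   <!-- name used in the code -->
 *     <role-link>Managers</role-link>       <!-- role declared in web.xml -->
 *   </security-role-ref>
 */
public class ReportPortlet extends GenericPortlet {

    private static final String REQUIRED_ROLE = "reportViewer";

    // One check shared by both phases, so an action request cannot bypass
    // a restriction that is only applied when rendering.
    private static boolean isAuthorized(PortletRequest request) {
        // getRemoteUser() returns null for unauthenticated requests.
        return request.getRemoteUser() != null
                && request.isUserInRole(REQUIRED_ROLE);
    }

    @Override
    public void processAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (!isAuthorized(request)) {
            throw new PortletSecurityException("role " + REQUIRED_ROLE + " required");
        }
        // Authorized: record the outcome for the following render phase.
        response.setRenderParameter("status", "updated");
    }

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        if (!isAuthorized(request)) {
            response.getWriter().write("<p>Access denied.</p>");
            return;
        }
        response.getWriter().write("<p>Report content.</p>");
    }
}
```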



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4020559#4020559