[ http://jira.jboss.com/jira/browse/JBPORTAL-1740?page=comments#action_1238... ]
Sohil Shah commented on JBPORTAL-1740:
--------------------------------------
Why does the security console need to have separate access rights?
Aren't the access rights for the CMS admin console enough?
No. Not true for all CMS usages. Access to the security console (the one that lets you set up
permissions) must be different from the permission to access the CMS admin console to
modify CMS content.
Typical use case being:
1/ A portal that is set up with very fine permissions to modify CMS content, including
allowing Anonymous users to access publicly accessible CMS documents. Think wiki-like
document sharing capabilities. However, the security console of
the CMS tool should not be accessible to Anonymous users.
I agree that there needs to be flexibility for the end users to specify which Role of
users should be allowed to access the security console instead of the built-in Portal
Admin role. This issue will be fixed in this bug fix in 2.6.3.
For now, you will be able to specify a single Role that can access the security console.
Maybe in a later release we can provide the ability to specify multiple Roles that can get
access to the Security Console.
Thanks for the feedback and the bug report.
Sohil
cms admin portlet checks for hardcoded role named 'admin'
---------------------------------------------------------
Key: JBPORTAL-1740
URL:
http://jira.jboss.com/jira/browse/JBPORTAL-1740
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Reporter: Tobias Roth
Assigned To: Sohil Shah
See also
http://jira.jboss.com/jira/browse/JBPORTAL-1646
I found another hardcoded use of 'admin'. The effect of having this is that even
with the change I described above, permissions of CMS nodes cannot be changed by users
that are not in a role called 'admin'.
Why does the security console need to have separate access rights? Aren't the access
rights for the CMS admin console enough?
In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:
private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
{
   try
   {
      boolean isAccessible = false;
      if (portletRequest.getUserPrincipal() != null)
      {
         User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
         Set roles = this.membershipModule.getRoles(user);
         if (roles != null)
         {
            for (Iterator itr = roles.iterator(); itr.hasNext();)
            {
               Role role = (Role)itr.next();
               // hardcoded role name: only members of 'admin' can reach the security console
               if (role.getName().equalsIgnoreCase("admin"))
               {
                  isAccessible = true;
                  break;
               }
            }
         }
      }
      return isAccessible;
   }
   catch (Exception e)
   {
      return false;
   }
}
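A configurable replacement for the hardcoded check, written as an added example and not JBoss Portal's own code. It assumes the allowed role names arrive as one comma-separated string (for instance from a hypothetical portlet init parameter) and that the caller's role names are collected the way CMSAdminPortlet already does through userModule and membershipModule; it goes beyond the single-role fix planned for 2.6.3 by accepting several roles.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example, not JBoss Portal code. The allow-list replaces the
// equalsIgnoreCase("admin") literal; the init-parameter name that feeds
// the constructor is the deployer's choice and is not part of the page.
public final class SecurityConsoleAccessPolicy
{
   private final Set<String> allowedRoles;

   // Parse a comma-separated init-param value; blank entries are ignored.
   public SecurityConsoleAccessPolicy(String configuredRoles)
   {
      Set<String> roles = new HashSet<String>();
      if (configuredRoles != null)
      {
         for (String name : configuredRoles.split(","))
         {
            String trimmed = name.trim().toLowerCase(); // case-insensitive, like the original check
            if (trimmed.length() > 0) roles.add(trimmed);
         }
      }
      this.allowedRoles = Collections.unmodifiableSet(roles);
   }

   // Fail closed: a missing principal (null role set) or an empty allow-list
   // denies access, so a misconfiguration never silently reopens 'admin'.
   public boolean isAccessible(Collection<String> userRoleNames)
   {
      if (userRoleNames == null || allowedRoles.isEmpty()) return false;
      for (String name : userRoleNames)
      {
         if (name != null && allowedRoles.contains(name.toLowerCase())) return true;
      }
      return false;
   }

   public static void main(String[] args)
   {
      // Constructed sample configuration and role sets for a local run.
      SecurityConsoleAccessPolicy policy = new SecurityConsoleAccessPolicy("cms-security, admin");
      System.out.println("cms-security member: " + policy.isAccessible(Arrays.asList("user", "CMS-Security")));
      System.out.println("plain user: " + policy.isAccessible(Arrays.asList("user")));
      System.out.println("no roles configured: " + new SecurityConsoleAccessPolicy("").isAccessible(Arrays.asList("admin")));
   }
}
```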
--
This message is automatically generated by JIRA.