[ http://jira.jboss.com/jira/browse/JBPORTAL-1740?page=all ]
Sohil Shah resolved JBPORTAL-1740.
----------------------------------
Resolution: Done
The following two aspects of CMS security are now made configurable:
1/ Ability to configure the CMS super user instead of the built-in admin user. This can be
achieved by the configuration inside portal-cms.sar/META-INF/jboss-service.xml:
<mbean
   code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
   name="portal:service=AuthorizationProvider,type=cms"
   xmbean-dd=""
   xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
   <xmbean/>
   <!--
      NOTE: cmsRootUserName denotes a single Portal user that has access to everything in
      the CMS. Denote this user carefully; it should be synonymous with the 'root' user in a
      Unix system. By default this value is the built-in 'admin' user account. It can be
      changed to any other user account registered in your Portal.
   -->
   <attribute name="CmsRootUserName">admin</attribute>
   <depends optional-attribute-name="IdentityServiceController"
            proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>
</mbean>
2/ The Portal Role that has access to the CMS Security Console for setting up the
permissions on the CMS nodes can now be specified in the following file:
jboss-portal.sar/conf/identity/standardidentity-config.xml
<!-- Common options section -->
<option-group>
   <group-name>common</group-name>
   <option>
      <name>userCtxDN</name>
      <value>ou=People,dc=example,dc=com</value>
   </option>
   <option>
      <name>uidAttributeID</name>
      <value>uid</value>
   </option>
   <option>
      <name>passwordAttributeID</name>
      <value>userPassword</value>
   </option>
   <option>
      <name>roleCtxDN</name>
      <value>ou=Roles,dc=example,dc=com</value>
   </option>
   <option>
      <name>ridAttributeId</name>
      <value>cn</value>
   </option>
   <option>
      <name>roleDisplayNameAttributeID</name>
      <value>cn</value>
   </option>
   <option>
      <name>membershipAttributeID</name>
      <value>member</value>
   </option>
   <option>
      <name>membershipAttributeIsDN</name>
      <value>true</value>
   </option>
   <!-- NOTE: defaultAdminRole is a required option -->
   <option>
      <name>defaultAdminRole</name>
      <value>Admin</value>
   </option>
</option-group>
cms admin portlet checks for hardcoded role named 'admin'
---------------------------------------------------------
Key: JBPORTAL-1740
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1740
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.2 Final
Reporter: Tobias Roth
Assigned To: Sohil Shah
See also http://jira.jboss.com/jira/browse/JBPORTAL-1646
I found another hardcoded use of 'admin'. The effect of having this is that even
with the change I described above, permissions of CMS nodes cannot be changed by users
that are not in a role called 'admin'.
Why does the security console need to have separate access rights? Aren't the access
rights for the CMS admin console enough?
In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:

private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
{
   try
   {
      boolean isAccessible = false;
      if (portletRequest.getUserPrincipal() != null)
      {
         User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
         Set roles = this.membershipModule.getRoles(user);
         if (roles != null)
         {
            for (Iterator itr = roles.iterator(); itr.hasNext();)
            {
               Role role = (Role)itr.next();
               // Hardcoded role name: only members of a role literally named 'admin'
               // (compared case-insensitively) can reach the Security Console.
               if (role.getName().equalsIgnoreCase("admin"))
               {
                  isAccessible = true;
                  break;
               }
            }
         }
      }
      return isAccessible;
   }
   catch (Exception e)
   {
      // Any failure during the lookup (user not found, identity store error) denies access.
      return false;
   }
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
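The two checks made configurable in the resolution (the CmsRootUserName attribute and the
defaultAdminRole option), shown beside the hardcoded check quoted in the report, as an added
example that is not JBoss Portal code. The Role class and MembershipLookup interface are
simplified stand-ins for the portal's identity API (an assumption of this example, not the
real types); the option names come from the issue, and the sample users and roles are
constructed.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Added example, not JBoss Portal code: the hardcoded Security Console check
 * from the report beside a version that reads the role and root user from
 * configuration. Role and MembershipLookup are hypothetical stand-ins.
 */
public class CmsSecurityConsoleAccess {

    /** Hypothetical stand-in for the portal's Role type. */
    public static final class Role {
        private final String name;
        public Role(String name) { this.name = Objects.requireNonNull(name); }
        public String getName() { return name; }
    }

    /** Hypothetical stand-in for the membership module used by the portlet. */
    public interface MembershipLookup {
        /** Returns the roles of the named user, or null if the user is unknown. */
        Set<Role> getRoles(String userName);
    }

    /** Before: the check as posted in the report, with the role name baked in. */
    public static boolean hardcodedCheck(String userName, MembershipLookup membership) {
        try {
            Set<Role> roles = membership.getRoles(userName);
            if (roles == null) return false;
            for (Role role : roles) {
                if (role.getName().equalsIgnoreCase("admin")) { // literal role name
                    return true;
                }
            }
            return false;
        } catch (RuntimeException e) {
            return false; // fail closed, as the original does
        }
    }

    /** After: the role name and the CMS root user come from configuration. */
    public static final class ConfigurableChecker {
        private final String cmsRootUserName; // CmsRootUserName attribute (jboss-service.xml)
        private final String adminRole;       // defaultAdminRole option (standardidentity-config.xml)
        private final MembershipLookup membership;

        public ConfigurableChecker(Map<String, String> options, MembershipLookup membership) {
            // defaultAdminRole is a required option: refuse to start when it is missing
            // instead of silently falling back to a built-in name.
            String role = options.get("defaultAdminRole");
            if (role == null || role.trim().isEmpty()) {
                throw new IllegalStateException("defaultAdminRole option is required");
            }
            String root = options.get("CmsRootUserName");
            if (root == null || root.trim().isEmpty()) {
                throw new IllegalStateException("CmsRootUserName is required");
            }
            this.adminRole = role.trim();
            this.cmsRootUserName = root.trim();
            this.membership = Objects.requireNonNull(membership);
        }

        /** The single CMS super user, analogous to the Unix root user. */
        public boolean isCmsRootUser(String userName) {
            return cmsRootUserName.equals(userName);
        }

        /** Security Console access: configured role, compared case-insensitively like the original. */
        public boolean isSecurityConsoleAccessible(String userName) {
            if (userName == null) return false; // no authenticated principal
            try {
                Set<Role> roles = membership.getRoles(userName);
                if (roles == null) return false;
                for (Role role : roles) {
                    if (role.getName().equalsIgnoreCase(adminRole)) return true;
                }
                return false;
            } catch (RuntimeException e) {
                return false; // lookup failure denies access
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample membership: "alice" holds a site-specific role,
        // "bob" holds the built-in "admin" role.
        Map<String, Set<Role>> table = Map.of(
            "alice", Set.of(new Role("CmsAdmins")),
            "bob", Set.of(new Role("admin")));
        MembershipLookup membership = u -> table.get(u);

        Map<String, String> options = Map.of(
            "defaultAdminRole", "CmsAdmins",
            "CmsRootUserName", "cmsroot");
        ConfigurableChecker checker = new ConfigurableChecker(options, membership);

        System.out.println("hardcoded, alice: " + hardcodedCheck("alice", membership));
        System.out.println("configured, alice: " + checker.isSecurityConsoleAccessible("alice"));
        System.out.println("configured, bob: " + checker.isSecurityConsoleAccessible("bob"));
        System.out.println("root user, cmsroot: " + checker.isCmsRootUser("cmsroot"));
    }
}
```

With the constructed data, the hardcoded check denies alice even though she holds the role the
deployment chose for CMS administration, while the configurable check grants her access and
denies bob, whose 'admin' membership no longer means anything to the CMS. Failing the
constructor when defaultAdminRole is absent mirrors the "required option" note in the
resolution: a missing value surfaces at startup rather than as a silent denial or an
accidental fallback to the old hardcoded name.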