portlet-instances.xml security-constraints are not verified using request.isUserInRole() ---------------------------------------------------------------------------------------- Key: JBPORTAL-1751 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1751 Project: JBoss Portal Issue Type: Bug Security Level: Public (Everyone can see) Components: Portal Security Affects Versions: 2.6.2 Final, 2.6.1 Final Environment: Java JDK 1.4.2 Reporter: Johannes Fiala Assigned To: Julien Viet The implementation which verifies the security of portlet-instances.xml against the user roles currently doesn't seem to use request.isUserInRole(). Fact 1: If you use a role-link in the portlet.xml (to have a role which is not originally created by the Jboss Portal Loginmodule (IdentityLoginModule)) <portlet> ... <security-role-ref> <role-name>PortletUser</role-name> <role-link>User</role-link> </security-role-ref> </portlet> and then use it in the portlet-instances.xml: <instance> ... <security-constraint> <policy-permission> <role-name>PortletUser</role-name> <action-name>view</action-name> </policy-permission> </security-constraint> </instance> </deployment> the portlet instance will not show up. If you use the User-role instead, it works correctly. However, if I do a request.isUserInRole("PortletUser") in the portlet itself, it will always show up as expected. Fact 2: Additionally, it seems the portlet-instances.xml- security check also makes use of the org.jboss.portal.identity.auth.UserPrincipal. I wrote a custom loginmodule and added the "User"-role using my own Principal-class. Again, the portlet instance doesn't show up with my custom loginmodule. If I check it using request.isUserInRole("User"), it shows up correctly. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira