Author: sohil.shah(a)jboss.com
Date: 2007-11-28 02:59:55 -0500 (Wed, 28 Nov 2007)
New Revision: 9149
Modified:
docs/branches/JBoss_Portal_Branch_2_6/referenceGuide/en/modules/security.xml
Log:
Updated CMS security documentation
Modified: docs/branches/JBoss_Portal_Branch_2_6/referenceGuide/en/modules/security.xml
===================================================================
---
docs/branches/JBoss_Portal_Branch_2_6/referenceGuide/en/modules/security.xml 2007-11-28
07:58:20 UTC (rev 9148)
+++
docs/branches/JBoss_Portal_Branch_2_6/referenceGuide/en/modules/security.xml 2007-11-28
07:59:55 UTC (rev 9149)
@@ -184,105 +184,123 @@
The configuration for the CMS Security service is specified in the
<literal>jboss-portal.sar/portal-cms.sar/META-INF/jboss-service.xml</literal>
file. The portion of the configuration relevant for securing the CMS
service is listed as follows:
- <programlisting><![CDATA[<!-- interceptor factory where all cms
interceptors are registered -->
-<mbean
- code="org.jboss.portal.server.impl.invocation.JBossInterceptorStackFactory"
- name="portal:service=InterceptorStackFactory,type=Cms" xmbean-dd=""
- xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
- <xmbean />
- <depends-list optional-attribute-name="InterceptorNames">
- <depends-list-element>
- portal:service=Interceptor,type=Cms,name=ACL
- </depends-list-element>
- <depends-list-element>
- portal:service=Interceptor,type=Cms,name=ApprovalWorkflow
- </depends-list-element>
- </depends-list>
-</mbean>
-
-<!-- CMS Authorization Security Service -->
-<mbean code="org.jboss.portal.cms.security.AuthorizationManagerImpl"
- name="portal:service=AuthorizationManager,type=cms" xmbean-dd=""
- xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
- <xmbean />
- <attribute name="JNDIName">
- java:portal/cms/AuthorizationManager
- </attribute>
- <depends optional-attribute-name="Provider"
- proxy-type="attribute">
- portal:service=AuthorizationProvider,type=cms
- </depends>
-</mbean>
-<mbean code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
- name="portal:service=AuthorizationProvider,type=cms" xmbean-dd=""
- xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
- <xmbean />
- <depends optional-attribute-name="IdentityServiceController"
- proxy-type="attribute">
- portal:service=Module,type=IdentityServiceController
- </depends>
-</mbean>
-
-<!-- ACL Security Interceptor -->
-<mbean code="org.jboss.portal.cms.impl.interceptors.ACLInterceptor"
- name="portal:service=Interceptor,type=Cms,name=ACL" xmbean-dd=""
- xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
- <xmbean />
- <attribute name="JNDIName">
- java:/portal/cms/ACLInterceptor
- </attribute>
- <attribute name="CmsSessionFactory">
- java:/portal/cms/CMSSessionFactory
- </attribute>
- <attribute name="IdentitySessionFactory">
- java:/portal/IdentitySessionFactory
- </attribute>
- <attribute name="DefaultPolicy">
- <policy>
- <!-- permissions on the root cms node -->
- <criteria name="path" value="/">
- <permission name="cms" action="read">
- <role name="Anonymous" />
- </permission>
- <permission name="cms" action="write">
- <role name="User" />
- </permission>
- <permission name="cms" action="manage">
- <role name="Admin" />
- </permission>
- </criteria>
- <!-- permissions on the default cms node -->
- <criteria name="path" value="/default">
- <permission name="cms" action="read">
- <role name="Anonymous" />
- </permission>
- <permission name="cms" action="write">
- <role name="User" />
- </permission>
- <permission name="cms" action="manage">
- <role name="Admin" />
- </permission>
- </criteria>
- <!-- permissions on the private/protected node -->
- <criteria name="path" value="/default/private">
- <permission name="cms" action="manage">
- <role name="Admin" />
- </permission>
- </criteria>
- </policy>
- </attribute>
- <depends optional-attribute-name="AuthorizationManager"
- proxy-type="attribute">
- portal:service=AuthorizationManager,type=cms
- </depends>
- <depends>portal:service=Hibernate,type=CMS</depends>
- <depends>
- portal:service=Module,type=IdentityServiceController
- </depends>
-</mbean>]]>
- </programlisting>
+ <programlisting>
+ <![CDATA[
+ <!-- CMS Authorization Security Service -->
+ <mbean
+ code="org.jboss.portal.cms.security.AuthorizationManagerImpl"
+ name="portal:service=AuthorizationManager,type=cms"
+ xmbean-dd=""
+
xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
+ <xmbean/>
+ <attribute
name="JNDIName">java:portal/cms/AuthorizationManager</attribute>
+ <depends optional-attribute-name="Provider"
proxy-type="attribute">
+ portal:service=AuthorizationProvider,type=cms
+ </depends>
+ </mbean>
+ <mbean
+ code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
+ name="portal:service=AuthorizationProvider,type=cms"
+ xmbean-dd=""
+
xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
+ <xmbean/>
+ <!--
+ NOTE: cmsRootUserName denotes a single Portal user that has access to
everything in the CMS. Denote this user
+ carefully and should be synonymous to the 'root' user in a Unix system.
By default: this value is the built-in
+ 'admin' user account. This can be changed to any other user account
registered in your Portal
+ -->
+ <attribute name="CmsRootUserName">admin</attribute>
+ <depends optional-attribute-name="IdentityServiceController"
proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>
+ </mbean>
+ <!-- ACL Security Interceptor -->
+ <mbean
+ code="org.jboss.portal.cms.impl.interceptors.ACLInterceptor"
+ name="portal:service=Interceptor,type=Cms,name=ACL"
+ xmbean-dd=""
+
xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
+ <xmbean/>
+ <attribute
name="JNDIName">java:/portal/cms/ACLInterceptor</attribute>
+ <attribute
name="CmsSessionFactory">java:/portal/cms/CMSSessionFactory</attribute>
+ <attribute
name="IdentitySessionFactory">java:/portal/IdentitySessionFactory</attribute>
+ <attribute name="DefaultPolicy">
+ <policy>
+ <!-- permissions on the root cms node -->
+ <criteria name="path" value="/">
+ <permission name="cms" action="read">
+ <role name="Anonymous"/>
+ </permission>
+ <permission name="cms" action="write">
+ <role name="User"/>
+ </permission>
+ <permission name="cms" action="manage">
+ <role name="Admin"/>
+ </permission>
+ </criteria>
+ <!-- permissions on the default cms node -->
+ <criteria name="path" value="/default">
+ <permission name="cms" action="read">
+ <role name="Anonymous"/>
+ </permission>
+ <permission name="cms" action="write">
+ <role name="User"/>
+ </permission>
+ <permission name="cms" action="manage">
+ <role name="Admin"/>
+ </permission>
+ </criteria>
+ <!-- permissions on the private/protected node -->
+ <criteria name="path" value="/default/private">
+ <permission name="cms" action="manage">
+ <role name="Admin"/>
+ </permission>
+ </criteria>
+ </policy>
+ </attribute>
+ <depends optional-attribute-name="AuthorizationManager"
proxy-type="attribute">
+ portal:service=AuthorizationManager,type=cms
+ </depends>
+ <depends>portal:service=Hibernate,type=CMS</depends>
+
<depends>portal:service=Module,type=IdentityServiceController</depends>
+ </mbean>]]>
+ </programlisting>
</para>
- </sect2>
+ <sect3 id="security.security_cms_configuration_superuser">
+ <title>CMS Super User</title>
+ <para>
+ A CMS Super User is a designated Portal User Account that has access to all
resources/functions in the CMS. It is a concept similar to the
+ super user concept in a Linux/Unix security system. This account should be
carefully used and properly protected. By default, JBoss Portal designates the
+ built-in 'admin' user account as a CMS Super User. This can be changed
by modifying the <emphasis>cmsRootUserName</emphasis> value in the
+
<literal>jboss-portal.sar/portal-cms.sar/META-INF/jboss-service.xml</literal>
configuration.
+ <programlisting>
+ <![CDATA[
+ <mbean
+ code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
+ name="portal:service=AuthorizationProvider,type=cms"
+ xmbean-dd=""
+
xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
+ <xmbean/>
+ <!--
+ NOTE: cmsRootUserName denotes a single Portal user that has access to
everything in the CMS. Denote this user
+ carefully and should be synonymous to the 'root' user in a Unix system.
By default: this value is the built-in
+ 'admin' user account. This can be changed to any other user account
registered in your Portal
+ -->
+ <attribute name="CmsRootUserName">admin</attribute>
+ <depends optional-attribute-name="IdentityServiceController"
proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>
+ </mbean>
+ ]]>
+ </programlisting>
+ </para>
+ </sect3>
+ <sect3 id="security.security_cms_configuration_securityconsole">
+ <title>CMS Security Console</title>
+ <para>
+ The CMS Security Console is used to assign proper permissions to all the
nodes/content in the CMS. Besides protection on CMS content, this console itself
+ needs to be secured against unauthorized acceess. Currently, the console can be
accessed only by Portal users that are members of the specified Role. By default,
+ JBoss Portal uses the built-in <emphasis>Admin</emphasis> role to
allow access to this security console. This can be customized by modifying the value of
+ <emphasis>defaultAdminRole</emphasis> option specified in
<literal>jboss-portal.sar/conf/identity/standardidentity-config.xml</literal>
+ </para>
+ </sect3>
+ </sect2>
</sect1>
<sect1 id="security.security_authentication">