[jboss-jira] [JBoss JIRA] Resolved: (JBPORTAL-1740) cms admin portlet checks for hardcoded role named 'admin'
Sohil Shah (JIRA)
jira-events at lists.jboss.org
Tue Nov 27 18:08:50 EST 2007
[ http://jira.jboss.com/jira/browse/JBPORTAL-1740?page=all ]
Sohil Shah resolved JBPORTAL-1740.
----------------------------------
Resolution: Done
The following two aspects of CMS security are now made configurable:
1/ Ability to configure the CMS super user instead of the built-in admin user. This can be achieved by the configuration inside the portal-cms.sar/META-INF/jboss-service.xml.
<mbean
   code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
   name="portal:service=AuthorizationProvider,type=cms"
   xmbean-dd=""
   xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
   <xmbean/>
   <!--
      NOTE: cmsRootUserName denotes a single Portal user that has access to everything in the CMS. Denote this user
      carefully; it should be synonymous with the 'root' user in a Unix system. By default this value is the built-in
      'admin' user account. This can be changed to any other user account registered in your Portal.
   -->
   <attribute name="CmsRootUserName">admin</attribute>
   <depends optional-attribute-name="IdentityServiceController" proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>
</mbean>
2/ The Portal Role that has access to the CMS Security Console for setting up the permissions on the CMS nodes can now be specified in the following file:
jboss-portal.sar/conf/identity/standardidentity-config.xml
<!-- Common options section -->
<option-group>
   <group-name>common</group-name>
   <option>
      <name>userCtxDN</name>
      <value>ou=People,dc=example,dc=com</value>
   </option>
   <option>
      <name>uidAttributeID</name>
      <value>uid</value>
   </option>
   <option>
      <name>passwordAttributeID</name>
      <value>userPassword</value>
   </option>
   <option>
      <name>roleCtxDN</name>
      <value>ou=Roles,dc=example,dc=com</value>
   </option>
   <option>
      <name>ridAttributeId</name>
      <value>cn</value>
   </option>
   <option>
      <name>roleDisplayNameAttributeID</name>
      <value>cn</value>
   </option>
   <option>
      <name>membershipAttributeID</name>
      <value>member</value>
   </option>
   <option>
      <name>membershipAttributeIsDN</name>
      <value>true</value>
   </option>
   <!-- NOTE: defaultAdminRole is a required option -->
   <option>
      <name>defaultAdminRole</name>
      <value>Admin</value>
   </option>
</option-group>
> cms admin portlet checks for hardcoded role named 'admin'
> ---------------------------------------------------------
>
> Key: JBPORTAL-1740
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-1740
> Project: JBoss Portal
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Portal CMS
> Affects Versions: 2.6.2 Final
> Reporter: Tobias Roth
> Assigned To: Sohil Shah
>
> See also http://jira.jboss.com/jira/browse/JBPORTAL-1646
> I found another hardcoded use of 'admin'. The effect of having this is that even with the change I described above, permissions of CMS nodes cannot be changed by users that are not in a role called 'admin'.
> Why does the security console need to have separate access rights? Aren't the access rights for the CMS admin console enough?
> In core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java:
> private boolean isSecurityConsoleAccessible(PortletRequest portletRequest)
> {
>    try
>    {
>       boolean isAccessible = false;
>       if (portletRequest.getUserPrincipal() != null)
>       {
>          User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
>          Set roles = this.membershipModule.getRoles(user);
>          if (roles != null)
>          {
>             for (Iterator itr = roles.iterator(); itr.hasNext();)
>             {
>                Role role = (Role)itr.next();
>                if (role.getName().equalsIgnoreCase("admin"))
>                {
>                   isAccessible = true;
>                   break;
>                }
>             }
>          }
>       }
>       return isAccessible;
>    }
>    catch (Exception e)
>    {
>       return false;
>    }
> }
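The check quoted above, rewritten as an added example (this is not JBoss Portal code) so that the privileged role name is read from configuration instead of being spelled as the literal 'admin'. The Role, User, PortletRequest, UserModule and MembershipModule interfaces below are minimal stand-ins for the Portal types the issue references, the in-memory identity store and the users alice and bob are constructed for the demonstration, and the injected role name CmsSecurityAdmin is an assumed value that in a real deployment would come from a setting such as the defaultAdminRole option shown earlier.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example, not JBoss Portal code: the hardcoded 'admin' check beside a configurable one. */
public class SecurityConsoleAccessExample {

    // Hypothetical stand-ins for the Portal types named in the issue; only the methods used here.
    interface Role { String getName(); }
    interface User { String getUserName(); }
    interface PortletRequest { Principal getUserPrincipal(); }
    interface UserModule { User findUserByUserName(String name) throws Exception; }
    interface MembershipModule { Set<Role> getRoles(User user) throws Exception; }

    private final UserModule userModule;
    private final MembershipModule membershipModule;
    // Assumption: the privileged role name is injected from configuration
    // (for example the defaultAdminRole option) rather than written into the code.
    private final String securityConsoleRole;

    SecurityConsoleAccessExample(UserModule um, MembershipModule mm, String securityConsoleRole) {
        if (securityConsoleRole == null || securityConsoleRole.trim().isEmpty()) {
            throw new IllegalArgumentException("security console role must be configured");
        }
        this.userModule = um;
        this.membershipModule = mm;
        this.securityConsoleRole = securityConsoleRole;
    }

    /** Shared lookup: the caller's role names, or an empty set if unauthenticated, unknown or on error. */
    private Set<String> roleNamesOf(PortletRequest request) {
        try {
            Principal principal = request.getUserPrincipal();
            if (principal == null) return Collections.emptySet();
            User user = userModule.findUserByUserName(principal.getName());
            if (user == null) return Collections.emptySet();
            Set<Role> roles = membershipModule.getRoles(user);
            Set<String> names = new HashSet<>();
            if (roles != null) for (Role r : roles) names.add(r.getName());
            return names;
        } catch (Exception e) {
            return Collections.emptySet(); // fail closed, as the original check does
        }
    }

    /** "Before": the check reported in JBPORTAL-1740, bound to the literal role 'admin'. */
    boolean isSecurityConsoleAccessibleHardcoded(PortletRequest request) {
        for (String name : roleNamesOf(request)) {
            if (name.equalsIgnoreCase("admin")) return true;
        }
        return false;
    }

    /** "After": same decision, but the role comes from configuration and is matched exactly. */
    boolean isSecurityConsoleAccessible(PortletRequest request) {
        return roleNamesOf(request).contains(securityConsoleRole);
    }

    public static void main(String[] args) {
        // Constructed in-memory identity store: user name -> role names.
        Map<String, Set<String>> store = new HashMap<>();
        store.put("alice", new HashSet<>(Arrays.asList("User", "CmsSecurityAdmin")));
        store.put("bob", new HashSet<>(Arrays.asList("User")));

        UserModule um = name -> {
            if (!store.containsKey(name)) return null; // unknown user
            return () -> name;
        };
        MembershipModule mm = user -> {
            Set<Role> roles = new HashSet<>();
            for (String r : store.get(user.getUserName())) roles.add(() -> r);
            return roles;
        };
        SecurityConsoleAccessExample check = new SecurityConsoleAccessExample(um, mm, "CmsSecurityAdmin");

        PortletRequest alice = () -> () -> "alice";
        PortletRequest bob = () -> () -> "bob";
        PortletRequest anonymous = () -> null;

        System.out.println("alice, hardcoded check:      " + check.isSecurityConsoleAccessibleHardcoded(alice));
        System.out.println("alice, configured check:     " + check.isSecurityConsoleAccessible(alice));
        System.out.println("bob, configured check:       " + check.isSecurityConsoleAccessible(bob));
        System.out.println("anonymous, configured check: " + check.isSecurityConsoleAccessible(anonymous));
    }
}
```

Running main shows alice, who holds CmsSecurityAdmin but not admin, rejected by the hardcoded check and admitted by the configurable one, while bob and the unauthenticated request are rejected by both. The configured value is matched exactly on purpose: the original's equalsIgnoreCase would also accept 'ADMIN' or 'Admin', which widens the check if the identity store treats role names as case-sensitive.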
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira