[jboss-user] [JBoss Portal] - Re: CMS security not working

sohil.shah@jboss.com do-not-reply at jboss.com
Wed Dec 19 11:05:42 EST 2007


anonymous wrote : 
  | - do not give any permissions to "Anonymous" role on "/" directory and give it "read" permissions on "default" directory (no permissions are defined on index.html for any role or user) : Access is denied on the /default/index.html of the CMS portlet home page.
  | If "Anonymous" role has read permissions on "/" directory, it works.
  | So "Any Permissions specified explicitly on the CMS Node overrides the policy inherited via recursive propagation" as indicated in 14.2 chapter of portal reference guide is not working ? 
  | 

This is expected behavior. The permissions recurse down the tree, not up the tree. In your case, you have no access to the '/' node; specifying permissions on '/default' and thereby automatically granting permission to access the '/' node would be a security hole.

The idea for recursion is: say you give all users access to the "/" node, then the entire tree will be accessible. But if "/private" needs to be protected to certain users, you specify it there; in that case, the entire CMS tree is not fully exposed.

anonymous wrote : 
  | I have defined a role : myRole. And various users but I want to define CMS security only with roles.
  | I have defined the following security on the following directories :
  | For all directories, "Administrators" role has the manage permissions and it is the only one to get it. It has also the read and write permissions everywhere but other roles got them sometimes.
  | "/" is readable by all the roles except "Users" and "Anonymous". No more permissions on "/".
  | "/MyTopDirectory" is readable by all the roles except "Users" and "Anonymous". No more permissions on "/MyTopDirectory".
  | "/MyTopDirectory/TheUsableDirectory" is readable and writable by "myRole". No more permissions on "/MyTopDirectory/TheManagerDirectory". 
  | 
This setup should work. A similar but simpler setup would be the following; give it a try to see what you get:

"/" - make readable to all roles including "myRole" except Users and Anonymous
"/MyTopDirectory/TheUsableDirectory" - make readable and writable to "myRole"
 
Let me know what you get with this setup.

Note: this is essentially the same result you are trying to achieve, except it's a simpler way to approach it.

Hope this helps.

Thanks

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4114268#4114268
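
The top-down evaluation described in the reply above, as an added example that is not part of the original post and is not JBoss Portal code. It is a simplified model: the function names, the ACL dictionaries and the three rules stated in the comments are assumptions made for illustration, and the role and directory names are taken from the thread.

```python
# Simplified model of the behaviour described in this thread; not JBoss Portal code.
# Assumptions: an explicit entry for a role on a node replaces what the role
# inherited, a node without an entry inherits from its parent, and a role needs
# "read" on every ancestor to reach a node below it.

def chain(path):
    """Return "/" followed by each prefix of path, top-down."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def effective(acl, role, path):
    """Permissions `role` ends up with on `path`, evaluated from the root down."""
    nodes = chain(path)
    current = frozenset()
    for i, node in enumerate(nodes):
        explicit = acl.get(node, {}).get(role)
        if explicit is not None:
            current = frozenset(explicit)   # explicit entry overrides inherited
        if i < len(nodes) - 1 and "read" not in current:
            return frozenset()              # blocked at an ancestor
    return current

def ineffective_grants(acl):
    """(path, role) pairs whose explicit grant is cancelled by a closed ancestor."""
    found = []
    for path, roles in acl.items():
        for role, perms in roles.items():
            if perms and not effective(acl, role, path):
                found.append((path, role))
    return sorted(found)

# Constructed ACLs following the two setups discussed in the thread.
REPORTED = {
    "/": {"Administrators": {"read", "write", "manage"}},
    "/default": {"Anonymous": {"read"}},
}
SIMPLER = {
    "/": {"Administrators": {"read", "write", "manage"}, "myRole": {"read"}},
    "/MyTopDirectory/TheUsableDirectory": {"myRole": {"read", "write"}},
}

if __name__ == "__main__":
    print(effective(REPORTED, "Anonymous", "/default/index.html"))
    print(ineffective_grants(REPORTED))
    print(effective(SIMPLER, "myRole", "/MyTopDirectory/TheUsableDirectory"))
```

Running `ineffective_grants` over an exported permission set is a quick way to spot grants that look valid on the node but can never take effect because a parent directory is closed to that role.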
