[jboss-user] [JBoss Portal] - Declarative Security and Portlets
do-not-reply at jboss.com
Thu Feb 22 08:34:53 EST 2007
I just would like to discuss an issue about the portlet specification and security.
Reading the portlet spec again and again there is one issue that I do not really understand:
The chapter "PLT.20.2 Roles" states:
anonymous wrote : The Portlet Specification shares the same definition as roles of the Servlet Specification
| 2.3, SRV.12.4 Section.
Reading the servlet spec it states:
anonymous wrote : A servlet container enforces declarative or programmatic security for the principal associated with an incoming request based on the security attributes of the principal.
So what is meant by this:
Should the portlet container secure access to a portlet by means of declarative security.
How can this be done? Is this a configuration in the web.xml file.
The portlet spec also stated "PLT.3 Relationship with the Servlet Specification"
anonymous wrote : Portlets are not directly bound to a URL
So how can there be a security-constraint in the web.xml without defined url.
Reading JBoss doc I got the impression that securing a portlet is
a portlet container related task (and is be done in the admin portlet,
or in jboss portal proprietary deployment descriptor).
Than I come to a next point. When accessing a portlet from remote via
WSRP how can than the portlet be secured. Currently I do not see a declarative mean.
If no declarative security can be used, is it really meant, that a portlet developer should always use programmatic security (isUserInRole)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4020559#4020559
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4020559
More information about the jboss-user