[jboss-user] [JBoss Portal] - Re: Securing Portlet Modes
Antoine_h
do-not-reply at jboss.com
Wed Mar 21 16:06:14 EDT 2007
yes, interesting feature : mode depending on roles.
but from what I know it is not in JSR-168
and it may be long before you get it as a vendor-specific feature in jboss portal. (they go quick ! but you seem to need it now...)
to do that in the mean time (1) :
- set the window security to all user
- in the portlet rendering (for the decoration and putting the mode icons) : rewrite one of the rendering classes, configure it into the layout, configure the window so it uses this rendering
- in this class, make the "if user ok", then show the icon of the mode, if not don't show it.
the portlet rendering is the more complicated thing :
- not sure you will have access to what user is calling this window rendering... so look how it works, and how you can get the user Principal, or RemoteUser things from there.
(2) other way, for the portlet decoration rendering
- in the do view, if the mode and user policy say "no edit mode", add a special CSS stylesheet in the header of the page. (specific css for this portlet).
- in the css, set the html tag of the edit mode to "not visible" (or no image...)
- you may play with the definition of css style like #MyPortletContainer #TheEditModeIcon. This to make sure only this portlet window will disable the edit icon
- even if you can't have the (1) solution, you may have to rewrite a rendering class, to adjust the class and id of html tags, so they fit your needs.
well, that's for the rendering
for the security : in the do view, check the user and mode policy, and if it is a forbidden mode, show nothing in the view.
because someone can ask for the edit mode by playing with the url directly, (without clicking on the icon).
it is "not quick and dirty"... but you may have what you need, before it is implemented in jboss portal.
also think of the cache stuff : if not logged in, the user gets the window with no edit mode. then he logs in as admin : the cached window will show without the icon... not good for the admin.
I am quite sure the cache process does not check this kind of situation.
to invalidate the cache of all portlets when logged, see some previous posts...
or put this portlet with no cache, if you can afford it with cpu.
hope that helps... and that there is no other trouble in the way that I did not see...
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4030364#4030364
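
The server-side check and the no-cache setting described in the post above, sketched against the JSR-168 API as an added example (not code from the post or from JBoss Portal). The class name `ModeGuardPortlet`, the role name `Admin` and the `handleAction` hook are assumptions made for illustration.

```java
import java.io.IOException;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletMode;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

// Hypothetical base class: concrete portlets extend it and implement doView/doEdit/handleAction.
public abstract class ModeGuardPortlet extends GenericPortlet {
    // Assumed role name; it has to be mapped with a <security-role-ref> in portlet.xml.
    private static final String EDIT_ROLE = "Admin";

    // Mode policy: EDIT requires EDIT_ROLE, every other mode is open.
    // isUserInRole returns false for an unauthenticated user, so anonymous EDIT is refused.
    private static boolean modeAllowed(PortletRequest req) {
        return !PortletMode.EDIT.equals(req.getPortletMode()) || req.isUserInRole(EDIT_ROLE);
    }

    @Override
    protected void doDispatch(RenderRequest req, RenderResponse resp)
            throws PortletException, IOException {
        // Expire this portlet's markup at once, so a fragment rendered
        // before login is not served again to the same user after login.
        resp.setProperty(RenderResponse.EXPIRATION_CACHE, "0");
        resp.setContentType("text/html");
        if (!modeAllowed(req)) {
            return; // mode was requested through the URL: render nothing
        }
        super.doDispatch(req, resp); // dispatches to doView / doEdit / doHelp
    }

    @Override
    public final void processAction(ActionRequest req, ActionResponse resp)
            throws PortletException, IOException {
        // Action URLs can be crafted by hand as well, so the same policy applies here.
        if (!modeAllowed(req)) {
            throw new PortletSecurityException("portlet mode not permitted for this user");
        }
        handleAction(req, resp);
    }

    // Hypothetical hook for the real action logic of the concrete portlet.
    protected abstract void handleAction(ActionRequest req, ActionResponse resp)
            throws PortletException, IOException;
}
```

Hiding the icon through the renderer or CSS stays cosmetic; with this guard the request is refused even when the mode is set in the URL.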