[jboss-user] [JBoss Portal] - security-constraints not working at the page level (*-object
joe_the_quick
do-not-reply at jboss.com
Mon Nov 12 17:57:36 EST 2007
Hi there,
If I add the Authenticated role to a page (using JBoss Portal 2.6.2 GA), it seems to simply get ignored:
test-object.xml:
<?xml version="1.0" encoding="UTF-8"?>
<if-exists>overwrite</if-exists>
<parent-ref>default</parent-ref>
<page-name>HelloWorld</page-name>
<window-name>HelloWorldPortletWindow</window-name>
<instance-ref>HelloWorldPortletInstance</instance-ref>
<region>center</region>
<height>0</height>
<security-constraint>
   <policy-permission>
      <role-name>Authenticated</role-name>
      <action-name>view</action-name>
   </policy-permission>
</security-constraint>
The role is added to portlet.xml and can be verified using request.isUserInRole("Authenticated").
If I add the same role to the portlet-instances.xml, then it works immediately:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!DOCTYPE deployments PUBLIC
   "-//JBoss Portal//DTD Portlet Instances 2.6//EN"
   "http://www.jboss.org/portal/dtd/portlet-instances_2_6.dtd">
<if-exists>overwrite</if-exists>
<instance-id>HelloWorldPortletInstance</instance-id>
<portlet-ref>HelloWorldPortlet</portlet-ref>
<security-constraint>
   <policy-permission>
      <role-name>Authenticated</role-name>
      <action-name>view</action-name>
   </policy-permission>
</security-constraint>
Environment info:
JBoss 4.0.5 GA
JBoss Portal 2.6.2 GA
JDK 1.5
Could it be that the page-level security is no longer working with JBoss Portal 2.6.2 GA?
I read in an earlier post that the unchecked access using "read recursive" has to be disabled from the default-portal, but I believe that the role security should be way stronger than any default configuration.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4103906#4103906
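An added example (not part of the original post and not JBoss Portal's own code): a small Python audit that lists each page's own policy permissions next to any `viewrecursive` grant to unchecked users declared on an ancestor, the default-portal setting the post refers to. The sample descriptor is constructed; its wrapper elements, the `<unchecked/>` grant on the `default` portal, and the premise that such a grant carries down to child pages are assumptions, not taken from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: wrapper elements and the parent portal's constraint are
# assumptions; the page's constraint mirrors the one shown in the post.
SAMPLE = """<deployments>
  <deployment>
    <portal>
      <portal-name>default</portal-name>
      <security-constraint>
        <policy-permission>
          <unchecked/>
          <action-name>viewrecursive</action-name>
        </policy-permission>
      </security-constraint>
      <page>
        <page-name>HelloWorld</page-name>
        <security-constraint>
          <policy-permission>
            <role-name>Authenticated</role-name>
            <action-name>view</action-name>
          </policy-permission>
        </security-constraint>
      </page>
    </portal>
  </deployment>
</deployments>"""

def grants(obj):
    """(who, action) pairs declared directly on a portal or page element."""
    out = []
    for perm in obj.findall("security-constraint/policy-permission"):
        who = ["<unchecked>"] if perm.find("unchecked") is not None else []
        who += [r.text.strip() for r in perm.findall("role-name")]
        out += [(w, a.text.strip()) for w in who for a in perm.findall("action-name")]
    return out

def audit(xml_text):
    """Map each page to its own grants and ancestors granting unchecked recursive view."""
    report = {}
    def walk(obj, path, inherited):
        own = grants(obj)
        if obj.tag == "page":
            report[path] = {"own": own, "inherited_unchecked": list(inherited)}
        rec = inherited + [path for g in own if g == ("<unchecked>", "viewrecursive")]
        for child in obj.findall("page"):
            walk(child, path + "/" + child.findtext("page-name").strip(), rec)
    for portal in ET.fromstring(xml_text).iter("portal"):
        walk(portal, portal.findtext("portal-name").strip(), [])
    return report
```

A page whose `inherited_unchecked` list is non-empty is one to check by hand while logged out, since its role constraint sits beneath a broader grant.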