portals-jetspeed-dev mailing list archives

From "Weaver, Scott" <Swea...@rippe.com>
Subject RE: Possible security bug with portlet default security.
Date Thu, 03 Apr 2003 20:21:37 GMT
> Can you open a Bugzilla issue for this so we can track
> this change?

Sure, just wanted to do a sanity check before I opened a bug.  I think a configuration property
like "strict.portlet.security" that could be turned on and off may do the trick.  However,
we may want to research it more.

*===================================*
* Scott T Weaver                    *
* Jakarta Jetspeed Portal Project   *
* weaver@apache.org                 *
*===================================*
  


> -----Original Message-----
> From: Mark Orciuch [mailto:mark_orciuch@ngsltd.com]
> Sent: Thursday, April 03, 2003 3:05 PM
> To: Jetspeed Developers List
> Subject: RE: Possible security bug with portlet default security.
> 
> Scott,
> 
> > When adding a portlet through the customizer, its security ref
> > is set to the "services.PortalToolkit.default.user.security.ref"
> > value in JS.props.
> >
> > Is this correct?
> >
> > I can see this for portlet sets but not for individual portlets
> > that may have tighter restrictions set at the registry level.  I
> > vote that this logic be removed as it can give a user more access
> > than what was intended.
> >
> 
> I see your point. The default user security ref is 'owner-only' so if
> registry-level security for a portlet is more restrictive, 'owner-only'
> would override it. I still think that default security ref is a useful
> feature. My vote would be to not set default security ref if registry-level
> constraint exists. Can you open a Bugzilla issue for this so we can track
> this change?
> 
> Best regards,
> 
> Mark Orciuch - morciuch@apache.org
> Jakarta Jetspeed - Enterprise Portal in Java
> http://jakarta.apache.org/jetspeed/
> 
> 
