portals-jetspeed-dev mailing list archives

From j...@apache.org
Subject [jira] Commented: (JS2-22) Security Feature Missing: Implement declarative security
Date Thu, 06 May 2004 12:43:56 GMT
The following comment has been added to this issue:

     Author: Ate Douma
    Created: Thu, 6 May 2004 5:43 AM
       Body:
David,

I would like to take a plunge into implementing this.
I don't know if you already put some effort into this and wouldn't want to redo something you already may have put some time in.

After reviewing the current situation I've come to the following first steps needed to be done (phase 1):
1. Define a proper web.xml parsing based on the Digester and get all its elements loaded.
2. Adjust the current simple web.xml parsing to use the new model.
3. Determine which elements are required to be stored in the registry (maybe all, maybe just fragments like role refs)
4. Update the persistent registry model to be able to store the required elements of the web.xml.

After this, phase 2 can be defined which should deliver the actual implementation of request.isUserInRole(Name).


For now I would start out with the steps of phase 1 only.

Any comments are appreciated. If nobody objects or has some other ideas I would like to start with this as soon as possible.

I will start with some preliminary investigation of the Pluto implementation of this right away.
---------------------------------------------------------------------
View this comment:
  http://issues.apache.org/jira/browse/JS2-22?page=comments#action_35431

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/JS2-22

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: JS2-22
    Summary: Security Feature Missing: Implement declarative security
       Type: New Feature

     Status: Unassigned
   Priority: Major

    Project: Jetspeed 2
 Components: 
             Security
   Fix Fors:
             2.0-a1
   Versions:
             2.0-a1

   Assignee: 
   Reporter: David Le Strat

    Created: Mon, 26 Apr 2004 9:16 AM
    Updated: Thu, 6 May 2004 5:43 AM

Description:
As far as I have understood the portlet specification (PLT.20) security must be supported like it is specified in Servlet 2.3 specification SRV12.

In particular, programmatic security through Request.isUserInRole(RoleName) must be supported (PLT.20.3).

Role restrictions for one or more portlets can be defined in portlet.xml as a role reference to a security role defined in web.xml.
Therefore, to be able to perform isUserInRole(RoleName) for an authenticated user the portlet container has to look up the real role name as defined in web.xml as referenced by the RoleName defined in portlet.xml. The already implemented RoleManager.isUserInRole(username,rolename) can then be used to resolve the question.
This part is currently fully absent. Once this would be available the full role based security would be almost trivial to implement I think.

Looking at the deployer implementation parsed portlet.xml security definitions are not used yet and the web.xml isn't really parsed at all.



---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.

If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa

If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
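
The role-reference lookup described in the issue, as an added example that is not part of the original message or of the Jetspeed code base. Assumptions: the class and helper names are hypothetical, the descriptors are constructed samples, `role-link` is the optional element of `security-role-ref` in the portlet descriptor, an in-memory set stands in for RoleManager.isUserInRole(username,rolename), and denying a reference that points at an undeclared role is this example's choice.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class RoleRefResolver {
    // Constructed sample descriptors, trimmed to the security elements (one portlet only).
    static final String WEB_XML = "<web-app><security-role><role-name>manager</role-name></security-role></web-app>";
    static final String PORTLET_XML = "<portlet-app><portlet><portlet-name>Admin</portlet-name>"
        + "<security-role-ref><role-name>ADMIN</role-name><role-link>manager</role-link></security-role-ref>"
        + "<security-role-ref><role-name>manager</role-name></security-role-ref>"
        + "<security-role-ref><role-name>AUDIT</role-name><role-link>auditor</role-link></security-role-ref></portlet></portlet-app>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // deployed descriptors are untrusted input
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String text(Element e, String tag) {
        NodeList n = e.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    // Maps each role name used in portlet.xml to the web.xml security role it refers to.
    static Map<String, String> resolve(Document web, Document portlet) {
        Set<String> declared = new HashSet<>();
        NodeList roles = web.getElementsByTagName("security-role");
        for (int i = 0; i < roles.getLength(); i++) declared.add(text((Element) roles.item(i), "role-name"));
        Map<String, String> refs = new HashMap<>();
        NodeList list = portlet.getElementsByTagName("security-role-ref");
        for (int i = 0; i < list.getLength(); i++) {
            Element ref = (Element) list.item(i);
            String name = text(ref, "role-name"), link = text(ref, "role-link");
            String target = link != null ? link : name;             // no role-link: the name itself is the role
            if (declared.contains(target)) refs.put(name, target);  // undeclared target is dropped, so the check denies
        }
        return refs;
    }

    // userRoles stands in for the roles RoleManager would report for the authenticated user.
    static boolean isUserInRole(Map<String, String> refs, Set<String> userRoles, String roleName) {
        return refs.containsKey(roleName) && userRoles.contains(refs.get(roleName));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> refs = resolve(parse(WEB_XML), parse(PORTLET_XML));
        Set<String> alice = Set.of("manager"); // constructed user holding the real role
        for (String r : List.of("ADMIN", "manager", "AUDIT", "guest")) System.out.println(r + " -> " + isUserInRole(refs, alice, r));
    }
}
```

A real container would keep one such map per portlet, since role references are declared per portlet in portlet.xml.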

