portals-jetspeed-dev mailing list archives

From j...@apache.org
Subject [jira] Commented: (JS2-22) Security Feature Missing: Implement declarative security
Date Tue, 11 May 2004 21:28:56 GMT
The following comment has been added to this issue:

     Author: Ate Douma
    Created: Tue, 11 May 2004 2:28 PM
Status update:

I've completed phase 1 as described above. The changes have been committed to CVS and I've
already started with phase 2.

With phase 2 I will deliver the implementation of PortletRequest.isUserInRole(roleName) which
should work with the default Tomcat Memory realm (authentication against its tomcat-users.xml

The proper JAAS based authentication with the already working J2 RdbmsLoginModule can then
be activated to get the real authentication and authorisation functionality. But that'll be
a different issue.


Here is an overview of the issue:
        Key: JS2-22
    Summary: Security Feature Missing: Implement declarative security
       Type: New Feature

     Status: Unassigned
   Priority: Major

    Project: Jetspeed 2
   Fix Fors:

   Reporter: David Le Strat

    Created: Mon, 26 Apr 2004 9:16 AM
    Updated: Tue, 11 May 2004 2:28 PM

As far as I have understood the portlet specification (PLT.20) security must be supported
like it is specified in Servlet 2.3 specification SRV12.

In particular, programmatic security through Request.isUserInRole(RoleName) must be supported (PLT.20.3).

Role restrictions for one or more portlets can be defined in portlet.xml as a role reference
to a security role defined in web.xml.
Therefore, to be able to perform isUserInRole(RoleName) for an authenticated user the portlet
container has to look up the real role name as defined in web.xml as referenced by the RoleName
defined in portlet.xml. The already implemented RoleManager.isUserInRole(username,rolename)
can then be used to resolve the question.
This part is currently fully absent. Once this would be available the
full role based security would be almost trivial to implement I think.

Looking at the deployer implementation parsed portlet.xml security 
definitions are not used yet and the web.xml isn't really parsed at all.

This message is automatically generated by JIRA.