portals-jetspeed-dev mailing list archives

From j...@apache.org
Subject [jira] Commented: (JS2-22) Security Feature Missing: Implement declarative security
Date Wed, 19 May 2004 13:15:01 GMT
The following comment has been added to this issue:

     Author: Ate Douma
    Created: Wed, 19 May 2004 6:13 AM
I've completed phase 2.
PortletRequest.isUserInRole(roleName) (and HttpServletRequest.isUserInRole(roleName)) gives
the correct answer conforming to the specs.
As a test I've created the RoleSecurityTest portlet to show all this.

As far as I can see the requirements for declarative portlet security are implemented now.
Of course, the portal should probably do something with this (like not allowing access to
a portlet when a logged on user has none of the required roles) but that was not the point
of this new feature.
David, could you please review if my implementation is according to the specs (PLT.20) in
regards to declarative role security and close this issue if you find it resolved?


Here is an overview of the issue:
        Key: JS2-22
    Summary: Security Feature Missing: Implement declarative security
       Type: New Feature

     Status: Unassigned
   Priority: Major

    Project: Jetspeed 2
   Fix Fors:

   Reporter: David Le Strat

    Created: Mon, 26 Apr 2004 9:16 AM
    Updated: Wed, 19 May 2004 6:13 AM

As far as I have understood the portlet specification (PLT.20) security must be supported
like it is specified in Servlet 2.3 specification SRV12.

In particular, programmatic security through Request.isUserInRole(RoleName) must be supported (PLT.20.3).

Role restrictions for one or more portlets can be defined in portlet.xml as a role reference
to a security role defined in web.xml.
Therefore, to be able to perform isUserInRole(RoleName) for an authenticated user the portlet
container has to look up the real role name as defined in web.xml as referenced by the RoleName
defined in portlet.xml. The already implemented RoleManager.isUserInRole(username,rolename)
can then be used to resolve the question.
This part is currently fully absent. Once this would be available the
full role based security would be almost trivial to implement I think.

Looking at the deployer implementation, parsed portlet.xml security
definitions are not used yet and the web.xml isn't really parsed at all.
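
The role-reference lookup described in the issue above, as an added example (not Jetspeed's code and not part of this message). The descriptors, the user alice, the class RoleRefResolver and the RoleManager interface are constructed stand-ins; it assumes that a role name with no matching reference or no role-link is checked against the security-role list in web.xml directly, and that a role web.xml does not declare is never granted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class RoleRefResolver {
    // Constructed descriptors: portlet code asks for "admin", the web application declares "portal-admin".
    static final String PORTLET_XML = "<portlet-app><portlet><portlet-name>RoleSecurityTest</portlet-name>"
        + "<security-role-ref><role-name>admin</role-name><role-link>portal-admin</role-link></security-role-ref>"
        + "<security-role-ref><role-name>ghost</role-name><role-link>undeclared</role-link></security-role-ref>"
        + "</portlet></portlet-app>";
    static final String WEB_XML = "<web-app><security-role><role-name>portal-admin</role-name></security-role>"
        + "<security-role><role-name>user</role-name></security-role></web-app>";
    // Hypothetical stand-in for the RoleManager.isUserInRole(username, rolename) call named in the issue.
    interface RoleManager { boolean isUserInRole(String username, String roleName); }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs (XXE)
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    static boolean isUserInRole(String user, String portlet, String roleName, RoleManager rm) throws Exception {
        Set<String> declared = new HashSet<>();
        NodeList roles = parse(WEB_XML).getElementsByTagName("security-role");
        for (int i = 0; i < roles.getLength(); i++) declared.add(text((Element) roles.item(i), "role-name"));
        String real = roleName; // default when no reference or no role-link matches
        NodeList refs = parse(PORTLET_XML).getElementsByTagName("security-role-ref");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            String owner = text((Element) ref.getParentNode(), "portlet-name");
            String link = text(ref, "role-link");
            if (portlet.equals(owner) && roleName.equals(text(ref, "role-name")) && link != null) real = link;
        }
        // Fail closed: unauthenticated users and roles missing from web.xml are denied.
        return user != null && declared.contains(real) && rm.isUserInRole(user, real);
    }

    public static void main(String[] args) throws Exception {
        RoleManager rm = (u, r) -> u.equals("alice") && r.equals("portal-admin"); // constructed role store
        System.out.println(isUserInRole("alice", "RoleSecurityTest", "admin", rm)); // reference with role-link
        System.out.println(isUserInRole("alice", "RoleSecurityTest", "ghost", rm)); // link not declared in web.xml
        System.out.println(isUserInRole(null, "RoleSecurityTest", "admin", rm));    // no authenticated user
    }
}
```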
