portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma" <...@douma.nu>
Subject Re: J2 Customizer Issues
Date Mon, 22 Nov 2004 15:34:35 GMT
Randy Watler said:
> David,

Is a message missing from the list or did you get a message from 'David'

> I have done some significant cleanup in the PageManager and the Customizer
> updates seem to be working for me at this point. I think it is safe to say
> that the CastorXmlPageManager version out there now is causing at least
> some
> of the problems you are encountering. Will have a patch in the morning at
> some point.

I'd like to add another problem I encountered. Because the guest user now is
a proper user, we should think of some way to disallow login to this user
as it is meant to be used as buildin/internal user only.

A simple solution to that would be setting the user is_enabled flag to
false, but that still leaves the possibility someone enables it again
through the UserManager.

I personally would like to see a stronger protection against login of this
user. This could be done by adding one more boolean attribute to the
security_credential table (like is_buildin) or a hardcoded check in the
UserManager.authenticate against the anonymous username. This name
(default 'guest') is now managed by the Profiler though, so maybe we
should move it to the UserManager then.

Another issue: the security rules on the Administrative folder won't allow
a non-admin user to change its password. I will move the
change-password.psml into the root folder to fix this.

If time permits, I will also check in tonight the second part of my
JS2-151 issue containing enforced password change on first login. This
includes automatic navigation to the Change Password psml with no way to
navigate from it until the password is changed (logoff is still a way out
Also included is a configurable set of days before password expiration
when a user will be asked to change its password. The last day before
expiration will require the password to be changed.

These features are currently *not* (longer) working though as result of the
new 'guest' user configuration which now *also* is required to change its
password, even if this user isn't logged on at all.
Kinda blocking problem :(
I need this handled before I will check in my changes.



> As I replied earlier, the security settings on "/" are preventing you from
> viewing the root folder back link after decending into the Public folder.
> It
> is possible to define the access permissions on a folder to be the union
> of
> all of its children's access permissions, but that seems like it might be
> too computationally intense to be worth it. I don't know what is best. For
> now, you can propagate the current constraints in "/" folder.metadata to
> its
> children and open the permissions on the "/" folder itself to allow guest
> access.
> I am currently having issues with the SiteBrowserPortlet: it apparently
> does
> not set the JAAS subject before it accesses the PageManager. Since the
> access is now checked in the PageManager and Folder access methods, it is
> getting SecurityExceptions. I have just started looking into this, but am
> taking a break until morning.
> Talk to you then,
> Randy

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

View raw message