portals-jetspeed-dev mailing list archives

From Randy Watler <rwat...@finali.com>
Subject 11/18 Security/Misc Patch
Date Fri, 19 Nov 2004 16:17:12 GMT

FYI, here is a quick summary of what David reviewed and committed for me
yesterday. As usual, feel free to ask any questions that come to mind!



To test:

1. When you start the portal, you should see only the default page and
   additional links, (no customizer buttons)
2. Login as user: you should see everything as before except the
   testsuite page and the Administrative sub directory, (customizer
   buttons only visible on user pages)
3. Login as manager: everything should be visible except the
   testsuite page, (no customizer buttons)
4. Login as jetspeed: everything should be visible, (no customizer 
5. Login as admin: everything should be visible, (full customizer


- Both permissions, (JAAS), and constraints, (J1 style), are enabled,
(in assembly/page-manager.xml on the CastorXmlPageManager init)
- Both are configured to secure the same entities, except the testsuite
page access is specified only in the constraints.
- The permissions are configured in the 4 populate-userinfo sql scripts.
- The constraints are set up in WEB-INF/pages:

In addition to the core Security functionality, the following "bonus"
changes are in this patch:

- Corrected various page document tags to use lower-dash case instead of
  lowerCamel case.
- Removed security checks from PageAggregator.
- Deprecated ACL members from page documents and usage in
- Removed logging from FolderPermission in commons.
- Added 403 returns in ProfilerValveImpl for SecurityExceptions
- Added short-title support to pages, (see nested-layout.psml), and
- Cleaned up SecurityValveImpl to ensure RequestContext Subject is
  propagated using Subject.doAsPrivileged().
- Added groups to user and jetspeed logins to use for testing purposes.
- Added code in JPT that uses page.checkAccess() to limit customizer
  page actions.
- Added rollovers for full title display in tigris and jetspeed page
  layout decorators/templates.

Things that remain to be done:

- Implement view/edit action checks in PageManager for
  get/new/update/remove APIs.
