portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tay...@apache.org
Subject svn commit: r501661 - in /portals/jetspeed-2/trunk: components/page-manager/src/java/org/apache/jetspeed/page/ components/page-manager/src/java/org/apache/jetspeed/page/impl/ components/page-manager/src/java/org/apache/jetspeed/page/psml/ components/po...
Date Wed, 31 Jan 2007 00:44:13 GMT
Author: taylor
Date: Tue Jan 30 16:44:12 2007
New Revision: 501661

URL: http://svn.apache.org/viewvc?view=rev&rev=501661
Log:
https://issues.apache.org/jira/browse/JS2-645

Portlet Security constraints via the jetspeed-portlet.xml
This completes the main development

I have identified another related task as a side-effect of this feature:
we can now make the Security Permissions completely optional and configurable
This means that all Security checks can run thru the constraints --or--
all Security checks can run thru permissions
Running all checks through constraints can be useful if you don't want to use a Java Security
policy

I am now going to update the portlet selectors to optionally use either permission checks
/ constraint checks based on configuration


Added:
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/PageManagerSecurityUtils.java
Modified:
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/DelegatingPageManager.java
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/psml/CastorXmlPageManager.java
    portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/aggregator/impl/PortletRendererImpl.java
    portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/page/PageManager.java
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/aggregation.xml

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/DelegatingPageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/DelegatingPageManager.java?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/DelegatingPageManager.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/DelegatingPageManager.java
Tue Jan 30 16:44:12 2007
@@ -89,6 +89,11 @@
         return null;
     }
 
+    public boolean checkConstraint(String securityConstraintName, String actions)
+    {
+        return false;
+    }
+    
     /* (non-Javadoc)
      * @see org.apache.jetspeed.page.PageManager#getFolder(java.lang.String)
      */

Added: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/PageManagerSecurityUtils.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/PageManagerSecurityUtils.java?view=auto&rev=501661
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/PageManagerSecurityUtils.java
(added)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/PageManagerSecurityUtils.java
Tue Jan 30 16:44:12 2007
@@ -0,0 +1,210 @@
+/*
+ * Copyright 2000-2004 The Apache Software Foundation.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.page;
+
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+import org.apache.jetspeed.JetspeedActions;
+import org.apache.jetspeed.om.page.SecurityConstraintImpl;
+import org.apache.jetspeed.om.page.SecurityConstraintsDef;
+import org.apache.jetspeed.page.document.DocumentException;
+import org.apache.jetspeed.security.GroupPrincipal;
+import org.apache.jetspeed.security.JSSubject;
+import org.apache.jetspeed.security.RolePrincipal;
+import org.apache.jetspeed.security.UserPrincipal;
+
+
+/**
+ * PageManagerUtils
+ * 
+ * @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>
+ * @version $Id: $
+ */
+public class PageManagerSecurityUtils
+{
+    public static boolean checkConstraint(SecurityConstraintsDef def, String actions)
+    throws DocumentException
+    {
+        List viewActionList = SecurityConstraintImpl.parseCSVList(actions);
+        List otherActionsList = null;
+        if (viewActionList.size() == 1)
+        {
+            if (!viewActionList.contains(JetspeedActions.VIEW))
+            {
+                otherActionsList = viewActionList;
+                viewActionList = null;
+            }
+        }
+        else
+        {
+            otherActionsList = viewActionList;
+            viewActionList = null;
+            if (otherActionsList.remove(JetspeedActions.VIEW))
+            {
+                viewActionList = new ArrayList(1);
+                viewActionList.add(JetspeedActions.VIEW);
+            }
+        }
+
+        // get current request context subject
+        Subject subject = JSSubject.getSubject(AccessController.getContext());
+        if (subject == null)
+        {
+            throw new SecurityException("Security Consraint Check: Missing JSSubject");
+        }
+
+        // get user/group/role principal names
+        List userPrincipals = null;
+        List rolePrincipals = null;
+        List groupPrincipals = null;
+        Iterator principals = subject.getPrincipals().iterator();
+        while (principals.hasNext())
+        {
+            Principal principal = (Principal) principals.next();
+            if (principal instanceof UserPrincipal)
+            {
+                if (userPrincipals == null)
+                {
+                    userPrincipals = new LinkedList();
+                }
+                userPrincipals.add(principal.getName());
+            }
+            else if (principal instanceof RolePrincipal)
+            {
+                if (rolePrincipals == null)
+                {
+                    rolePrincipals = new LinkedList();
+                }
+                rolePrincipals.add(principal.getName());
+            }
+            else if (principal instanceof GroupPrincipal)
+            {
+                if (groupPrincipals == null)
+                {
+                    groupPrincipals = new LinkedList();
+                }
+                groupPrincipals.add(principal.getName());
+            }
+        }
+        
+        boolean result = false;
+        
+        // check constraints using parsed action and access lists
+        if (viewActionList != null)
+        {
+            result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals,
def);
+        }
+        if (otherActionsList != null)
+        {
+            result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals,
def);
+        }
+        return result;
+    }
+    /**
+     * check access for the constraints list of a security constraints definition
+     * 
+     * @param actions given actions
+     * @param userPrincipals set of user principals  
+     * @param rolePrincipals set of role principals
+     * @param groupPrincipals set oof group principals
+     * @param def the security constraint definition 
+     * @throws SecurityException
+     */
+    public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals,
List groupPrincipals, SecurityConstraintsDef def) 
+    throws DocumentException
+    {
+        
+        List checkConstraints = def.getSecurityConstraints();
+            // SecurityConstraint c =(SecurityConstraint)constraints.next();
+        // skip missing or empty constraints: permit all access
+        //List checkConstraints = getAllSecurityConstraints(pageSecurity);
+        if ((checkConstraints != null) && !checkConstraints.isEmpty())
+        {
+            // test each action, constraints check passes only
+            // if all actions are permitted for principals
+            Iterator actionsIter = actions.iterator();
+            while (actionsIter.hasNext())
+            {
+                // check each action:
+                // - if any actions explicity permitted, (including owner),
+                //   assume no permissions are permitted by default
+                // - if all constraints do not specify a permission, assume
+                //   access is permitted by default
+                String action = (String)actionsIter.next();
+                boolean actionPermitted = false;
+                boolean actionNotPermitted = false;
+                boolean anyActionsPermitted = true; // TODO:(getOwner() != null);
+                
+                // check against constraints
+                Iterator checkConstraintsIter = checkConstraints.iterator();
+                while (checkConstraintsIter.hasNext())
+                {
+                    SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
+                    
+                    // if permissions specified, attempt to match constraint
+                    if (constraint.getPermissions() != null)
+                    {
+                        // explicit actions permitted
+                        anyActionsPermitted = true;
+
+                        // test action permission match and user/role/group principal match
+                        if (constraint.actionMatch(action) &&
+                            constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals,
true))
+                        {
+                            actionPermitted = true;
+                            break;
+                        }
+                    }
+                    else
+                    {
+                        // permissions not specified: not permitted if any principal matched
+                        if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals,
false))
+                        {
+                            actionNotPermitted = true;
+                            break;
+                        }
+                    }
+                }
+                
+                // fail if any action not permitted
+                if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
+                {
+                    //throw new SecurityException("SecurityConstraintsImpl.checkConstraints():
Access for " + action + " not permitted.");
+                    return false;
+                }
+            }
+        }
+        else
+        {
+            // fail for any action if owner specified
+            // since no other constraints were found
+            if (/*(getOwner() != null) && */ !actions.isEmpty())
+            {
+                //String action = (String)actions.get(0);
+                //throw new SecurityException("SecurityConstraintsImpl.checkConstraints():
Access for " + action + " not permitted, (not owner).");
+                return false;
+            }
+        }
+        return true;
+    }
+}
\ No newline at end of file

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
Tue Jan 30 16:44:12 2007
@@ -73,6 +73,7 @@
 import org.apache.jetspeed.page.LinkNotUpdatedException;
 import org.apache.jetspeed.page.PageManager;
 import org.apache.jetspeed.page.PageManagerEventListener;
+import org.apache.jetspeed.page.PageManagerSecurityUtils;
 import org.apache.jetspeed.page.PageManagerUtils;
 import org.apache.jetspeed.page.PageNotFoundException;
 import org.apache.jetspeed.page.PageNotRemovedException;
@@ -554,6 +555,28 @@
         }
     }
 
+    /**
+     * Given a securityConstraintName definition and a set of actions,
+     * run a security constraint checks
+     */
+    public boolean checkConstraint(String securityConstraintName, String actions)
+    {
+        try
+        {
+            PageSecurity security = this.getPageSecurity();
+            SecurityConstraintsDef def = security.getSecurityConstraintsDef(securityConstraintName);
+            if (def != null)
+            {
+                return PageManagerSecurityUtils.checkConstraint(def, actions);
+            }            
+        }
+        catch(Exception e)
+        {
+            e.printStackTrace();
+        }           
+        return false;
+    }
+    
     /* (non-Javadoc)
      * @see org.apache.jetspeed.page.PageManager#getPageSecurity()
      */

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/psml/CastorXmlPageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/psml/CastorXmlPageManager.java?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/psml/CastorXmlPageManager.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/psml/CastorXmlPageManager.java
Tue Jan 30 16:44:12 2007
@@ -19,7 +19,6 @@
 import java.io.FileNotFoundException;
 import java.util.HashMap;
 import java.util.Iterator;
-import java.util.List;
 import java.util.Map;
 
 import org.apache.commons.logging.Log;
@@ -29,7 +28,6 @@
 import org.apache.jetspeed.cache.file.FileCacheEntry;
 import org.apache.jetspeed.cache.file.FileCacheEventListener;
 import org.apache.jetspeed.idgenerator.IdGenerator;
-import org.apache.jetspeed.om.common.SecuredResource;
 import org.apache.jetspeed.om.folder.Folder;
 import org.apache.jetspeed.om.folder.FolderNotFoundException;
 import org.apache.jetspeed.om.folder.InvalidFolderException;
@@ -46,6 +44,7 @@
 import org.apache.jetspeed.om.page.Page;
 import org.apache.jetspeed.om.page.PageSecurity;
 import org.apache.jetspeed.om.page.SecurityConstraintImpl;
+import org.apache.jetspeed.om.page.SecurityConstraintsDef;
 import org.apache.jetspeed.om.page.psml.FragmentImpl;
 import org.apache.jetspeed.om.page.psml.FragmentPreferenceImpl;
 import org.apache.jetspeed.om.page.psml.LinkImpl;
@@ -53,10 +52,10 @@
 import org.apache.jetspeed.om.page.psml.PageSecurityImpl;
 import org.apache.jetspeed.om.page.psml.SecurityConstraintsDefImpl;
 import org.apache.jetspeed.om.page.psml.SecurityConstraintsImpl;
-import org.apache.jetspeed.om.preference.FragmentPreference;
 import org.apache.jetspeed.page.AbstractPageManager;
 import org.apache.jetspeed.page.FolderNotUpdatedException;
 import org.apache.jetspeed.page.PageManager;
+import org.apache.jetspeed.page.PageManagerSecurityUtils;
 import org.apache.jetspeed.page.PageNotFoundException;
 import org.apache.jetspeed.page.document.DocumentException;
 import org.apache.jetspeed.page.document.DocumentHandlerFactory;
@@ -448,6 +447,24 @@
         }
     }
 
+    public boolean checkConstraint(String securityConstraintName, String actions)
+    {
+        try
+        {
+            PageSecurity security = this.getPageSecurity();
+            SecurityConstraintsDef def = security.getSecurityConstraintsDef(securityConstraintName);
+            if (def != null)
+            {
+                return PageManagerSecurityUtils.checkConstraint(def, actions);
+            }
+        }
+        catch (Exception e)
+        {
+            log.error(e.getMessage(), e);
+        }
+        return false;
+    }
+    
     /**
      * <p>
      * getPageSecurity

Modified: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/aggregator/impl/PortletRendererImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/aggregator/impl/PortletRendererImpl.java?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/aggregator/impl/PortletRendererImpl.java
(original)
+++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/aggregator/impl/PortletRendererImpl.java
Tue Jan 30 16:44:12 2007
@@ -15,10 +15,10 @@
  */
 package org.apache.jetspeed.aggregator.impl;
 
-import java.util.HashMap;
-import java.util.Map;
 import java.util.Collection;
+import java.util.HashMap;
 import java.util.Iterator;
+import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -30,6 +30,7 @@
 import org.apache.jetspeed.aggregator.ContentDispatcher;
 import org.apache.jetspeed.aggregator.ContentDispatcherCtrl;
 import org.apache.jetspeed.aggregator.FailedToRenderFragmentException;
+import org.apache.jetspeed.aggregator.PortletAccessDeniedException;
 import org.apache.jetspeed.aggregator.PortletContent;
 import org.apache.jetspeed.aggregator.PortletRenderer;
 import org.apache.jetspeed.aggregator.RenderingJob;
@@ -38,16 +39,18 @@
 import org.apache.jetspeed.components.portletentity.PortletEntityNotStoredException;
 import org.apache.jetspeed.container.window.FailedToRetrievePortletWindow;
 import org.apache.jetspeed.container.window.PortletWindowAccessor;
+import org.apache.jetspeed.om.common.LocalizedField;
+import org.apache.jetspeed.om.common.portlet.MutablePortletApplication;
 import org.apache.jetspeed.om.common.portlet.MutablePortletEntity;
 import org.apache.jetspeed.om.common.portlet.PortletDefinitionComposite;
-import org.apache.jetspeed.om.common.GenericMetadata;
-import org.apache.jetspeed.om.common.LocalizedField;
 import org.apache.jetspeed.om.page.ContentFragment;
+import org.apache.jetspeed.page.PageManager;
 import org.apache.jetspeed.request.RequestContext;
 import org.apache.jetspeed.services.title.DynamicTitleService;
 import org.apache.jetspeed.statistics.PortalStatistics;
 import org.apache.pluto.PortletContainer;
 import org.apache.pluto.om.entity.PortletEntity;
+import org.apache.pluto.om.portlet.PortletApplicationDefinition;
 import org.apache.pluto.om.window.PortletWindow;
 
 /**
@@ -70,14 +73,30 @@
     protected PortletWindowAccessor windowAccessor;
     protected PortalStatistics statistics;
     protected DynamicTitleService addTitleService;
-    protected long defaultPortletTimeout;
-
+    /**
+     * when rendering a portlet, the default timeout period in milliseconds
+     * setting to zero will disable (no timeout) the timeout
+     *  
+     */
+    protected long defaultPortletTimeout; 
+    /**
+     *  flag indicating whether to check jetspeed-portlet.xml security constraints 
+     *  before rendering a portlet. If security check fails, do not display portlet content
+     */
+    protected boolean checkSecurityConstraints;   
+    /**
+     * For security constraint checks
+     */
+    protected PageManager pageManager;
+    
     public PortletRendererImpl(PortletContainer container, 
                                PortletWindowAccessor windowAccessor,
                                WorkerMonitor workMonitor,
                                PortalStatistics statistics,
                                DynamicTitleService addTitleService,
-                               long defaultPortletTimeout)
+                               long defaultPortletTimeout,
+                               boolean checkSecurityConstraints,
+                               PageManager pageManager)
     {
         this.container = container;
         this.windowAccessor = windowAccessor;
@@ -85,6 +104,8 @@
         this.statistics = statistics;
         this.addTitleService = addTitleService;
         this.defaultPortletTimeout = defaultPortletTimeout;
+        this.checkSecurityConstraints = checkSecurityConstraints;
+        this.pageManager = pageManager;
     }
 
     public PortletRendererImpl(PortletContainer container, 
@@ -93,7 +114,7 @@
                                PortalStatistics statistics,
                                DynamicTitleService addTitleService)
     {
-        this( container, windowAccessor, workMonitor, statistics, null, 0 );
+        this(container, windowAccessor, workMonitor, statistics, null, 0, false, null);
     }
 
     public PortletRendererImpl(PortletContainer container, 
@@ -144,13 +165,17 @@
             servletRequest = requestContext.getRequestForWindow(portletWindow);
             servletResponse = dispatcherCtrl.getResponseForWindow(portletWindow, requestContext);
 
-            RenderingJob rJob = buildRenderingJob(fragment, servletRequest, servletResponse,
requestContext, false);
+            RenderingJob rJob = buildRenderingJob(portletWindow, fragment, servletRequest,
servletResponse, requestContext, false);
             rJob.execute();
             addTitleToHeader( portletWindow, fragment, servletRequest, servletResponse );
         }
+        catch (PortletAccessDeniedException e)
+        {
+            fragment.overrideRenderedContent(e.getLocalizedMessage());                  
     
+        }        
         catch (Exception e)
         {
-            fragment.overrideRenderedContent(e.toString());
+            fragment.overrideRenderedContent(e.getLocalizedMessage());
             log.error(e.toString(), e);
         }
     }
@@ -178,13 +203,17 @@
             HttpServletRequest servletRequest = requestContext.getRequestForWindow(portletWindow);
             HttpServletResponse servletResponse = dispatcherCtrl.getResponseForWindow(portletWindow,
requestContext);
 
-            RenderingJob rJob = buildRenderingJob(fragment, servletRequest, servletResponse,
requestContext, false);
+            RenderingJob rJob = buildRenderingJob(portletWindow, fragment, servletRequest,
servletResponse, requestContext, false);
             rJob.execute();
             addTitleToHeader( portletWindow, fragment, servletRequest, servletResponse );
         }
+        catch (PortletAccessDeniedException e)
+        {
+            fragment.overrideRenderedContent(e.getLocalizedMessage());                  
     
+        }        
         catch (Exception e)
         {
-            fragment.overrideRenderedContent(e.toString());
+            fragment.overrideRenderedContent(e.getLocalizedMessage());
             log.error(e.toString(), e);
         }
     }
@@ -214,7 +243,7 @@
             portletWindow = getPortletWindow(fragment);
             servletRequest = requestContext.getRequestForWindow(portletWindow);
             servletResponse = dispatcherCtrl.getResponseForWindow(portletWindow, requestContext);
-            rJob = buildRenderingJob(fragment, servletRequest, servletResponse, requestContext,
true);
+            rJob = buildRenderingJob(portletWindow, fragment, servletRequest, servletResponse,
requestContext, true);
 
             if (rJob.getTimeout() > 0) 
             {
@@ -227,14 +256,16 @@
 
             addTitleToHeader( portletWindow, fragment, servletRequest, servletResponse );
         }
+        catch (PortletAccessDeniedException e)
+        {
+            fragment.overrideRenderedContent(e.getLocalizedMessage());                  
     
+        }
         catch (Exception e1)
         {
             servletRequest = requestContext.getRequest();
             servletResponse = dispatcherCtrl.getResponseForFragment(fragment, requestContext);
             log.error("render() failed: " + e1.toString(), e1);
-            fragment.overrideRenderedContent(e1.toString());            
-//            ObjectID oid = JetspeedObjectID.createFromString(fragment.getId());
-        //    ((ContentDispatcherImpl) dispatcherCtrl).notify(oid);
+            fragment.overrideRenderedContent(e1.getLocalizedMessage());            
         }
         return rJob;
     }
@@ -274,17 +305,20 @@
             return portletWindow;
 
     }
-
-    protected RenderingJob buildRenderingJob( ContentFragment fragment, HttpServletRequest
request,
+    
+    protected RenderingJob buildRenderingJob( PortletWindow portletWindow, ContentFragment
fragment, HttpServletRequest request,
                                               HttpServletResponse response, RequestContext
requestContext, boolean isParallel ) 
-        throws FailedToRetrievePortletWindow, FailedToRenderFragmentException, PortletEntityNotStoredException
+        throws PortletAccessDeniedException, FailedToRetrievePortletWindow, FailedToRenderFragmentException,
PortletEntityNotStoredException
     {
         RenderingJob rJob = null;
         ContentDispatcher dispatcher = null;
-        
-        PortletWindow portletWindow = getPortletWindow(fragment);
+                
         PortletDefinitionComposite portletDefinition = 
             (PortletDefinitionComposite) portletWindow.getPortletEntity().getPortletDefinition();
+        if (checkSecurityConstraints && !checkSecurityConstraint(portletDefinition,
fragment))
+        {
+            throw new PortletAccessDeniedException("Access Denied.");
+        }
         ContentDispatcherCtrl dispatcherCtrl = getDispatcherCtrl(requestContext, true);
         dispatcher = getDispatcher(requestContext, true);        
         request = requestContext.getRequestForWindow(portletWindow);
@@ -382,4 +416,28 @@
             }
         }
     }
+    
+    protected boolean checkSecurityConstraint(PortletDefinitionComposite portlet, ContentFragment
fragment)
+    {
+        // TODO: check all kinds of fragments, or at least make this optional
+        if (fragment.getType().equals(ContentFragment.PORTLET))
+        {
+            String constraintRef = portlet.getJetspeedSecurityConstraint();
+            if (constraintRef == null)
+            {
+                constraintRef = ((MutablePortletApplication)portlet.getPortletApplicationDefinition()).getJetspeedSecurityConstraint();
               
+                if (constraintRef == null)
+                {
+                    return true; // allow access
+                }
+            }
+            return pageManager.checkConstraint(constraintRef, "view");                
+            //log.info("Portlet " + portlet.getName() + " failed security check.");     
  
+        }
+        else
+        {
+            return true;
+        }
+    }
+    
 }

Modified: portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/page/PageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/page/PageManager.java?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/page/PageManager.java
(original)
+++ portals/jetspeed-2/trunk/jetspeed-api/src/java/org/apache/jetspeed/page/PageManager.java
Tue Jan 30 16:44:12 2007
@@ -43,6 +43,7 @@
 import org.apache.jetspeed.page.document.NodeSet;
 import org.apache.jetspeed.page.document.UnsupportedDocumentTypeException;
 
+
 /**
  * This service is responsible for loading and saving Pages into
  * the selected persistent store.
@@ -682,4 +683,14 @@
      */
     public int addPages(Page[] pages)
     throws NodeException;
+    
+    /**
+     * For a given security constraint definition name, and the given action(s),
+     * make a constraint check for the current user subject
+     * 
+     * @param securityConstraintName the name of the security constraint definition
+     * @param actions one or more portlet actions (view,edit,help,..)
+     * @return
+     */
+    public boolean checkConstraint(String securityConstraintName, String actions);    
 }

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/aggregation.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/aggregation.xml?view=diff&rev=501661&r1=501660&r2=501661
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/aggregation.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/aggregation.xml Tue Jan 30 16:44:12
2007
@@ -54,6 +54,15 @@
         <constructor-arg>
             <value>0</value>
         </constructor-arg>        
+        <!-- flag indicating whether to check jetspeed-portlet.xml security constraints
+             before rendering a portlet. If security check fails, do not display portlet
content
+          -->
+        <constructor-arg type="boolean">
+            <value>true</value>
+        </constructor-arg>           
+        <constructor-arg>
+            <ref bean="org.apache.jetspeed.page.PageManager" />
+        </constructor-arg>             
     </bean>
 
     <!-- Portlet Renderer w/title in http response header -->



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message