portals-jetspeed-dev mailing list archives

From "Mark Orciuch" <mark_orci...@ngsltd.com>
Subject RE: [J1] [PROPOSAL] Secure Actions enhancement
Date Fri, 09 Jan 2004 14:26:00 GMT
Securing portlet actions is definitely something long overdue (see
http://issues.apache.org/bugzilla/show_bug.cgi?id=24939) and we should start
discussing it. Here's a related discussion thread that was started last
year: http://issues.apache.org/bugzilla/show_bug.cgi?id=18865. I think that
Scott had something interesting in the works but didn't have time to commit it.

Best regards,

Mark Orciuch - morciuch@apache.org
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/

> -----Original Message-----
> From: Jeremy Ford [mailto:caius1440@hotmail.com]
> Sent: Thursday, January 08, 2004 10:45 PM
> To: jetspeed-dev@jakarta.apache.org
> Subject: [J1] [PROPOSAL] Secure Actions enhancement
>
>
> The following proposal was spawned by this log in bugzilla:
> http://issues.apache.org/bugzilla/show_bug.cgi?id=24939
>
> The issue that needs to be addressed is securing the portlet actions.  While
> it is possible for each action to implement its own security checking, it
> would be nice for there to be classes that one can simply derive from that
> already do the checking for you.  Looking at the various portlet actions
> provided by Jetspeed, there are 3 main classes that provide portlet action
> support: GenericMVCAction, JspPortletAction, and VelocityPortletAction.
>
> I propose providing 3 new classes: SecureGenericMVCAction,
> SecureJspPortletAction, and SecureVelocityPortletAction.  These 3 actions
> would extend GenericMVCAction, JspPortletAction, and VelocityPortletAction.
> The actions would override the perform(RunData) method with the following
> implementation.
>
> if(JetspeedSecurity.canUseSecureAction(rundata)) {
> 	super.perform(rundata);
> }
>
> The canUseSecureAction function would defer to a new method in the
> JetspeedSecurityService implementation which would provide an algorithm that
> determines if the current user is an administrator.  The currently proposed
> algorithm is to compare the list of roles that the user is associated with to
> a list of allowed roles in the JetspeedSecurity.properties file.  If there is
> a match, the user is allowed access to the action.
>
> Proposed Classes:
> SecureGenericMVCAction
> SecureJspPortletAction
> SecureVelocityPortletAction
>
> Proposed Extensions:
> New method to Jetspeed security canUseSecureAction
>
> Proposed property file changes:
> services.JetspeedSecurity.secure_actions.allowed_roles
>
> As always, comments are welcome as well as any suggestions or total
> rewrites. :)
>
> Thanks,
>
> Jeremy Ford
> jford@apache.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
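
The role check described in the quoted proposal, as an added example that is not part of either message or of Jetspeed's code. It uses stand-in types instead of RunData and JetspeedSecurity, assumes the allowed_roles property holds a comma-separated list with exact-match role names, and denies access when the property is missing or the user has no roles.

```java
import java.util.*;

// Added illustration with stand-in types; not Jetspeed's real classes.
public class SecureActionCheck {
    // Property name taken from the proposal.
    static final String KEY = "services.JetspeedSecurity.secure_actions.allowed_roles";

    /** Parse the role list (comma-separated is an assumption); blank or missing yields an empty set. */
    static Set<String> allowedRoles(Properties props) {
        Set<String> roles = new HashSet<>();
        for (String r : props.getProperty(KEY, "").split(",")) {
            String t = r.trim();
            if (!t.isEmpty()) roles.add(t);
        }
        return roles;
    }

    /** Deny by default: no user roles, or no configured roles, means no access. */
    static boolean canUseSecureAction(Collection<String> userRoles, Set<String> allowed) {
        if (userRoles == null || allowed.isEmpty()) return false;
        return !Collections.disjoint(userRoles, allowed);
    }

    /** Shape of the proposed perform() override, with the denial logged instead of silent. */
    static String perform(String user, Collection<String> userRoles, Set<String> allowed) {
        if (canUseSecureAction(userRoles, allowed)) {
            return "performed";   // stands in for super.perform(rundata)
        }
        System.err.println("secure action denied for user=" + user);
        return "denied";
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty(KEY, "admin, portal-admin");   // constructed sample value
        Set<String> allowed = allowedRoles(props);

        // Constructed users: one with a matching role, one without, one anonymous.
        System.out.println(perform("alice", List.of("user", "admin"), allowed));
        System.out.println(perform("bob", List.of("user"), allowed));
        System.out.println(perform("anon", null, allowed));
        // Property absent: even an admin is refused rather than everyone being allowed.
        System.out.println(perform("alice", List.of("admin"), allowedRoles(new Properties())));
    }
}
```

The proposal's snippet skips `super.perform(rundata)` silently when the check fails; logging the refusal, as done here, gives operators a record of attempted use of a secured action.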