portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Orciuch" <mark_orci...@ngsltd.com>
Subject RE: [J1] [PROPOSAL] Secure Actions enhancement
Date Sat, 10 Jan 2004 04:43:53 GMT
> Originally, the check was there to avoid hard coding a specific
> role in the
> action.  Also, this provides a method of security for Turbine actions as
> well as portlet actions.
> I like the idea of using the portlet's security access.  The only
> question I
> have deals with action events.  Most of the portlets were written
> before the
> GenericMVCPortlet and GenericMVCAction were created.  To fire
> actions/events, they specify the action on the url.  Because of this,
> Turbine runs the action event before the GenericMVCAction does.
> When this
> happens, there is no portlet in the context.  What should be done in this
> case?  Can the security access still be used?

This is why we concluded before that a viable solution would be to create a
custom portlet action loader which would replace the Turbine's. The portlet
action loader would always check the portlet's security ref before allowing
the action to proceed. I haven't thought this completely thru so there may
be other complications.

IMO that would be a good approach but minimally it would require moving all
portlet actions to a separate package (a.j.modules.portletaction) so it's a
backward compatibility issue.

Best regards,

Mark Orciuch - morciuch@apache.org
Jakarta Jetspeed - Enterprise Portal in Java

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

View raw message