  1. Jetspeed 2 (Retired)
  2. JS2-1262

Enforced portlet level security constraints checking at render time through custom jetspeed-portlet.xml metadata


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: Security
    • Labels: None

    Description

      For some administrative portlets it is required to enforce security constraints on portlet definition level, e.g. restrict (all) usage for certain admin portlets to users having admin only.
      By default, Jetspeed only enforces portlet level security constraints (see: http://portals.apache.org/jetspeed-2/deployguide/guide-registry.html, section jetspeed-portlet.xml) while adding new portlet instances to a page/fragment.
      Once a portlet has been instantiated, only the page/fragment security constraints are enforced.

      This default behavior can be changed globally, but has rather a high impact as potentially the expected behavior of existing portlet instances might thereby change.

      As a lightweight alternative, I will add support for an additional, portlet level metadata configuration through jetspeed-portlet.xml which allows turning this behavior on for individual portlets only.
      By adding a <js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time.
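
An audit sketch for the setting described above, added here as an example and not taken from the Jetspeed code base: it parses a jetspeed-portlet.xml descriptor and reports which portlet definitions carry a security constraint but are not flagged for render-time enforcement. The `js:` namespace URI, the `js:security-constraint-ref` element, the sample portlet names and the `admin` constraint name are assumptions; only portlet-level entries are inspected.

```python
import xml.etree.ElementTree as ET

FLAG = "render-time.security-constraints"  # metadata name from the issue text

# Constructed sample descriptor; namespace URI and element layout are assumptions.
SAMPLE = """<portlet-app id="demo-admin" version="1.0"
    xmlns="http://portals.apache.org/jetspeed"
    xmlns:js="http://portals.apache.org/jetspeed">
  <portlet>
    <portlet-name>UserAdminPortlet</portlet-name>
    <js:security-constraint-ref>admin</js:security-constraint-ref>
    <js:metadata name="render-time.security-constraints">true</js:metadata>
  </portlet>
  <portlet>
    <portlet-name>RoleAdminPortlet</portlet-name>
    <js:security-constraint-ref>admin</js:security-constraint-ref>
  </portlet>
  <portlet>
    <portlet-name>WeatherPortlet</portlet-name>
  </portlet>
</portlet-app>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return {portlet-name: status} for every portlet definition."""
    report = {}
    root = ET.fromstring(xml_text)
    for portlet in (e for e in root.iter() if local(e.tag) == "portlet"):
        name, constraint, flagged = None, None, False
        for child in portlet:
            tag, text = local(child.tag), (child.text or "").strip()
            if tag == "portlet-name":
                name = text
            elif tag == "security-constraint-ref":
                constraint = text
            elif tag == "metadata" and child.get("name") == FLAG:
                flagged = text == "true"  # value exactly as shown in the issue
        if constraint is None:
            report[name] = "no portlet-level constraint"
        elif flagged:
            report[name] = "enforced at render time"
        else:
            report[name] = "enforced only when added to a page"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```
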

          People

            ate Ate Douma