Jetspeed 2
  1. Jetspeed 2
  2. JS2-1262

Enforced portlet level security constraints checking at render time through custom jetspeed-portlet.xml metadata

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: Security
    • Labels:
      None

      Description

      For some administrative portlets it is required to enforce security constraints on portlet definition level, e.g. restrict (all) usage for certain admin portlets to users having admin only.
      By default, Jetspeed only enforces portlet level security constraints (see: http://portals.apache.org/jetspeed-2/deployguide/guide-registry.html, section jetspeed-portlet.xml) while adding new portlet instances to a page/fragment.
      Once a portlet has been instantiated, only the page/fragment security constraints are enforced.

      This default behavior can be changed globally, but has rather a high impact as potentially the expected behavior of existing portlet instances might thereby change.

      As an light-weight alternative, I will add support for an additonal, portlet level meta data configuration through jetspeed-portlet.xml which allows turning this behavior on for individual portlets only.
      By adding a <js:metadata name="render-time.security-constraints">true</js:metadata> tag to a portlet configuration in jetspeed-portlet.xml, the security constraints for that portlet will be enforced at render time.

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Ate Douma
            Reporter:
            Ate Douma
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development