Jetspeed 2 / JS2-1263

Hardening j2-admin security by restricting access to hot deployment and portlet metadata features to admin role only

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: Admin Portlets
    • Labels:
      None

      Activity

      Ate Douma added a comment -

      redundant psml security constraints removed again

      Ate Douma added a comment -

      I added a few too many redundant psml-level constraints on these admin portlets where their psml folders already enforced this by inheritance.
      For the 'classic' (portal) demo pages, however, these are needed, as that demo configuration allows access for both the admin and manager roles to the Administration portlets by default (folder-level constraint).

      Note: these psml constraints are not so much needed to enforce the 'locking down' of these portlets, only to prevent rendering the 'Access Denied' message on their Portlet Window if a user is not allowed to execute the portlet. With these psml constraints the portlet window won't be rendered at all.

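The layering the comment above describes, as an added illustration that is not part of this issue or of the Jetspeed 2 source tree: a folder.metadata that (as in the 'classic' demo) grants both the admin and manager roles access to the Administration folder, and a page inside that folder whose admin-only fragment carries its own psml security-constraint so the portlet window is not rendered at all for a manager, rather than rendering with an 'Access Denied' message. The folder and page titles and the fragment id and portlet name (j2-admin::EXAMPLE_ADMIN_PORTLET) are placeholders, not the real j2-admin portlet names; the security-constraints element syntax is the standard Jetspeed 2 PSML form.

```xml
<!-- folder.metadata (placeholder content): folder-level constraint inherited by every page in it.
     Both admin and manager can view the folder, as in the 'classic' demo configuration. -->
<folder>
  <title>Administration (example)</title>
  <security-constraints>
    <security-constraint>
      <roles>admin, manager</roles>
      <permissions>view, edit</permissions>
    </security-constraint>
  </security-constraints>
</folder>

<!-- admin-tools.psml (placeholder page) in that folder.
     The page inherits the folder constraint (admin or manager may view the page),
     but the fragment below adds an admin-only constraint of its own. Because the
     constraint is evaluated at the psml level, a manager never gets this portlet
     window rendered; the portlet's own render-time admin check (see JS2-1262)
     remains the actual enforcement layer if the portlet is reached some other way. -->
<page>
  <title>Admin Tools (example)</title>
  <fragment id="admin-tools-layout" type="layout" name="jetspeed-layouts::VelocityOneColumn">
    <fragment id="admin-only-portlet" type="portlet" name="j2-admin::EXAMPLE_ADMIN_PORTLET">
      <security-constraints>
        <security-constraint>
          <roles>admin</roles>
          <permissions>view, edit</permissions>
        </security-constraint>
      </security-constraints>
    </fragment>
  </fragment>
</page>
```

Put the fragment-level constraint only where the enclosing folder is broader than admin; where the folder (or the page) already restricts to admin, the fragment constraint is redundant, which is exactly what the later comment on this issue removed again.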
      Ate Douma added a comment -

      Both portlet render-time enforcement of admin constraints and the related psml-level admin constraints (hiding portlets/pages instead of showing 'Access Denied') added.
      See also JS2-1262 for more detail concerning the configuration of individual portlet render-time constraint checking.

      Portlets/pages 'locked down' this way:

      • PAM (Portlet Application Manager)
      • RPAD (Remote Portlet Application Deployer)
      • Permissions & Constraints management
      • PortalDataSerializer (Import/Export)

        People

        • Assignee:
          Ate Douma
          Reporter:
          Ate Douma
        • Votes:
          0
          Watchers:
          0
