Jetspeed 2 / JS2-1263

Hardening j2-admin security by restricting access to hot deployment and portlet metadata features to admin role only

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: Admin Portlets
    • Labels:
      None

      Activity

      Transition            Time In Source Status  Execution Times  Last Executer  Last Execution Date
      Open → Resolved       46m 7s                 1                Ate Douma      04/Oct/11 05:12
      Resolved → Reopened   7h 42m                 1                Ate Douma      04/Oct/11 12:54
      Reopened → Resolved   11m 46s                1                Ate Douma      04/Oct/11 13:06
      Ate Douma made changes -
      Status Reopened [ 4 ] Resolved [ 5 ]
      Resolution Fixed [ 1 ]
      Ate Douma added a comment -

      redundant psml security constraints removed again

      Ate Douma made changes -
      Resolution Fixed [ 1 ]
      Status Resolved [ 5 ] Reopened [ 4 ]
      Ate Douma added a comment -

      I added a bit too many redundant psml level constraints on these admin portlets where their psml folders already enforced this by inheritance.
      For the 'classic' (portal) demo pages however, these are needed as that demo configuration allows access for both the admin and manager roles to the Administration portlets by default (folder level constraint).

      Note: these psml constraints are not so much needed to enforce the 'locking down' of these portlets, only to prevent rendering the 'Access Denied' message on their Portlet Window if a user is not allowed to execute the portlet. With these psml constraints the portlet window won't be rendered at all.

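The two layers described in the comment above can be modelled as follows. This is an added example, not Jetspeed code and not part of the original issue: the `Node` class, `render_window` function and the folder and fragment names are hypothetical, and the layouts are constructed. It shows that the render-time check is what locks the portlet down, while the layout-level constraint only decides whether the window appears at all.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Node:
    """Folder, page or fragment; roles=None means 'inherit from parent'."""
    name: str
    roles: Optional[Set[str]] = None
    parent: Optional["Node"] = None

    def effective_roles(self) -> Optional[Set[str]]:
        node = self
        while node is not None:          # nearest declared constraint wins
            if node.roles is not None:
                return node.roles
            node = node.parent
        return None                      # nothing declared: unrestricted

def render_window(fragment: Node, portlet_roles: Set[str], user_roles: Set[str]) -> str:
    allowed = fragment.effective_roles()
    if allowed is not None and not (allowed & user_roles):
        return "not rendered"            # layout-level constraint hides the window
    if not (portlet_roles & user_roles):
        return "Access Denied"           # render-time check is the actual lock
    return "content"

ADMIN_ONLY = {"admin"}                   # role required by the locked-down portlets

def demo() -> dict:
    # Constructed layouts, not taken from the Jetspeed distribution.
    classic = Node("classic-admin-folder", roles={"admin", "manager"})
    locked = Node("admin-only-folder", roles={"admin"})
    cases = {
        "classic/inherited": Node("pam", parent=classic),
        "classic/constrained": Node("pam", roles={"admin"}, parent=classic),
        "locked/inherited": Node("pam", parent=locked),
    }
    users = {"manager": {"manager"}, "admin": {"admin"}}
    return {(c, u): render_window(f, ADMIN_ONLY, r)
            for c, f in cases.items() for u, r in users.items()}

if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
```

In the `locked/inherited` case the fragment needs no constraint of its own, which is the redundancy the comment refers to.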
      Ate Douma made changes -
      Status Open [ 1 ] Resolved [ 5 ]
      Resolution Fixed [ 1 ]
      Ate Douma added a comment -

      Both portlet render time enforcement of admin constraints and related psml level admin constraints (hiding portlets/pages instead of showing 'Access Denied') added.
      See also JS2-1262 for more detail concerning individual portlet render time constraints checking configuration.

      Portlets/pages 'locked down' this way:

      • PAM (Portlet Application Manager)
      • RPAD (Remote Portlet Application Deployer)
      • Permissions & Constraints management
      • PortalDataSerializer (Import/Export)
      Ate Douma made changes -
      Field Original Value New Value
      Fix Version/s 2.2.2 [ 12313846 ]
      Affects Version/s 2.2.1 [ 12313443 ]
      Component/s Admin Portlets [ 11180 ]
      Ate Douma created issue -

        People

        • Assignee:
          Ate Douma
          Reporter:
          Ate Douma
        • Votes:
          0
          Watchers:
          0