List: jetspeed-user
Subject: Re: jetspeed-newbie Roles-Groups-Users
From: Randy Watler <rwatler () finali ! com>
Date: 2004-11-29 18:04:30
Message-ID: 41AB64AE.7000403 () finali ! com
Marina,

There are two different Roles/Groups/Users domains in effect: Tomcat's
and Jetspeed's. Jetspeed has its own JAAS login/logout that is managed
separately from the global Tomcat configuration (see jetspeed.xml for
the JAAS Realm definition). Configuration of Tomcat's Realm is only
necessary for running the manager/admin application to deploy portlet
webapps.

I am not sure why your Tomcat security configuration did not control
access to the Jetspeed application as a whole (I am not an expert there,
to say the least; I've never had to use that, believe it or not).

To use the portlet security, you'll probably need to configure the
Jetspeed realm correctly or use the demo logins. Like I said, I am not
sure portlet security is implemented at this time, YMMV. See the
populate-userinfo-for-default-psml.sql script.

For page level security, see the demo psml pages under
jetspeed/WEB-INF/pages. No document on this stuff yet... it is very new
and still settling in.

I will mail a PDF version of the profiling document to you in a few minutes.

Randy

Marina wrote:
>Randy,
>Thanks a lot for your response.
>
>I indeed have more specific question on the security
>setup in J2.
>I should note right away that I apologize if these
>questions are answered in the documentation you
>mentioned - I was not able to read it as it seems to
>be in the .sxw format (StarOffice, I think ?). Any
>idea how to convert them into some other format if I
>don't have StarOffice readily available?
>
>Now to my questions.
>I'm trying to do a very common thing: require a user
>to log in when he accesses the portal for the first
>time, and then show only those portlets that this user
>is authorized to see, and give him only those access
>rights to some functionality (buttons, links in the
>portlets) that he is authorized to do.
>
>First off, I was not sure how to limit access to the
>portal as a whole - usually you do that kind of thing
>in the web.xml descriptor of the web application. I
>guess that would be the
>$TOMCAT_HOME/webapps/jetspeed/WEB-INF/web.xml
>But then, would it not be overwritten when Jetspeed is
>redeployed using the Maven build scripts? And what
><url-pattern> would I have to specify - /jetspeed/* or
>something like that?
>
>Anyway, I decided to try to protect the main portlet
>as the first step. In my portlet's web.xml I specified:
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure EventCalendar</web-resource-name>
>      <url-pattern>/EventsCalendarPortlet/*</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>dce_admin</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>  </login-config>
>  <security-role>
>    <role-name>dce_admin</role-name>
>  </security-role>
>
>and I have a corresponding role defined in the
>tomcat-users.xml:
>  <role rolename="dce_admin"/>
>  <user username="dce_admin" password="some_password" roles="dce_admin"/>
>
>Since I could not find any Jetspeed-specific
>information on specifying security constraints for
>individual portlets, I just used the Portlet
>Specification as the guide and added this to the
>portlet's portlet.xml:
>
>  <security-role-ref>
>    <role-name>dce_admin</role-name>
>    <role-link>dce_admin</role-link>
>  </security-role-ref>
>
>The EventsCalendarPortlet got deployed into J2 just
>fine, but it was displayed in the portal without
>prompting me for any username/password.
>
>If you could give me any pointers as to what I'm
>missing and what would the main steps be to achieve
>what I'm trying to do it would be great!
>
>Sorry for such a long e-mail,
>
>thanks!
>Marina
>
>--- Randy Watler <rwatler@finali.com> wrote:
>
>
>
>>MP,
>>
>>I am more or less responsible for the J2 profiling
>>and security features.
>>
>>There is some documentation in the J2 design-docs
>>under the profiler
>>directory, (pull from CVS).
>>
>>Also the demo configuration for user/user,
>>(username=user, password=user),
>>uses profiling extensively to customize its view and
>>security to limit its
>>access to the admin pages/portlets.
>>
>>BTW, this functionality is page based, not portlet
>>based. Portlet security
>>constraints can be specified in the portlet.xml, but
>>I am not sure if they
>>are 100% implemented at this point.
>>
>>Feel free to send more specific J2 questions to the
>>list.
>>
>>HTH,
>>
>>Randy Watler
>>
>>-----Original Message-----
>>From: M P
>>To: Jetspeed Users List
>>Sent: 11/27/04 12:10 PM
>>Subject: Re: jetspeed-newbie Roles-Groups-Users
>>
>>Hi, David,
>>
>>The documentation you mentioned is for Jetspeed 1. Is
>>it also true for Jetspeed2? If not - could you point
>>me to where I could find it for J2? I looked through
>>all documentation on the J2 home page and Wikis and
>>could not find anything on how to control access to
>>specific portlets based on user roles/groups.
>>
>>Thank you!
>>Marina
>>
>>--- David Sean Taylor <david@bluesunrise.com> wrote:
>>
>>
>>
>>>Thilina wrote:
>>>
>>>
>>>
>>>>Hi,
>>>>I need to do the following thing using Jetspeed:
>>>>
>>>>Creating......
>>>>3 roles - Admin, Executive, Developer
>>>>2 Groups - Administration, Users
>>>>100 of users - CEO, CFO, admin, aaa, bbb, ccc, etc........
>>>>
>>>>Setting............
>>>>Admin and Executive belong to Administrative Group
>>>>Developer belongs to Users Group
>>>>
>>>>CEO and CFO are Executive Roles
>>>>admin user belongs to Admin role
>>>>aaa, bbb, ccc, etc.... belong to Developer role
>>>>
>>>>Users group only has rights to view the information.
>>>>Admin role has all the control except viewing some confidential
>>>>information such as Banking and Finance information. Only CEO and CFO
>>>>have rights to access that information.
>>>>
>>>>Admin could lock and unlock accounts except CEO and CFO.
>>>>
>>>>Is this kind of activity achievable using Jetspeed 1.5?
>>>
>>>Yes.
>>>To see the User Admin, go here:
>>>
>>>http://wwww.bluesunrise.com/jetspeed
>>>
>>>login as user = admin, pw = (send me an email
>>>personally to get it)
>>>
>>>Go to the security tab, and then "Security Browser"
>>>
>>>Here you can see how to set up security constraints
>>>
>>>You will also see how to administer roles, groups
>>>and users here.
>>>
>>>Also, docs are here:
>>>
>>>http://portals.apache.org/jetspeed-1/security.html#Registry_Access_Control
>>>
>>>--
>>>David Sean Taylor
>>>Bluesunrise Software
>>>david@bluesunrise.com
>>>[office] +01 707 773 4646
>>>[mobile] +01 707 529 9194
>>>
>>>
>>>
>>>
>---------------------------------------------------------------------
>
>
>>>To unsubscribe, e-mail:
>>>jetspeed-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail:
>>>jetspeed-user-help@jakarta.apache.org
>>>
>>>
>>>
>>>
>>
>
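
An added example, not part of the thread or of Jetspeed's code: a Python check that parses the web.xml constraint quoted above (embedded as a constructed sample) and flags three container-security pitfalls in it. The function name `audit_web_xml` and the context path `/EventsCalendarPortlet` are assumptions; the thread does not say where the portlet webapp was deployed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post, wrapped in a <web-app> root.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure EventCalendar</web-resource-name>
      <url-pattern>/EventsCalendarPortlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>dce_admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>dce_admin</role-name></security-role>
</web-app>"""


def _texts(node, name):
    """Text of every descendant element called `name`, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in node.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def audit_web_xml(xml_text, context_path):
    """Return findings for each <security-constraint> in a web.xml document."""
    root = ET.fromstring(xml_text)
    basic = "BASIC" in _texts(root, "auth-method")
    prefix = context_path.rstrip("/") + "/"  # assumed deployment context path
    findings = []
    for sc in root.iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        name = (_texts(sc, "web-resource-name") or ["(unnamed)"])[0]
        methods = _texts(sc, "http-method")
        if methods:  # listed methods are the only ones constrained
            findings.append(f"{name}: only {'/'.join(methods)} constrained")
        for pattern in _texts(sc, "url-pattern"):
            # url-patterns match the path after the context path
            if prefix != "/" and pattern.startswith(prefix):
                findings.append(f"{name}: url-pattern {pattern} repeats context path")
        if (basic and _texts(sc, "role-name")
                and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee")):
            findings.append(f"{name}: BASIC login without CONFIDENTIAL transport")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML, "/EventsCalendarPortlet"):
        print(finding)
```

A clean report only covers requests that reach the webapp directly from a client; the Servlet specification does not apply these constraints when a resource is invoked through a RequestDispatcher include or forward.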