Author: rwatler
Date: Wed Apr 10 05:03:19 2013
New Revision: 1466335
URL: http://svn.apache.org/r1466335
Log:
JS2-1281: Implement security constraint reference expressions
Modified:
portals/site/jetspeed/jetspeed-2.1/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
Modified:
portals/site/jetspeed/jetspeed-2.1/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
URL:
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.1/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml?rev=1466335&r1=1466334&r2=1466335&view=diff
==============================================================================
---
portals/site/jetspeed/jetspeed-2.1/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
(original)
+++
portals/site/jetspeed/jetspeed-2.1/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
Wed Apr 10 05:03:19 2013
@@ -197,28 +197,47 @@ The * can be applied to roles, groups, u
</p>
</subsection>
<subsection name='Owner'>
- <p>
- TODO
- </p>
+<p>
+Resource owners are declared as a security constraint. Owning principals are
automatically granted ALL permissions.
+<source><![CDATA[
+ <owner>dilbert</owner>
+]]></source>
+</p>
</subsection>
</section>
<section name='Declarative and Global Constraints'>
<p>
-Declarative constraints are declared in the <b><i>page.security</i></b> file
of the root of a site.
+Declarative constraints are defined in the <b><i>page.security</i></b> file of
the root of a site.
Declarative constraints are referenced in pages and folders with the
<b><i>security-constraints-ref</i></b> tag.
Global constraints are also declarative constraints. They are also defined and
found in the <b><i>page.security</i></b> file in the root PSML repository.
The difference with global constraints is that they implicitly apply to all
folders and pages within the scope of the page.security file, (i.e. the site).
Note that there can be only one <b><i>page.security</i></b> file in a Jetspeed
installation.
+<source><![CDATA[
+ <security-constraints-def name="admin">
+ <security-constraint>
+ <roles>admin</roles>
+ <permissions>view, edit</permissions>
+ </security-constraint>
+ </security-constraints-def>
+ <global-security-constraints-ref>admin</global-security-constraints-ref>
+]]></source>
+Constraint names are limited to letters, numbers, "_", "-", and "."
characters.
</p>
+<subsection name='Constraints Reference Expressions'>
+<p>
+In addition to constraint reference by name, the
<b><i>security-constraints-ref</i></b> and
<b><i>global-security-constraints-ref</i></b> tags accept
+logical expressions with constraint reference operands to express more complex
grants. Expressions are normally employed when the default "OR" grant
+logic of security constraints lists becomes awkward or alternative logic such
as "AND" or "NOT" is required.
<source><![CDATA[
- <security-constraints-def name="admin">
- <security-constraint>
- <roles>admin</roles>
- <permissions>view, edit</permissions>
- </security-constraint>
- </security-constraints-def>
- <global-security-constraints-ref>admin</global-security-constraints-ref>
+ <global-security-constraints-ref>admin and
noc</global-security-constraints-ref>
+]]></source>
+<source><![CDATA[
+ <security-constraints-ref>(support || engineering) &&
!marketing</security-constraints-ref>
]]></source>
+Expressions are infix and support the following operators: "and", "or", "not",
"(", ")", "&&", "||" and "!". The usual operator precedence rules for
+logical expressions apply.
+</p>
+</subsection>
<subsection name='Default Constraints'>
<p>
Several security constraint declarations are made in the default
deployment of Jetspeed:
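Review bot: The second example in the new 'Constraints Reference Expressions' subsection shows a literal "&&" as element content: <security-constraints-ref>(support || engineering) && !marketing</security-constraints-ref>. It is safe in this xdoc only because it sits inside CDATA. A reader who pastes it into a PSML page or the page.security file gets XML that is not well-formed, because a bare "&" in element content has to be written as "&amp;". Suggest using the keyword form in the example, (support or engineering) and not marketing, or showing the escaped "&amp;&amp;" form, and adding one sentence that says the symbolic "&&" operator must be escaped when written in XML.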
@@ -316,6 +335,13 @@ only the view permission is checked agai
are tested only against the containing page.
</p>
</section>
+<section name='Portlet Constraints'>
+<p>Globally, these are set for a portlet or its portlet application using the
administration interface or in the applications's
<b><i>jetspeed-portlet.xml</i></b>. See Portal Components - Registry.</p>
+<p>However, these global security constraints are not checked by default at
render time for 'view', allowing 'view' if the user can see the portlet's
containing page.</p>
+<p>Security therefore relies on constraining access to folders and pages,
controlling who can add portlets and where, and constraining access to portlet
instances on a page individually by their containing fragments.</p>
+
+<p>To enable render-time security constraint checking as an extra catch-all,
see Portal Components - Registry.</p>
+</section>
<section name="Spring Configuration">
<p>
Declarative Security Constraints are enabled by default in the Spring
configuration of the
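Review bot: The new 'Portlet Constraints' section refers to "Portal Components - Registry" twice as plain text, with no link and no name for the setting that turns on render-time checking. This matters because the section states that global portlet constraints are not checked for 'view' at render time by default, so a reader who assumes a constraint in jetspeed-portlet.xml protects the portlet has no direct path to the option that enforces it. Suggest making both references links to the Registry guide and naming the configuration option in the last paragraph. Also a typo in the first paragraph: "applications's" should be "application's".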
Modified:
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
URL:
http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml?rev=1466335&r1=1466334&r2=1466335&view=diff
==============================================================================
---
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
(original)
+++
portals/site/jetspeed/jetspeed-2.2/jetspeed-guide-deploy/src/site/xdoc/guide-security-declarative-psml.xml
Wed Apr 10 05:03:19 2013
@@ -197,28 +197,47 @@ The * can be applied to roles, groups, u
</p>
</subsection>
<subsection name='Owner'>
- <p>
- TODO
- </p>
+<p>
+Resource owners are declared as a security constraint. Owning principals are
automatically granted ALL permissions.
+<source><![CDATA[
+ <owner>dilbert</owner>
+]]></source>
+</p>
</subsection>
</section>
<section name='Declarative and Global Constraints'>
<p>
-Declarative constraints are declared in the <b><i>page.security</i></b> file
of the root of a site.
+Declarative constraints are defined in the <b><i>page.security</i></b> file of
the root of a site.
Declarative constraints are referenced in pages and folders with the
<b><i>security-constraints-ref</i></b> tag.
Global constraints are also declarative constraints. They are also defined and
found in the <b><i>page.security</i></b> file in the root PSML repository.
The difference with global constraints is that they implicitly apply to all
folders and pages within the scope of the page.security file, (i.e. the site).
Note that there can be only one <b><i>page.security</i></b> file in a Jetspeed
installation.
+<source><![CDATA[
+ <security-constraints-def name="admin">
+ <security-constraint>
+ <roles>admin</roles>
+ <permissions>view, edit</permissions>
+ </security-constraint>
+ </security-constraints-def>
+ <global-security-constraints-ref>admin</global-security-constraints-ref>
+]]></source>
+Constraint names are limited to letters, numbers, "_", "-", and "."
characters.
</p>
+<subsection name='Constraints Reference Expressions'>
+<p>
+In addition to constraint reference by name, the
<b><i>security-constraints-ref</i></b> and
<b><i>global-security-constraints-ref</i></b> tags accept
+logical expressions with constraint reference operands to express more complex
grants. Expressions are normally employed when the default "OR" grant
+logic of security constraints lists becomes awkward or alternative logic such
as "AND" or "NOT" is required.
<source><![CDATA[
- <security-constraints-def name="admin">
- <security-constraint>
- <roles>admin</roles>
- <permissions>view, edit</permissions>
- </security-constraint>
- </security-constraints-def>
- <global-security-constraints-ref>admin</global-security-constraints-ref>
+ <global-security-constraints-ref>admin and
noc</global-security-constraints-ref>
+]]></source>
+<source><![CDATA[
+ <security-constraints-ref>(support || engineering) &&
!marketing</security-constraints-ref>
]]></source>
+Expressions are infix and support the following operators: "and", "or", "not",
"(", ")", "&&", "||" and "!". The usual operator precedence rules for
+logical expressions apply.
+</p>
+</subsection>
<subsection name='Default Constraints'>
<p>
Several security constraint declarations are made in the default
deployment of Jetspeed:
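Review bot: The closing sentence of the 'Constraints Reference Expressions' subsection, "The usual operator precedence rules for logical expressions apply", leaves the grant semantics implicit in a document that defines access control. Suggest stating the order explicitly (for example that "not" binds tighter than "and", which binds tighter than "or", if that is what the parser implements) and saying whether the spelled and symbolic operators are exact synonyms. The name rule added just above, "Constraint names are limited to letters, numbers, "_", "-", and "." characters", permits names made only of letters, so the text should also say whether a constraint named "and", "or" or "not" is rejected or how it is read inside an expression.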