Hi there,
If I add the Authenticated-role to a page (using JBoss Portal 2.6.2 GA), it
seems to simply get ignored:
test-object.xml:
<?xml version="1.0" encoding="UTF-8"?>
<deployments>
   <deployment>
      <if-exists>overwrite</if-exists>
      <parent-ref>default</parent-ref>
      <page>
         <page-name>HelloWorld</page-name>
         <window>
            <window-name>HelloWorldPortletWindow</window-name>
            <instance-ref>HelloWorldPortletInstance</instance-ref>
            <region>center</region>
            <height>0</height>
         </window>
         <security-constraint>
            <policy-permission>
               <role-name>Authenticated</role-name>
               <action-name>view</action-name>
            </policy-permission>
         </security-constraint>
      </page>
   </deployment>
</deployments>
The role is added to portlet.xml and can be verified using
request.isUserInRole("Authenticated").
If I add the same role to the portlet-instances.xml, then it works immediately:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!DOCTYPE deployments PUBLIC
   "-//JBoss Portal//DTD Portlet Instances 2.6//EN"
   "http://www.jboss.org/portal/dtd/portlet-instances_2_6.dtd">
<deployments>
   <deployment>
      <if-exists>overwrite</if-exists>
      <instance>
         <instance-id>HelloWorldPortletInstance</instance-id>
         <portlet-ref>HelloWorldPortlet</portlet-ref>
         <security-constraint>
            <policy-permission>
               <role-name>Authenticated</role-name>
               <action-name>view</action-name>
            </policy-permission>
         </security-constraint>
      </instance>
   </deployment>
</deployments>
Environment info:
JBoss 4.0.5 GA
JBoss Portal 2.6.2 GA
JDK 1.5
Could it be that the page-level security is no longer working with JBoss Portal
2.6.2 GA?
I read in an earlier post that the unchecked access using "read recursive" has
to be disabled from the default-portal, but I believe that the role security
should be way stronger than any default configuration.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4103906#4103906
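Added example (not part of the original post and not JBoss Portal code): a small Python audit that flags pages whose role-restricted `view` constraint sits under a portal or parent page granting unchecked recursive view. It assumes grants are additive down the object tree, that the post's "read recursive" is the `viewrecursive` action, and a constructed descriptor with the page nested inside its portal; `grants` and `shadowed_pages` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the portal grants unchecked viewrecursive (assumed to be
# what the post calls "read recursive"); HelloWorld mirrors the post's page.
SAMPLE = """<deployments><deployment><parent-ref/><portal>
  <portal-name>default</portal-name>
  <security-constraint><policy-permission>
    <unchecked/><action-name>viewrecursive</action-name>
  </policy-permission></security-constraint>
  <page><page-name>HelloWorld</page-name>
    <security-constraint><policy-permission>
      <role-name>Authenticated</role-name><action-name>view</action-name>
    </policy-permission></security-constraint>
  </page>
  <page><page-name>Open</page-name></page>
</portal></deployment></deployments>"""

UNCHECKED = "*unchecked*"

def grants(node):
    """Return {(principal, action)} from the node's own security-constraint."""
    out = set()
    for perm in node.findall("security-constraint/policy-permission"):
        who = [UNCHECKED] if perm.find("unchecked") is not None else []
        who += [r.text.strip() for r in perm.findall("role-name")]
        for act in perm.findall("action-name"):
            out.update((w, act.text.strip()) for w in who)
    return out

def shadowed_pages(xml_text):
    """List (path, roles) for pages whose role-only view grant is overridden
    by an ancestor's unchecked viewrecursive (additive model assumed)."""
    findings = []

    def walk(node, inherited_open, path):
        own = grants(node)
        name = node.findtext("portal-name") or node.findtext("page-name") or ""
        path = path + [name.strip()]
        if node.tag == "page" and inherited_open:
            roles = sorted(w for w, a in own if a == "view" and w != UNCHECKED)
            if roles:
                findings.append((".".join(path), roles))
        open_below = inherited_open or (UNCHECKED, "viewrecursive") in own
        for child in node.findall("page"):
            walk(child, open_below, path)

    for portal in ET.fromstring(xml_text).iter("portal"):
        walk(portal, False, [])
    return findings
```

Each finding names a page where the role constraint adds nothing under that assumed model, because anonymous users already inherit view access from above.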