David,

No, I don't have any insight for you yet, but I'm trying to make sure I understand your intent here. You want to secure the portlet and its action as one (i.e. a portlet action should always use the security of the portlet it is associated with), right? And you don't want to do something like that in the base action class:

    JetspeedSecurity.checkPermission(rundata, JetspeedSecurity.PERMISSION_VIEW, portlet);

Whatever we come up with has to be done with JspPortletAction as well. What about securing non-portlet actions? Perhaps these actions should become another type of portal resource and extend JetspeedAction which, in turn, would be responsible for checking PERMISSION_EXECUTE.

Best regards,

Mark C. Orciuch
Next Generation Solutions, Ltd.
e-Mail: [EMAIL PROTECTED]
web: http://www.ngsltd.com

> -----Original Message-----
> From: David Sean Taylor [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 11, 2002 11:50 PM
> To: Jetspeed Developers List
> Subject: Securing VelocityPortlet actions
>
>
> I'd like to use the Jetspeed Security registry for securing access to
> Velocity portlet actions.
> I believe that Velocity portlet action events are a very big security hole in
> Jetspeed, and it should be fairly simple to plug it, one would think.
> A few weeks ago I reviewed the code, and it was the same old situation: we
> are in the action, but do we have access to the portlet....
>
> To make a long story short, I failed to get access to the portlet in the
> action when I needed it -- when an action event kicks off, it doesn't know
> about its portlet. Correct me if I'm wrong... I can just hear Raphael "it's
> easy, just do this..." and I hope he does, really.
>
> But since the action kicks off before the instance is created, it's even more
> difficult to get the portlet instance security-ref.
>
> Any insight on how to get the security constraints during an action event?
> I would like to put this code in one of the base classes. I don't want to be
> checking security in each and every one of my action events.
>
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
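
The design discussed in this thread, a single permission check in a base action class that runs before any action event, can be sketched as follows. This is an added example, not code from Jetspeed or from either poster: every type, the constraint table and the portlet id are hypothetical stand-ins, and denying the event when the action cannot identify its portlet is an assumption of the sketch.

```java
// Added illustration; every type here is a stand-in, not a Jetspeed class.
import java.util.Map;
import java.util.Set;

public class SecuredActionDemo {
    enum Permission { VIEW, EXECUTE }

    /** Constructed sample data standing in for a registry: portlet id -> role -> permissions. */
    static final Map<String, Map<String, Set<Permission>>> CONSTRAINTS = Map.of(
        "stock-quote", Map.of("user", Set.of(Permission.VIEW),
                              "admin", Set.of(Permission.VIEW, Permission.EXECUTE)));

    /** Hypothetical check; denies whenever the portlet or its constraint is unknown. */
    static boolean checkPermission(String role, Permission p, String portletId) {
        if (portletId == null) return false;               // action cannot name its portlet
        Map<String, Set<Permission>> byRole = CONSTRAINTS.get(portletId);
        if (byRole == null) return false;                  // no constraint registered
        return byRole.getOrDefault(role, Set.of()).contains(p);
    }

    /** Base class: the check lives here once, so individual event handlers cannot skip it. */
    static abstract class SecuredAction {
        /** Permission the events of this action need; subclasses may raise it. */
        protected Permission required() { return Permission.VIEW; }

        /** final, so a subclass can only supply doEvent() and never bypass the check. */
        public final String perform(String role, String portletId, String event) {
            if (!checkPermission(role, required(), portletId)) {
                return "denied";
            }
            return doEvent(event);
        }

        protected abstract String doEvent(String event);
    }

    /** Example action whose events change state, so it asks for EXECUTE. */
    static class UpdateQuoteAction extends SecuredAction {
        @Override protected Permission required() { return Permission.EXECUTE; }
        @Override protected String doEvent(String event) { return "ran " + event; }
    }

    public static void main(String[] args) {
        SecuredAction a = new UpdateQuoteAction();
        System.out.println(a.perform("admin", "stock-quote", "doUpdate")); // role holds EXECUTE
        System.out.println(a.perform("user", "stock-quote", "doUpdate"));  // role holds VIEW only
        System.out.println(a.perform("admin", null, "doUpdate"));          // portlet not resolved
    }
}
```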
