taylor      2004/04/09 02:18:03

  Added:       tutorial/xdocs/4 index.xml users-roles.xml customizer.xml
                        features.xml concepts.xml example.xml deploy.xml
  Log:
  converted chapter 4 to xdocs

  

  
  Revision  Changes    Path
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/index.xml
  
  Index: index.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Site Security</title>
    </properties>
  
  <body>
  
  <section name="Site Security">
  <p>
  Securing portal resources is a very important part of defining your portal site. 
  You do not want non-authorized users accessing critical resources. 
  Jetspeed has a declarative security registry for doing so. This section will cover:
  </p>
  <p>
  <ul>
  <li>1. <a href='concepts.html'>1. Jetspeed Security Concepts</a></li>
  <li>2. <a href='users-roles.html'>2. Managing Users and Roles</a></li>
  <li>3. <a href='features.html'>3. Security Features</a></li>
  <li>4. <a href='customizer.html'>4. Using the Customizer to Secure Portal 
Resources</a></li>
  <li>5. <a href='example.html'>5. The Security Example Portlet</a></li>
  <li>6. <a href='deploy.html'>Deploy</a></li>
  </ul>
  </p>
  <p>
  Lets get started. From the JPortal /tutorial distribution root directory, type:
  </p>
  <hr/>
  <code>
        maven -Dtutorial=4 jetspeed:war
  </code>
  <hr/>
  <p>
  Recommend bringing up these configuration files in your editor:
  </p>
  <p>
  <hr/>
  <code>
  <ul>
  <li>1. tutorials/4/JetspeedSecurity.properties.merge</li>
  <li>2. tutorials/4/templates/vm/portlets/html/simple-security.vm</li>
  <li>3. tutorials/4/anon/html/default.psml</li>
  <li>4. tutorials/4/turbine/html/default.psml</li>
  <li>5. tutorials/4/t4-portlets.xreg</li>
  <li>6. tutorials/4/JetspeedResources.properties.merge</li>
  </ul>
  </code>
  <hr/>
  </p>
  <p>
  since we will reference them in tutorial 4.
  </p>
  </section>
  </body>
  </document>
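
Review bot: In the section list, items 1 to 5 carry their number twice, once as literal text in the `<li>` and again inside the link text (`<li>1. <a href='concepts.html'>1. Jetspeed Security Concepts</a></li>`), while item 6 has it only once. Use an `<ol>` and drop the hand-typed numbers, here and in the configuration-file list. Both `<ul>` elements are nested inside `<p>`, and the second also inside `<code>`, which is not valid block nesting. The files are listed under `tutorials/4/` while the build is run from the `/tutorial` root, so one of the two spellings should be confirmed. "Lets" should be "Let's", and the trailing fragment "since we will reference them in tutorial 4." belongs in the sentence that introduces the list.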
  
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/users-roles.xml
  
  Index: users-roles.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Authenticated User</title>
    </properties>
  
  <body>
  
  <section name="Authenticated User">
  <p>
  Jetspeed provides several administrative portlets to manage users, groups, roles and 
permissions. 
  To see them, logon with the username/password = admin/jetspeed. 
  Click on the Security menu item, and should see something like this:
  </p>
  <p>                    
  <img border='0' width='553' height='162' src="../images/image004-1.jpg"/>
  </p>
  <p>
  The User Browser allows you to add/edit/delete users, 
  and associate relationships between users-groups and user-roles. 
  The other browsers provide add/edit/delete maintenance for roles, groups and 
permissions. 
  </p>
  <p>                    
  <img border='0' width='192' height='228' src="../images/image004-2.jpg"/>
  </p>
  <p>
  The user/group association isnt used specifically by the default security system. 
  User/role associations are used throughout the system to perform role-based security 
checks. 
  A security constraint in Jetspeed is defined between a role and a resource for a 
given action (permission). 
  In this example from a security registry, we are declaring a role-based declarative 
security constraint 
  called <b>requires-accountManager</b>.
  </p>
  <source>
  <![CDATA[
    <security-entry name="requires-accountManager">
          <meta-info>
              <title>Account Manager</title>
              <description>Grant full access to Account Manager Role, read
                           access to Support Role.</description>
          </meta-info>
          <access action="*">
              <allow-if role="accountManager"/>
              <allow-if role="admin"/>
          </access>
          <access action="view">
              <allow-if role="guest"/>
          </access>
      </security-entry>
  ]]>    
  </source>
  <p>
  We are granting full access to users with the role <b>accountManager</b> or 
<b>admin</b> for all actions(permissions), 
  but only granting view access to users with the role <b>guest</b>. 
  All other users are denied access to the resource protected by this constraint.
  </p>
  <p>
  We will look at how to associate a security registry entry with a portal resource in 
the section after next.
  </p>
  </section>
  </body>
  </document>
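
Review bot: The `<description>` in the `requires-accountManager` entry says read access goes to the Support Role, but the `<access action="view">` block allows `guest`, and the paragraph after it also says guest. Align the description with the rule, since readers will copy this entry as a template for their own constraints. The page also gives the login as admin/jetspeed without saying that this default password should be changed before the portal is exposed. The `<title>` and section name are "Authenticated User", while index.xml links this page as "Managing Users and Roles".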
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/customizer.xml
  
  Index: customizer.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Using the Customizer to Secure Portal Resources</title>
    </properties>
  
  <body>
  
  <section name="Using the Customizer to Secure Portal Resources">
  <p>
  The customizer can be used to secure access to:
  </p>
  <p>
  <ul>
  <li>1. Portlet Entries(instances), using the Portlet Customizer</li>
  <li>2. Portlet Pages, Panes, or Sets</li>
  </ul>
  </p>
  <p>
  The Customizer allows for the editing of the security constraint for any portlet 
page, pane or set. 
  However, the currently logged on user must have the admin role in order to see this 
dropdown:
  </p>
  <p>                    
  <img border='0' width='295' height='239' src="../images/image004-3.jpg"/>
  </p>
  <p>
  The default Portlet Customizer supports the editing of security constraints on any 
portlet entry(instance):
  </p>
  <p>                    
  <img border='0' width='554' height='157' src="../images/image004-4.jpg"/>
  </p>
  <p>
  Portlets can also have security references set, but only the Security ID drop-down 
widget is only displayed 
  if the current user has the admin role. Security refs may also be added directly to 
the PSML file with a text editor:
  </p>
  <source>
  <![CDATA[
     <portlet-entry name="GroupForm" hidden="false" type="ref"
  
          parent="CustomizerVelocity" application="false">
  
          <security-ref parent="admin-only"/>
  ]]>    
  </source>
  </section>
  </body>
  </document>
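
Review bot: The `<portlet-entry name="GroupForm" ...>` sample is never closed, so the snippet is not well-formed as shown; add the closing `</portlet-entry>` or an explicit elision so readers can see where `<security-ref parent="admin-only"/>` sits. The sentence introducing it, "but only the Security ID drop-down widget is only displayed if the current user has the admin role", has a doubled "only" and reads as if part of it was cut. It also says the ref goes in the PSML file, while the PSML sample in example.xml uses `<portlets>` and `<entry>` rather than `<portlet-entry>`, so state which file this element belongs to.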
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/features.xml
  
  Index: features.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Security Features</title>
    </properties>
  
  <body>
  
  <section name="Security Features">
  <p>
  Jetspeed has a number of configurable security settings. 
  You can find most of these in the <b>JetspeedSecurity.properties</b> file. 
  We will cover the ones that will probably be most used in a standard portal 
configuration.
  </p>
  <p>
  <b>Programmatic Security</b>
  </p>
  <p>
  Jetspeed can perform programmatic cascade deletes when deleting security objects. 
  For example, when a user is deleted, all role and group associations will be 
  automatically deleted with that user. This setting should be set to true for 
  your database if it doesnt support cascading deletes. You would want to set this to 
true for the Hypersonic database.
  </p>
  <source>
  services.JetspeedSecurity.programmatic.cascade.delete = false  
  </source>
  <p>
  <b>Secure Passwords</b>
  </p>
  <p>
  Make the password checking secure. 
  When enabled, passwords are transformed by a one-way function into a sequence of 
bytes that is base64 encoded. 
  When a user logs in, the entered password is transformed the same way and then 
compared with stored the value. 
  The algorithm property lets you choose what digest algorithm will be used for 
encrypting passwords. 
  Check documentation of your JRE for available algorithms.
  </p>
  <source>
  services.JetspeedSecurity.secure.passwords = false
  services.JetspeedSecurity.secure.passwords.algorithm = SHA
  </source>
  <p>
  <b>New User Roles</b>
  </p>
  <p>
  When a new user is created, one or more roles can be assigned to that user. 
  Multiple Role must be comma separated.
  </p>
  <source>
  services.JetspeedSecurity.newuser.roles = user
  </source>
  <p>
  <b>Default Permissions</b>
  </p>
  <p>
  When a security resource has no permissions defined, these are the default 
permissions(actions) that are 
  applied to the security check. The following permissions are defined in the default 
Jetspeed installation: 
  view, customize, minimize, maximize, close, info, detach. 
  Specifying * denotes all permissions. 
  The default settings can differ can be set for both anonymous access and 
authenticated (logged in) access.
  </p>
  <source>
  services.JetspeedSecurity.permission.default.anonymous=view
  services.JetspeedSecurity.permission.default.loggedin=*
  </source>
  <p>
  <b>Case Insensitive Usernames and Passwords</b>
  </p>
  <p>
  These options configure the logon username and password to be case sensitive or 
insensitive. 
  When enabled, the <b>logon.casesensitive.upper</b> property controls whether the 
username 
  and password are converted to upper or lower case before passing them on to the 
database.
  </p>
  <source>
  services.JetspeedSecurity.caseinsensitive.username=false
  services.JetspeedSecurity.caseinsensitive.password=false
  services.JetspeedSecurity.caseinsensitive.upper=true
  </source>
  
  <p>
  <b>Auto-Account Disable</b>
  </p>
  <p>
  The Auto-Account-Disable Feature combines with the Logon-Strike-Count feature to 
disable accounts 
  that may be under hacker attack. The strike count is over the strike interval. 
  In the example below, 3 failed logons over five minutes would result in the account 
being disabled.
  </p>
  <source>
  services.JetspeedSecurity.logon.auto.disable=false
  services.JetspeedSecurity.logon.strike.count=3
  services.JetspeedSecurity.logon.strike.interval=300
  services.JetspeedSecurity.logon.strike.max=10
  </source>
  
  <p>
  <b>Password Expiration</b>
  </p>
  <p>
  Number of days until password expires. To disable this feature, set it to 0.
  </p>
  <source>
  services.JetspeedSecurity.password.expiration.period = 0
  </source>
  
  <p>
  <b>Anonymous User Account</b>
  </p>
  <p>
  The anonymous user is actually stored in the database. The username is configurable.
  </p>
  <source>
  services.JetspeedSecurity.user.anonymous=anon
  </source>
  
  <p>
  <b>Disabling the Portlet Action Buttons</b>
  </p>
  <p>
  Portlets are decorated with window controls (portlet action buttons). 
  Some of these (the default) controls display action buttons. 
  These action buttons can be enabled or disabled for all authenticated users, or for 
the anonymous user. 
  </p>
  <source>
  services.JetspeedSecurity.actions.anon.disable = true
  services.JetspeedSecurity.action.allusers.disable = false
  </source>
  
  </section>
  </body>
  </document>
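
Review bot: Under "Case Insensitive Usernames and Passwords" the prose names the property `logon.casesensitive.upper`, but the `<source>` block sets `services.JetspeedSecurity.caseinsensitive.upper`; make the text match the key readers will actually edit. Several samples also contradict their own paragraphs: the Auto-Account Disable text says three failed logons "would result in the account being disabled" while the sample has `logon.auto.disable=false`, and the cascade-delete text says to use true for Hypersonic while the sample shows false. `logon.strike.max=10` is listed but never explained. Under "Secure Passwords" the text describes a one-way digest and then calls it "encrypting passwords"; call it hashing, and say that the sample value `secure.passwords = false` leaves the feature off. Finally, confirm the spelling of `actions.anon.disable` against `action.allusers.disable`, since one has "actions" and the other "action".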
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/concepts.xml
  
  Index: concepts.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Jetspeed Security Concepts</title>
    </properties>
  
  <body>
  
  <section name="Jetspeed Security Concepts">
  <p>
  The Jetspeed Security services are defined at the Jetspeed web site: 
  <a href='http://portals.apache.org/jetspeed-1/security'>here</a>. 
  It is recommended that you review the concepts there before getting started. 
  The purpose of portal security is to authenticate users of the portal, 
  and to authorize access by those users to portal resources. 
  All security in Jetspeed is defined through pluggable services. 
  Jetspeed provides a default security policy and services. 
  The default security service has a user database along with a security constraint 
registry. 
  First lets review the security database and the object model.
  </p>
  <p>
  <b>Jetspeed Security Options:</b>
  </p>
  <table>
  <tr>
  <td>
  <a 
href='http://portals.apache.org/jetspeed-1/apidocs/org/apache/jetspeed/om/security/JetspeedUser.html'>JetspeedUser</a>
  </td>
  <td>
  Defines the minimal attributes of a user in the portal system.
  </td>
  </tr>
  <tr>
  <td>
  <a 
href='http://portals.apache.org/jetspeed-1/apidocs/org/apache/jetspeed/om/security/Role.html'>Role</a>
  </td>
  <td>
  Defines the minimal attributes of a role in the portal system.
  </td>
  </tr>
  <tr>
  <td>
  <a 
href='http://portals.apache.org/jetspeed-1/apidocs/org/apache/jetspeed/om/security/Group.html'>Group</a>
  </td>
  <td>
  Defines the minimal attributes of a group in the portal system.
  </td>
  </tr>
  <tr>
  <td>
  <a 
href='http://portals.apache.org/jetspeed-1/apidocs/org/apache/jetspeed/om/security/Permission.html'>Permission</a>
  </td>
  <td>
  Defines the minimal attributes of a permission in the portal system.
  </td>
  </tr>
  </table>
  <p>
  The default Jetspeed deployment comes with a populated sample database of users, 
roles, groups and permissions. 
  This database is conveniently distributed with the webapp to simplify the first time 
experience. 
  The database is Hypersonic SQL. For production systems, it is recommended to switch 
to a more robust database. 
  </p>
  <p>
  The default Security service uses <a href='http://db.apache.org/torque/'>Apache 
Torque</a> to manage object-relational mapping of 
  objects to and from relational tables. 
  This default service can be configured to work with your own database. 
  Also see the <a 
href='http://portals.apache.org/jetspeed-1/apidocs/org/apache/jetspeed/services/security/ldap/package-summary.html'>LDAP
 Security</a> service.
  </p>
  </section>
  </body>
  </document>
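
Review bot: The table is headed "Jetspeed Security Options:" but it lists JetspeedUser, Role, Group and Permission, which the preceding sentence introduces as "the security database and the object model"; rename the heading to match. The paragraph on the bundled Hypersonic database recommends a more robust database for production but says nothing about the populated sample users, roles and permissions that ship with the webapp; add a sentence telling readers to remove or re-credential them. The link text "here" should name its target, and "First lets review" needs the apostrophe.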
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/example.xml
  
  Index: example.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>The Security Example Portlet</title>
    </properties>
  
  <body>
  
  <section name="The Security Example Portlet">
  <p>
  Tutorial 4 comes with one portlet, the Security Example portlet.
  </p>
  <p>                    
  <img border='0' width='554' height='131' src="../images/image004-5.jpg"/>
  </p>
  <p>
  This portlet allows for you to click on four different portal links. 
  These links were created with the <b>$jslink</b> tool, which is used in templates to 
  generate links to portal resources. 
  </p>
  <p>
  <table>
  <tr>
  <th>
  Link Name
  </th>
  <th>
  Linked Resource
  </th>
  <th>
  Works with Anon
  </th>
  <th>
  Works with Authenticated
  </th>
  </tr>
  <tr>
  <td>
  Page Requires Admin Role
  </td>
  <td>
  $jslink.setUser('admin')<br/>
  link to default admin user page
  </td>
  <td>
  NO
  </td>
  <td>
  NO
  </td>
  </tr>
  <tr>
  <td>
  Page Requires User Role
  </td>
  <td>
  $jslink.setGroup('apache','news')<br/>
  link to apache group, news page
  </td>
  <td>
  NO
  </td>
  <td>
  YES
  </td>
  </tr>
  <tr>
  <td>
  Page Requires No Role
  </td>
  <td>
  $jslink.setGroup('apache')<br/>
  link to default apache group page
  </td>
  <td>
  YES
  </td>
  <td>
  YES
  </td>
  </tr>
  <tr>
  <td>
  Pane Requires User Role
  </td>
  <td>
  $jslink.getLink($jslink.USER,'anon','default', $jslink.PANE_ID,'105')<br/>
  link to anonymous user default page, pane id = 105
  </td>
  <td>
  NO
  </td>
  <td>
  YES
  </td>
  </tr>
  </table>
  </p>
  <p>                    
  When you test it out, you will see that there is a fifth pane on the anonymous page, 
  but you cannot see it when you are logged on as the anonymous user. 
  However, when you logon as the Turbine user, and click on the "Pane Requires User 
Role", 
  then the pane does show up, since the Turbine user does have the User role.
  </p>
  <p>
  The pane in the anonymous page has a security constraint:
  </p>
  <source>
  <![CDATA[
      <portlets id="105">
          <security-ref parent="user-only"/>
          <metainfo>
              <title>Secured</title>
          </metainfo>
          <entry parent="HelloVelocity"/>
      </portlets>
  ]]>    
  </source>
  </section>
  </body>
  </document>
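
Review bot: The "Works with Authenticated" column does not say which account it refers to, and the "Page Requires Admin Role" row shows NO, which only holds for a logged-in user without the admin role. Name the account in the header (the text below uses "the Turbine user") or add a column for the admin user. The row label "Page Requires User Role" sits next to `$jslink.setGroup('apache','news')` with no mention of where the role requirement is declared; a pointer to the constraint, as is done for pane 105 with `<security-ref parent="user-only"/>`, would make the table verifiable. The `<table>` is also nested inside `<p>`.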
  
  
  1.1                  jakarta-jetspeed/tutorial/xdocs/4/deploy.xml
  
  Index: deploy.xml
  ===================================================================
  <?xml version="1.0"?>
  <!--
  Copyright 2004 The Apache Software Foundation
  
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
  
      http://www.apache.org/licenses/LICENSE-2.0
  
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <document>
  
    <properties>
      <author email="[EMAIL PROTECTED]">David Sean Taylor</author>
      <title>Deploy</title>
    </properties>
  
  <body>
  
  <section name="Deploy">
  <p>
  To deploy the system type:
  </p>
  <source>
  maven deploy         
  -- or --
  maven hotdeploy
  </source>
  <p>
  Use hotdeploy if you have already deployed the system once. 
  This simply saves some time in packaging the JPortal deployment. 
  Next point your browser at:
  </p>
  <p>
  <a 
href='http://localhost:8080/jportal/portal'>http://localhost:8080/jportal/portal</a>
  </p>
  <p>
  You should see the new site menus for the anonymous user:
  </p>
  <p>                    
  <img border='0' width='554' height='131' src="../images/image004-6.jpg"/>
  </p>
  </section>
  </body>
  </document>
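
Review bot: The `<source>` block puts the literal line "-- or --" between `maven deploy` and `maven hotdeploy`, so it reads as part of what to type; split it into two `<source>` blocks with the "or" in prose. index.xml builds with `maven -Dtutorial=4 jetspeed:war`, so say here whether the deploy goals need the same `-Dtutorial=4` property and which directory to run them from.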
  
  
  
