On Jul 28, 2009, at 8:20 AM, Deepak Kaimal wrote:
> We are in the process of trying to integrate Jetspeed2 with OpenSSO
> for both Authentication (SSO) and Authorization. We have been
> successful in the authentication piece, but I have not been able to
> figure out how to switch out the authorization piece.
>
> We are trying to get Jetspeed2 to delegate authorization checks for
> a portlet action (View, Configure etc.) to OpenSSO before the
> portlet is rendered on the page. In the process of analyzing the
> code, I was able to make certain changes to the
> org.apache.jetspeed.security.impl.SecurityAccessControllerImpl class
> in the checkPortletAccess() method. This, however, causes the portlet
> to be visible or not visible while adding it to the page. Once the
> portlet is added to the page, control no longer comes to this
> method. Which means that access to the portlet cannot be turned off
> in OpenSSO.
>
> I have a feeling that I am barking up the wrong tree here. Could
> anyone point me in the right direction to look?

The SecurityAccessController delegates its security checks.
Looking at the SecurityAccessController default impl:

    public boolean checkPortletAccess(PortletDefinition portlet, int mask)
    {
        if (portlet == null)
            return false;
        if (securityMode == SecurityAccessController.CONSTRAINTS)
        {
            String constraintRef = portlet.getJetspeedSecurityConstraint();
            if (constraintRef == null)
            {
                constraintRef = ((PortletApplication) portlet.getApplication()).getJetspeedSecurityConstraint();
                if (constraintRef == null)
                {
                    return true; // allow access
                }
            }
            String actions = JetspeedActions.getContainerActions(mask);
            return pageManager.checkConstraint(constraintRef, actions);
        }
        else
        {
            try
            {
                AccessController.checkPermission(
                    (Permission) pf.newPermission(pf.PORTLET_PERMISSION, portlet.getUniqueName(), mask));
            }
            catch (AccessControlException ace)
            {
                return false;
            }
            return true;
        }
    }

There are two Security Authorization implementations in Jetspeed:

1. Security Constraints - authorization checks are made against
   constraints associated with portal resources (pages, folders)
2. Java Security Policy - authorization checks are made against
   Jetspeed's standard Java Security Policy

You can see in the code above where the SecurityAccessController
checks its configuration, and delegates to either the constraints or
policy authorization implementation.

    <!--
        Security Mode:
        1 = Permissions = use Jetspeed Java Security Policy
        2 = Constraints = use Jetspeed (PageManager) Constraint-based Security
    -->
    <constructor-arg index="2">
        <value>${portal.core.security.type}</value>
    </constructor-arg>

So you need to look at the jetspeed.properties for the
portal.core.security.type setting:

    #1 = Permissions = use Jetspeed Java Security Policy
    #2 = Constraints = use Jetspeed (PageManager) Constraint-based Security
    portal.core.security.type=2

I don't recommend editing jetspeed.properties directly, but instead
using the override.properties as described here:
http://portals.apache.org/jetspeed-2/deployguide/jetspeed-properties.html
http://portals.apache.org/jetspeed-2/deployguide/override-properties.html
You can read more about constraints vs permissions here:
http://portals.apache.org/jetspeed-2/deployguide/security-config.html
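
Added example, not part of the original message and not Jetspeed code: a stand-alone Java model of the two decision paths in the checkPortletAccess() method quoted above, plus an audit helper that lists the portlets constraints mode allows only because neither the portlet nor its application names a constraint. The Portlet record, the constraint map (reduced to "actions granted to the current user"), the deny on an unknown constraint name and all sample names are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Added illustration (Java 16+). All types and sample data are constructed stand-ins, not Jetspeed classes. */
public class PortletAccessModel {

    /** Hypothetical stand-in for a portlet definition and the constraint of its application. */
    record Portlet(String uniqueName, String constraintRef, String appConstraintRef) {}

    /** Same lookup order as the quoted method: the portlet first, then its application. */
    static String effectiveConstraint(Portlet p) {
        return p.constraintRef() != null ? p.constraintRef() : p.appConstraintRef();
    }

    /** Constraints mode. The map gives, per constraint name, the actions granted to the current user. */
    static boolean checkConstraintsMode(Portlet p, String action, Map<String, Set<String>> constraints) {
        if (p == null) return false;
        String ref = effectiveConstraint(p);
        if (ref == null) return true; // default allow, as in the quoted code
        // Assumption of this model: a constraint name that is not defined grants nothing.
        return constraints.getOrDefault(ref, Set.of()).contains(action);
    }

    /** Permissions mode: a SecurityException (AccessControlException is a subclass) means deny. */
    static boolean checkPermissionsMode(Portlet p, Runnable policyCheck) {
        if (p == null) return false;
        try { policyCheck.run(); return true; }
        catch (SecurityException denied) { return false; }
    }

    /** Audit helper: portlets that constraints mode allows only because nothing constrains them. */
    static List<String> defaultAllowed(List<Portlet> portlets) {
        return portlets.stream().filter(p -> effectiveConstraint(p) == null)
                .map(Portlet::uniqueName).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, Set<String>> constraints = Map.of("admin", Set.of("view", "edit"), "users", Set.of("view"));
        List<Portlet> portlets = List.of(
                new Portlet("app::Reports", "users", null),
                new Portlet("app::Settings", null, "admin"),
                new Portlet("demo::Clock", null, null));
        for (Portlet p : portlets)
            System.out.println(p.uniqueName() + " edit allowed: " + checkConstraintsMode(p, "edit", constraints));
        System.out.println("policy check throws, allowed: " + checkPermissionsMode(portlets.get(0),
                () -> { throw new SecurityException("denied"); }));
        System.out.println("allowed by default: " + defaultAllowed(portlets));
    }
}
```

The portlets reported by defaultAllowed are the ones to review first when constraints mode is in use, since the quoted method returns true for them without consulting any constraint.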