Hi, I am using Jetspeed 1.3.1b. This seems to be a security hole: one can see others' portlets just by forming a URL, without knowing a password.

One of the portlets, for user 'turbine', is HelloVelocity, which says a 'Hello' message for a given text entered in this portlet's textbox. If I give the following URL (got this URL from the HelloVelocity portlet's FORM tag) directly in the browser's URL bar, I am able to see all of the portlets of the 'turbine' user (but without the Min., Max., Close... controls). Also, the HelloVelocity portlet displays with the text that I specified in the URL. This is happening even after I:

- logged out of the Turbine user session,
- opened a new browser instance,
- restarted the web server.

http://localhost:8080/jetspeed/portal/user/turbine/page/default.psml/template/Home?text=Srini&eventSubmit_doUpdate=Update

When I log in as user 'turbine' properly, I am able to see the Hello message with the text that was given before directly in the URL.

When I walk through the Jetspeed 'TemplateSessionValidator' class, I see the following lines in the doPerform() method:

    .....
    .....
    // The user may have not logged in, so create a "guest" user.
    if ( data.getUser() == null) {
        data.setUser(JetspeedSecurity.getAnonymousUser());
        data.save();
    }
    .....
    .....

So I guess user turbine's portlets are executed as the Anonymous user (this may be the reason for showing the portlets without any controls).

Any solution to fix this problem?

Thanks in Advance,
Srini.K
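As an added illustration of the fail-closed check the report is missing (my own example code, not Jetspeed's, and not using the Jetspeed API), the class below decides whether a request for a user-scoped portal page may be rendered. It assumes a hypothetical `UserPageAuthorizer` class and the `/portal/user/<owner>/page/...` path shape taken from the URL above; the sample requests in `main` are constructed. The contrast with the `TemplateSessionValidator` excerpt is that a request with no logged-in user is denied rather than silently mapped to the anonymous user, and a logged-in user may only render pages they own.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical authorization check for user-scoped portal pages.
 * Fail closed: no session user means no access to any user's page,
 * and a session user may only reach pages under their own name.
 */
public final class UserPageAuthorizer {

    /** Outcome of the authorization decision. */
    public enum Decision { ALLOW, ALLOW_PUBLIC, DENY_NOT_AUTHENTICATED, DENY_WRONG_USER }

    // Assumed path shape, modelled on the URL in the report:
    // /portal/user/<owner>/page/<psml>/...
    private static final Pattern USER_PAGE =
            Pattern.compile("^/portal/user/([^/]+)/page/.*");

    private UserPageAuthorizer() { }

    /** Strips the query string; event parameters such as eventSubmit_doUpdate
     *  play no part in the decision. */
    public static String pathOf(String requestUri) {
        int q = requestUri.indexOf('?');
        return q < 0 ? requestUri : requestUri.substring(0, q);
    }

    /** Returns the owner named in a user-scoped path, or null for other paths. */
    public static String ownerOf(String path) {
        Matcher m = USER_PAGE.matcher(path);
        return m.matches() ? m.group(1) : null;
    }

    /**
     * @param sessionUser the authenticated user from the session, or null
     *                    when nobody is logged in (never substitute a guest here)
     * @param requestUri  the requested URI, query string included
     */
    public static Decision authorize(String sessionUser, String requestUri) {
        String owner = ownerOf(pathOf(requestUri));
        if (owner == null) {
            return Decision.ALLOW_PUBLIC;        // not a user-scoped page
        }
        if (sessionUser == null) {
            return Decision.DENY_NOT_AUTHENTICATED; // login required, no guest fallback
        }
        if (!sessionUser.equals(owner)) {
            return Decision.DENY_WRONG_USER;     // authenticated, but not the page owner
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample: the URL from the report, with and without a session.
        String uri = "/jetspeed/portal/user/turbine/page/default.psml/template/Home"
                + "?text=Srini&eventSubmit_doUpdate=Update";
        String path = uri.substring("/jetspeed".length()); // context path removed

        System.out.println("no session   : " + authorize(null, path));
        System.out.println("user turbine : " + authorize("turbine", path));
        System.out.println("user srini   : " + authorize("srini", path));
        System.out.println("public page  : " + authorize(null, "/portal/"));
    }
}
```

The check is deliberately placed on the path alone: because the report's URL also carries an update event (`eventSubmit_doUpdate=Update`) that stores `text=Srini` into turbine's portlet, denying the whole request for unauthenticated callers prevents both the information disclosure and the unauthenticated state change, rather than only hiding the rendered output.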
