Marina,
There are two different Roles/Groups/Users domains in effect: Tomcat's and Jetspeed's. Jetspeed has its own JAAS login/logout that is managed separately from the global Tomcat configuration, (see jetspeed.xml for the JAAS Realm definition). Configuration of Tomcat's Realm is only necessary for running the manager/admin application to deploy portlet webapps.
I am not sure why your Tomcat security configuration did not control access to the Jetspeed application as a whole, (I am not an expert there to say the least; I've never had to use that believe it or not).
To use the portlet security, you'll probably need to configure the Jetspeed realm correctly or use the demo logins. Like I said, I am not sure portlet security is implemented at this time, YMMV. See the populate-userinfo-for-default-psml.sql script.
For page level security, see the demo psml pages under jetspeed/WEB-INF/pages. No document on this stuff yet... it is very new and still settling in.
I will mail a PDF version of the profiling document to you in a few minutes.
Randy
Marina wrote:
Randy, Thanks a lot for your response.
I indeed have more specific questions on the security setup in J2. I should note right away that I apologize if these questions are answered in the documentation you mentioned - I was not able to read it as it seems to be in the .sxw format (StarOffice, I think?). Any idea how to convert them into some other format if I don't have StarOffice readily available?
Now to my questions. I'm trying to do a very common thing: require a user to log in when he accesses the portal for the first time, and then show only those portlets that this user is authorized to see, and give him only those access rights to some functionality (buttons, links in the portlets) that he is authorized to do.
First off, I was not sure how to limit access to the portal as a whole - usually you do that kind of thing in the web.xml descriptor of the web application. I guess that would be the $TOMCAT_HOME/webapps/jetspeed/WEB-INF/web.xml. But then, would not it be overwritten when Jetspeed is redeployed using the Maven build scripts? And what <url-pattern> would I have to specify - /jetspeed/* or something like that?
Anyway, I decided to try to protect the main portlet as the first step. In my portlet's web.xml I specified:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure EventCalendar</web-resource-name>
      <url-pattern>/EventsCalendarPortlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dce_admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>dce_admin</role-name>
  </security-role>
and I have a corresponding role defined in the tomcat-users.xml:
  <role rolename="dce_admin"/>
  <user username="dce_admin" password="some_password" roles="dce_admin"/>
Since I could not find any Jetspeed-specific information on specifying security constraints for individual portlets, I just used the Portlet Specification as the guide and added this to the portlet's portlet.xml:
  <security-role-ref>
    <role-name>dce_admin</role-name>
    <role-link>dce_admin</role-link>
  </security-role-ref>
The EventsCalendarPortlet got deployed into J2 just fine, but it was displayed in the portal without prompting me for any username/password.
If you could give me any pointers as to what I'm missing and what would the main steps be to achieve what I'm trying to do it would be great!
Sorry for such a long e-mail,
thanks! Marina
--- Randy Watler <[EMAIL PROTECTED]> wrote:
MP,
I am more or less responsible for the J2 profiling and security features.
There is some documentation in the J2 design-docs under the profiler directory, (pull from CVS).
Also the demo configuration for user/user, (username=user, password=user), uses profiling extensively to customize its view and security to limit its access to the admin pages/portlets.
BTW, this functionality is page based, not portlet based. Portlet security constraints can be specified in the portlet.xml, but I am not sure if they are 100% implemented at this point.
Feel free to send more specific J2 questions to the list.
HTH,
Randy Watler
-----Original Message-----
From: M P
To: Jetspeed Users List
Sent: 11/27/04 12:10 PM
Subject: Re: jetspeed-newbie Roles-Groups-Users
Hi, David,
The documentation you mentioned is for Jetspeed 1. Is it also true for Jetspeed2? If not - could you point me to where I could find it for J2? I looked through all documentation on the J2 home page and Wikis and could not find anything on how to control access to specific portlets based on user roles/groups.
Thank you! Marina
--- David Sean Taylor <[EMAIL PROTECTED]> wrote:
Thilina wrote:
Hi, I need to do following thing using the jetspeed,
Creating......
3 roles - Admin, Executive, Developer
2 Groups - Administration, Users
100 of users - CEO,CFO,admin, aaa, bbb, ccc, etc........
Setting............
Admin and Executive belongs to Administrative Group
Developer belongs to Users Group
CEO and CFO are Executive Roles
admin user is belongs to Admin role
aaa, bbb, ccc, etc.... belongs to Developer role
Users group only have rights to view the information.
Admin role have all the control except viewing some confidential information such as Banking and Finance information. Only CEO and CFO have rights to access those information.
Admin could lock and unlock account except CEO and CFO.
Is this kind of activity achieve using jetspeed1.5?
Yes. To see the User Admin, go here:
http://wwww.bluesunrise.com/jetspeed
login as user = admin, pw = (send me an email personally to get it)
Go to the security tab, and then "Security Browser"
Here you can see how to setup security constraints
You will also see how to administer roles, groups and users here.
Also, docs are here:
http://portals.apache.org/jetspeed-1/security.html#Registry_Access_Control
---------------------------------------------------------------------
-- David Sean Taylor Bluesunrise Software [EMAIL PROTECTED] [office] +01 707 773 4646 [mobile] +01 707 529 9194
---------------------------------------------------------------------To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]