On Sun, Feb 7, 2010 at 4:51 PM, <[email protected]> wrote:

> Is security constraint enforcement implemented for portlets?

Yes. This question was answered on Jan 21, 2010; I will re-paste it in:

Finally, as a last resort/catch-all handling, you can also enforce security
constraints checking at render time.

If enabled (default: false), a portlet which is not accessible to be viewed
by the user, regardless of the current page or fragment, will not be rendered
and an "Access Denied" error message will be rendered instead.
To enable this feature, you'll have to change a Spring configuration setting
in WEB-INF/assembly/aggregation.xml.
Find the bean with id="org.apache.jetspeed.aggregator.PortletRenderer" and
change the 4th constructor-arg element from false -> true
(see also the inline comment in the bean definition).

 <!-- Portlet Renderer -->
 <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
   class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl"
   init-method="start" destroy-method="stop">
   <meta key="j2:cat" value="default" />
   <constructor-arg>
     <ref bean="org.apache.pluto.PortletContainer" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.aggregator.WorkerMonitor" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="PortalStatistics" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.aggregator.PortletTrackingManager" />
   </constructor-arg>
   <!-- flag indicating whether to check jetspeed-portlet.xml security constraints
     before rendering a portlet. If security check fails, do not display portlet content
   -->
   <constructor-arg type="boolean">
     <value>true</value>
   </constructor-arg>
   <constructor-arg>
     <ref bean="org.apache.jetspeed.security.SecurityAccessController" />
   </constructor-arg>
   <constructor-arg>
     <ref bean="portletContentCache" />
   </constructor-arg>
 </bean>


NOTE: The Portlet Selector filters out portlets based on security constraint
checks as well.
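
A check for the setting described above, as an added example that is not part of the original message or Jetspeed's own code: it finds the PortletRenderer bean by id and reads the constructor-arg marked type="boolean" instead of counting positions. The sample XML is constructed, and the Spring beans namespace and the names `local` and `render_check_enabled` are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

RENDERER_ID = "org.apache.jetspeed.aggregator.PortletRenderer"

# Constructed sample modelled on the bean definition quoted above (trimmed to
# two of the ref arguments, flag left at its default). The xmlns wrapper is an
# assumption about how the real aggregation.xml is declared.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="org.apache.jetspeed.aggregator.PortletRenderer"
        class="org.apache.jetspeed.aggregator.impl.PortletRendererImpl">
    <constructor-arg><ref bean="org.apache.pluto.PortletContainer" /></constructor-arg>
    <constructor-arg><ref bean="PortalStatistics" /></constructor-arg>
    <constructor-arg type="boolean"><value>false</value></constructor-arg>
    <constructor-arg><ref bean="portletContentCache" /></constructor-arg>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def render_check_enabled(xml_data):
    """Return True if render-time constraint checking is on, False if off.

    Raises LookupError when the bean or its single boolean flag cannot be
    identified, so a restructured file is reported instead of assumed safe."""
    root = ET.fromstring(xml_data)
    beans = [e for e in root.iter() if local(e.tag) == "bean" and e.get("id") == RENDERER_ID]
    if len(beans) != 1:
        raise LookupError("expected exactly one bean with id " + RENDERER_ID)
    flags = [a for a in beans[0]
             if local(a.tag) == "constructor-arg" and a.get("type") == "boolean"]
    if len(flags) != 1:
        raise LookupError("expected exactly one boolean constructor-arg")
    value = flags[0].get("value")  # Spring also allows value="..." as an attribute
    if value is None:
        child = next((c for c in flags[0] if local(c.tag) == "value"), None)
        value = child.text if child is not None else None
    if value is None or value.strip().lower() not in ("true", "false"):
        raise LookupError("boolean constructor-arg has no true/false value")
    return value.strip().lower() == "true"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("render-time security constraint check enabled:", render_check_enabled(data))
```

Run it with the path to WEB-INF/assembly/aggregation.xml as the only argument; with no argument it evaluates the constructed sample.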
