[ https://issues.apache.org/jira/browse/APA-42?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Woonsan Ko resolved APA-42.
---------------------------

    Resolution: Fixed

Fixed.

- Commented out all apache site examples and removed all secured apache site examples.
  So, the portal zone cannot have those reverse proxy examples to apache sites any more.
- Instead, added a local portal mission page and changed the default example to do reverse proxying to this local page.
- Added an option to check security roles on reverse proxy path resources.
  If allowed roles are configured on a reverse proxy pass, then it will check if the request user is in the specified roles.
  The default implementation is to simply use HttpServletRequest#isUserInRole(role).
  However, a custom implementation can be provided in the configuration.
  Also, a custom reverse proxy request context provider can be overridden via request or session, which means a frontend filter or portlet could provide its own provider implementation.
- Portal site documentation has been updated.


> Security access control options in reverse proxy portlet components.
> --------------------------------------------------------------------
>
>                 Key: APA-42
>                 URL: https://issues.apache.org/jira/browse/APA-42
>             Project: Portals Apps
>          Issue Type: Bug
>          Components: apa-webcontent
>    Affects Versions: apa-webcontent-1.1
>            Reporter: Woonsan Ko
>            Assignee: Woonsan Ko
>             Fix For: apa-webcontent-1.2
>
>
> The default examples of the reverse proxy servlet and reverse proxy iframe portlet have the following problems:
> - Many URLs could accidentally be indexed.
> - Some proxied URLs could prompt for credentials over HTTP, which brings security issues.
> I think the following could be provided:
> - The default proxy target URL examples should be from the local application for a demo. (Not from an external target site.)
> - Add a security authentication/authorization checking option for each proxy site.
> - Add a portlet driven reverse proxy servlet which extends the default reverse proxy servlet
>   and add a portlet integrated security authentication/authorization checking option.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
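
The role check on reverse proxy paths described in the resolution comment can be sketched as follows. This is an added example, not code from apa-webcontent or from the issue: the class name, method names and sample paths are hypothetical. It assumes that any one of the allowed roles is sufficient and that a request matching no configured path is refused.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration; names are hypothetical, not the apa-webcontent API.
public class ProxyPathRoleCheck {

    // Constructed configuration: proxy base path -> allowed roles.
    // An empty set means no roles are configured, so no role check applies.
    private final Map<String, Set<String>> allowedRolesByPath = new LinkedHashMap<>();

    public void addPath(String basePath, String... roles) {
        allowedRolesByPath.put(basePath, new LinkedHashSet<>(Arrays.asList(roles)));
    }

    // Longest configured base path that matches on a path-segment boundary,
    // so "/admin" does not also cover "/administrator".
    Optional<String> matchPath(String requestPath) {
        return allowedRolesByPath.keySet().stream()
            .filter(p -> requestPath.equals(p)
                      || requestPath.startsWith(p.endsWith("/") ? p : p + "/"))
            .max(Comparator.comparingInt(String::length));
    }

    // isUserInRole stands in for the role lookup; inside a servlet the default
    // would be request::isUserInRole (HttpServletRequest#isUserInRole).
    public boolean isAllowed(String requestPath, Predicate<String> isUserInRole) {
        Optional<String> match = matchPath(requestPath);
        if (!match.isPresent()) {
            return false; // assumption: unconfigured paths are refused
        }
        Set<String> roles = allowedRolesByPath.get(match.get());
        return roles.isEmpty() || roles.stream().anyMatch(isUserInRole);
    }

    public static void main(String[] args) {
        ProxyPathRoleCheck check = new ProxyPathRoleCheck();
        check.addPath("/mission");                   // local demo page, no roles
        check.addPath("/admin", "admin", "manager"); // role-restricted path

        // Constructed users, modelled as the set of roles each one holds.
        Set<String> user = new HashSet<>(Arrays.asList("user"));
        Set<String> admin = new HashSet<>(Arrays.asList("admin"));

        System.out.println(check.isAllowed("/mission/index.html", user::contains));
        System.out.println(check.isAllowed("/admin/console", user::contains));
        System.out.println(check.isAllowed("/admin/console", admin::contains));
        System.out.println(check.isAllowed("/administrator", admin::contains));
    }
}
```

Passing a different `Predicate<String>` is where a custom role-checking implementation, as mentioned in the comment, would plug in.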
