portals-jetspeed-dev mailing list archives

From "David Sean Taylor" <da...@bluesunrise.com>
Subject RE: Securing VelocityPortlet actions
Date Mon, 14 Oct 2002 16:09:09 GMT
> -----Original Message-----
> From: Mark Orciuch [mailto:mark_orciuch@ngsltd.com]
> Sent: Monday, October 14, 2002 8:49 AM
> To: Jetspeed Developers List
> Subject: RE: Securing VelocityPortlet actions
>
>
> David,
>
> No, I don't have any insight for you yet but I'm trying to make sure I
> understand your intent here. You want to secure portlet and its action as
> one (i.e. portlet action should always use security of the portlet it is
> associated with), right? And you don't want to do something like that in the
> base action class:
>
> JetspeedSecurity.checkPermission(rundata,
> JetspeedSecurity.PERMISSION_VIEW,
> portlet);

Exactly, but I can't get to the 3rd parameter 'portlet' - it should be soooo
easy but it's not

>
> Whatever we come up with, has to be done with JspPortletAction as well. What

+1

> about securing non-portlet actions? Perhaps these actions should become
> another type of portal resource and extend JetspeedAction which, in turn,
> would be responsible for checking PERMISSION_EXECUTE.

Yes, 'normal' turbine actions also need to be secured.
PERMISSION_EXECUTE, yes, that may work. I was thinking of just hooking into
the current mode (view, customize), but yes, I like execute permission.
+1 on adding it


>
> Best regards,
>
> Mark C. Orciuch
> Next Generation Solutions, Ltd.
> e-Mail: mark_orciuch@ngsltd.com
> web: http://www.ngsltd.com
>
>
> > -----Original Message-----
> > From: David Sean Taylor [mailto:david@bluesunrise.com]
> > Sent: Friday, October 11, 2002 11:50 PM
> > To: Jetspeed Developers List
> > Subject: Securing VelocityPortlet actions
> >
> >
> > I'd like to use the Jetspeed Security registry for securing access to
> > Velocity portlet actions.
> > I believe that Velocity portlet action events are a very big security hole in
> > Jetspeed, and it should be fairly simple to plug it, one would think.
> > A few weeks ago I reviewed the code, and it was the same old situation: we
> > are in the action, but do we have access to the portlet....
> >
> > To make a long story short, I failed to get access to the portlet in the
> > action when I needed it -- when an action event kicks off, it doesn't know
> > about its portlet. Correct me if I'm wrong....I can just hear Raphael "it's
> > easy, just do this..." and I hope he does, really.
> >
> > But since the action kicks off before the instance is created, it's even more
> > difficult to get the portlet instance security-ref.
> >
> > Any insight on how to get the security constraints during an action event?
> > I would like to put this code in one of the base classes. I don't want to be
> > checking security in each and every one of my action events.

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>