portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-204) PLT.7.1.2 Portlet URL security not implemented and absolute URL rendering
Date Tue, 20 Feb 2007 20:34:06 GMT

     [ https://issues.apache.org/jira/browse/JS2-204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma resolved JS2-204.

       Resolution: Fixed
    Fix Version/s: 2.1-dev

The patch provided for JS2-275 by Santiago more or less resolved this issue already, and it
is now possible to switch between secure mode and non-secure modes, 
although this currently only works using standard port transitions (80->443 and 443->80).
See: https://issues.apache.org/jira/browse/JS2-275#action_12318383 

The solution I originally intended to provide still would be a more complete and generic one,
but has become harder to implement now that there are so many different servlet paths through
which the portal can be invoked. There isn't enough time left before the 2.1 release to start
working on that, and actually I haven't heard anyone asking for it either. 

As we now do have a solution for this issue, this isn't a bug anymore, so I'm closing this

Maybe for a next release we should reconsider if the more generic solution really is needed.
If so, we can create a new enhancement ticket for it. 

> PLT.7.1.2 Portlet URL security not implemented and absolute URL rendering
> --------------------------------------------------------------------------
>                 Key: JS2-204
>                 URL: https://issues.apache.org/jira/browse/JS2-204
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Container, ContentServer, Profiling/Portal Navigation
>    Affects Versions: 2.0-dev/cvs
>            Reporter: Ate Douma
>         Assigned To: Ate Douma
>             Fix For: 2.1, 2.1-dev
>
> PLT.7.1.2 PortletURL security
> -----------------------------
> The PortalURL doesn't yet honor a request for the explicit generation of secure or non-secure
> PortletURLs as required by the Portlet Specification.
> Whatever the setting, a non-secure url is always generated.
> I will implement this requirement using the same solution as provided by Jeremy Boyes
> for the Pluto PortalDriver.
> See: http://issues.apache.org/jira/browse/PLUTO-82.
> This solution will use two different Servlet Mappings in web.xml for the JetspeedServlet:
> a non-secure (what we have now already: /portal/*) and a secure (/secure/portal/*).
> For the secure mapping a security-constraint with transport-guarantee CONFIDENTIAL will
> be defined, effectively securing any access through this mapping.
> These mappings are, and also need be, defined in WEB-INF/conf/jetspeed.properties too.
> The AbstractPortalURL will read these properties to determine which path to use for secure
> and non-secure PortletURLs.
> Note, these paths will *only* be used when a secure url must be generated while the current
> request is not, or vice versa.
> This means, other mappings can still be used (we have also a /jetspeed/* mapping defined
> although I don't know why or if it is needed anymore) as long as there isn't a switch from
> secure to non-secure or vice versa.
>
> Absolute URL Rendering
> ----------------------
> Another problem the above solution will partly solve is the current absolute URL rendering
> (including the Scheme, ServerName and port number in a URL) which poses problems with Proxy
> configurations as has recently been reported on the list by Scott Heaberlin.
> By using different mappings for the secure and non-secure access we don't need to prefix
> the urls with a HTTP:// or HTTPS:// scheme anymore.
> I will also remove the Scheme, Servername and port number encoding in url generation as
> currently is done by the JetspeedPowerTool, JetspeedVelocityViewServlet and the ContentLocatingRequestWrapper
> of the ContentServer.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
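
The two-mapping approach proposed in the quoted issue description, sketched as a web.xml fragment. This is an added example, not Jetspeed's shipped configuration or code from the issue; the servlet name `jetspeed` and the web-resource-name label are assumptions, and the servlet declaration itself is omitted.

```xml
<!-- Added illustration of WEB-INF/web.xml; not the project's own file. -->
<web-app>
  <!-- The <servlet> declaration for the JetspeedServlet is omitted here;
       the servlet-name "jetspeed" used below is an assumed name. -->

  <!-- Non-secure mapping, the one the issue says already exists. -->
  <servlet-mapping>
    <servlet-name>jetspeed</servlet-name>
    <url-pattern>/portal/*</url-pattern>
  </servlet-mapping>

  <!-- Secure mapping: the same servlet reached through a second path. -->
  <servlet-mapping>
    <servlet-name>jetspeed</servlet-name>
    <url-pattern>/secure/portal/*</url-pattern>
  </servlet-mapping>

  <!-- Transport guarantee for the secure path only. With no <http-method>
       listed, the constraint covers every HTTP method. A request that
       arrives over plain HTTP is rejected or redirected by the container
       to its confidential (TLS) connector. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure portal access</web-resource-name>
      <url-pattern>/secure/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Caveat: the constraint is bound to the URL pattern, not to the
       servlet. /portal/* (and any other mapping such as /jetspeed/*)
       still reaches the same servlet without TLS, so confidentiality
       depends on secure PortletURLs actually being generated with the
       /secure/portal path. -->
</web-app>
```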
