File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Portals and Portlets and the fly likes liferay 5.2.3 portlet security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Portals and Portlets
Bookmark "liferay 5.2.3 portlet security" Watch "liferay 5.2.3 portlet security" New topic

liferay 5.2.3 portlet security

Jason Mayer
Ranch Hand

Joined: Oct 16, 2007
Posts: 31
I recently wrote a portlet for liferay using spring mvc. I was told recently that my security is not quite correct, however. I was having the admins configure who could add the portlet through the configuration menu, but that doesn't prevent someone from adding a portlet to the public page of a community and possibly leaking privileged information.

in my portlet.xml i have the following entry

and in my liferay-portlet.xml

The role mapper contains two fields, the role-link, which is the Liferay role, and the role-name, which is what maps to the portlet.xml security-role-ref mapping. Now, the way I understand it, anyone with the Liferay Role "HR Employee" should be able to see the portlet, however, anyone who does not have that role should see an error message about the lack of sufficient roles (or possibly a "portlet has been undeployed" message depending on the settings for Liferay). Do I need to add a security-role mapping to the web.xml similar to this that I just found on an old jboss page(
M Plukas

Joined: Oct 02, 2011
Posts: 1
>"the way I understand it..."
No, you understanding is not right. For JavaEE security roles to have any effect, your portlet must check and enforce them.
This should be helpful overview of the JSR-286 (JSR-168) security system and Liferay's own permission system
In particular, if you want to control "who could add the portlet through the configuration menu", see permissions for <portlet-resources>.
Jason Mayer
Ranch Hand

Joined: Oct 16, 2007
Posts: 31
Thanks, I guess I should have updated my thread a year ago or so when I finally came to that answer.

In the case of anyone else who comes along via google, I believe the following is what's needed to prevent guests from seeing the portlet. Please correct me if I'm wrong. This needs to be in a file under WEB-INF/classes/resource-actions if I recall correctly.

I agree. Here's the link:
subject: liferay 5.2.3 portlet security
It's not a secret anymore!