• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
Sheriffs:
  • Liutauras Vilda
  • Henry Wong
  • Devaka Cooray
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Al Hobbs
  • Carey Brown
Bartenders:
  • Piet Souris
  • Mikalai Zaikin
  • Himai Minh

liferay 5.2.3 portlet security

 
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I recently wrote a portlet for liferay using spring mvc. I was told recently that my security is not quite correct, however. I was having the admins configure who could add the portlet through the configuration menu, but that doesn't prevent someone from adding a portlet to the public page of a community and possibly leaking privileged information.

in my portlet.xml i have the following entry

and in my liferay-portlet.xml


The role mapper contains two fields, the role-link, which is the Liferay role, and the role-name, which is what maps to the portlet.xml security-role-ref mapping. Now, the way I understand it, anyone with the Liferay Role "HR Employee" should be able to see the portlet, however, anyone who does not have that role should see an error message about the lack of sufficient roles (or possibly a "portlet has been undeployed" message depending on the settings for Liferay). Do I need to add a security-role mapping to the web.xml similar to this that I just found on an old jboss page(http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html)?
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
>"the way I understand it..."
No, you understanding is not right. For JavaEE security roles to have any effect, your portlet must check and enforce them.
This should be helpful overview of the JSR-286 (JSR-168) security system and Liferay's own permission system
http://www.liferay.com/documentation/liferay-portal/6.0/development/-/ai/security-and-permissions
In particular, if you want to control "who could add the portlet through the configuration menu", see permissions for <portlet-resources>.
 
Jason Mayer
Ranch Hand
Posts: 31
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks, I guess I should have updated my thread a year ago or so when I finally came to that answer.

In the case of anyone else who comes along via google, I believe the following is what's needed to prevent guests from seeing the portlet. Please correct me if I'm wrong. This needs to be in a file under WEB-INF/classes/resource-actions if I recall correctly.

 
Don't get me started about those stupid light bulbs.
reply
    Bookmark Topic Watch Topic
  • New Topic