Re: Jetspeed Authorization

On Jul 28, 2009, at 8:20 AM, Deepak Kaimal wrote:

> We are in the process of trying to integrate Jetspeed2 with OpenSSO  
> for both Authentication (SSO) and Authorization. We have been  
> successful in the authentication piece, but I have not been able to  
> figure out how to switch out the authorization piece.
>
> We are trying to get Jetspeed2 to delegate authorization checks for  
> a portlet action (View, Configure etc.) to OpenSSO before the  
> portlet is rendered on the page. In the process of analyzing the  
> code, I was able to make certain changes to the  
> org.apache.jetspeed.security.impl.SecurityAccessControllerImpl class  
> in the checkPortletAccess() method. This however, causes the portlet  
> to be visible or not visible while adding it to the page. Once the  
> portlet is added to the page, control no longer comes to this  
> method. Which means that access to the portlet cannot be turned off  
> in openSSO.
>
> I have a feeling that I am barking up the wrong tree here. Could  
> anyone point me in the right direction to look?


The SecurityAccessController delegates its security checks.
Looking at the SecurityAccessController default impl:

    public boolean checkPortletAccess(PortletDefinition portlet, int
mask)
    {
        if (portlet == null)
            return false;
        if (securityMode == SecurityAccessController.CONSTRAINTS)
        {
            String constraintRef =   
portlet.getJetspeedSecurityConstraint();
            if (constraintRef == null)
            {
                constraintRef =   
((PortletApplication 
 )portlet.getApplication()).getJetspeedSecurityConstraint();
                if (constraintRef == null)
                {
                    return true; // allow access
                }
            }
            String actions = JetspeedActions.getContainerActions(mask);
            return pageManager.checkConstraint(constraintRef, actions);
        }
        else
        {
            try
            {
		AccessController .checkPermission  
((Permission 
 )pf.newPermission(pf.PORTLET_PERMISSION,portlet.getUniqueName(),  
mask));
            }
            catch (AccessControlException ace)
            {
                return false;
            }
            return true;
        }

    }

There are two Security Authorization implementations in Jetspeed:

1. Security Constraints - authorization checks are made against
constraints associated with portal resources (pages, folders)
2. Java Security Policy - authorization checks are made against
Jetspeed's standard Java Security Policy

You can see in the code above where the SecurityAccessController
checks its configuration, and delegates to either the constraints or
policy authorization implementation.

    <!--
      Security Mode:
      1 = Permissions = use Jetspeed Java Security Policy
      2 = Constraints = use Jetspeed (PageManager) Constraint-based   
Security
    -->
    <constructor-arg index="2">
      <value>${portal.core.security.type}</value>
    </constructor-arg>

So you need to look at the jetspeed.properties for the   
portal.core.security.type setting:

#1 = Permissions = use Jetspeed Java Security Policy
#2 = Constraints = use Jetspeed (PageManager) Constraint-based  
Securityportal.core.security.type=2

I don't recommend editing jetspeed.properties directly, but instead
using the override.properties as described here:

http://portals.apache.org/jetspeed-2/deployguide/jetspeed-properties.html
http://portals.apache.org/jetspeed-2/deployguide/override-properties.html

You can read more about constraints vs permissions here:

http://portals.apache.org/jetspeed-2/deployguide/security-config.html