Jetspeed has a number of configurable security settings. You can find most of these in the JetspeedSecurity.properties file. We will cover the ones that will probably be most used in a standard portal configuration.
Programmatic Security
Jetspeed can perform programmatic cascade deletes when deleting security objects. For example, when a user is deleted, all role and group associations of that user are deleted automatically with it. Set this to true if your database does not support cascading deletes; the Hypersonic database is one example where you would set it to true.
services.JetspeedSecurity.programmatic.cascade.delete = false
Secure Passwords
Makes the password checking secure. When enabled, passwords are transformed by a one-way function into a sequence of bytes that is base64 encoded before being stored. When a user logs in, the entered password is transformed the same way and then compared with the stored value. The algorithm property selects the digest algorithm used to hash passwords; check the documentation of your JRE for the available algorithms.
services.JetspeedSecurity.secure.passwords = false
services.JetspeedSecurity.secure.passwords.algorithm = SHA
New User Roles
When a new user is created, one or more roles can be assigned to that user. Multiple roles must be comma-separated.
services.JetspeedSecurity.newuser.roles = user
Default Permissions
When a security resource has no permissions defined, these default permissions (actions) are applied to the security check. The default Jetspeed installation defines the following permissions: view, customize, minimize, maximize, close, info, detach. Specifying * denotes all permissions. Separate defaults can be set for anonymous access and for authenticated (logged in) access.
services.JetspeedSecurity.permission.default.anonymous=view
services.JetspeedSecurity.permission.default.loggedin=*
Case Insensitive Usernames and Passwords
These options configure whether the logon username and password are matched case-sensitively or case-insensitively. When case-insensitive matching is enabled, the caseinsensitive.upper property controls whether the username and password are converted to upper case (true) or lower case (false) before being passed on to the database.
services.JetspeedSecurity.caseinsensitive.username=false
services.JetspeedSecurity.caseinsensitive.password=false
services.JetspeedSecurity.caseinsensitive.upper=true
Auto-Account Disable
The Auto-Account-Disable feature combines with the Logon-Strike-Count feature to disable accounts that may be under attack. Failed logons (strikes) are counted over the strike interval, which is given in seconds. In the example below, 3 failed logons within five minutes (300 seconds) result in the account being disabled.
services.JetspeedSecurity.logon.auto.disable=false
services.JetspeedSecurity.logon.strike.count=3
services.JetspeedSecurity.logon.strike.interval=300
services.JetspeedSecurity.logon.strike.max=10
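How the strike count and strike interval interact, as an added worked example (illustrative code written for this page, not part of Jetspeed): a per-user sliding window of failed-logon timestamps driven by the logon.strike.* properties. The class and method names are hypothetical, and it assumes the properties have been loaded into a java.util.Properties object.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Hypothetical strike tracker mirroring the logon.strike.* settings (added example, not Jetspeed code). */
public class LogonStrikeTracker {
    private static final String PREFIX = "services.JetspeedSecurity.logon.";
    private final boolean autoDisable;
    private final int strikeCount;
    private final long intervalMillis;
    private final Map<String, Deque<Long>> strikes = new HashMap<>();
    private final Set<String> disabled = new HashSet<>();

    public LogonStrikeTracker(Properties p) {
        autoDisable = Boolean.parseBoolean(p.getProperty(PREFIX + "auto.disable", "false").trim());
        strikeCount = Integer.parseInt(p.getProperty(PREFIX + "strike.count", "3").trim());
        // strike.interval is in seconds (300 = five minutes in the documented example)
        intervalMillis = Long.parseLong(p.getProperty(PREFIX + "strike.interval", "300").trim()) * 1000L;
    }

    /** Records a failed logon for user at time now (epoch millis); returns true if the account is now disabled. */
    public boolean recordFailure(String user, long now) {
        Deque<Long> window = strikes.computeIfAbsent(user, u -> new ArrayDeque<>());
        window.addLast(now);
        // Age out strikes older than the interval so only failures inside the window count.
        while (!window.isEmpty() && now - window.peekFirst() > intervalMillis) {
            window.pollFirst();
        }
        if (autoDisable && window.size() >= strikeCount) {
            disabled.add(user);
        }
        return disabled.contains(user);
    }

    public boolean isDisabled(String user) { return disabled.contains(user); }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed values; auto.disable switched on for the demo
        p.setProperty(PREFIX + "auto.disable", "true");
        p.setProperty(PREFIX + "strike.count", "3");
        p.setProperty(PREFIX + "strike.interval", "300");
        LogonStrikeTracker t = new LogonStrikeTracker(p);
        t.recordFailure("alice", 0L);
        t.recordFailure("alice", 60_000L);
        System.out.println("alice disabled after 3 strikes within 2 min: " + t.recordFailure("alice", 120_000L));
        t.recordFailure("bob", 0L);
        t.recordFailure("bob", 60_000L);
        System.out.println("bob disabled after a third strike 400 s later: " + t.recordFailure("bob", 400_000L));
    }
}
```

The second user shows the edge case: a strike that arrives after the interval has elapsed does not combine with the stale ones, so only strikes inside one window can trigger the disable.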
Password Expiration
Number of days until a password expires. To disable password expiration, set it to 0.
services.JetspeedSecurity.password.expiration.period = 0
Anonymous User Account
The anonymous user is actually stored in the database. The username is configurable.
services.JetspeedSecurity.user.anonymous=anon
Disabling the Portlet Action Buttons
Portlets are decorated with window controls (portlet action buttons); the default controls display action buttons. These action buttons can be enabled or disabled for all authenticated users, or for the anonymous user only.
services.JetspeedSecurity.actions.anon.disable = true
services.JetspeedSecurity.action.allusers.disable = false