Security Features

Jetspeed has a number of configurable security settings. You can find most of these in the JetspeedSecurity.properties file. We will cover the ones that will probably be most used in a standard portal configuration.

Programmatic Security

Jetspeed can perform programmatic cascade deletes when deleting security objects. For example, when a user is deleted, all role and group associations will be automatically deleted with that user. This setting should be set to true for your database if it doesnt support cascading deletes. You would want to set this to true for the Hypersonic database.

services.JetspeedSecurity.programmatic.cascade.delete = false  

Secure Passwords

Make the password checking secure. When enabled, passwords are transformed by a one-way function into a sequence of bytes that is base64 encoded. When a user logs in, the entered password is transformed the same way and then compared with stored the value. The algorithm property lets you choose what digest algorithm will be used for encrypting passwords. Check documentation of your JRE for available algorithms.

services.JetspeedSecurity.secure.passwords = false
services.JetspeedSecurity.secure.passwords.algorithm = SHA

New User Roles

When a new user is created, one or more roles can be assigned to that user. Multiple Role must be comma separated.

services.JetspeedSecurity.newuser.roles = user

Default Permissions

When a security resource has no permissions defined, these are the default permissions(actions) that are applied to the security check. The following permissions are defined in the default Jetspeed installation: view, customize, minimize, maximize, close, info, detach. Specifying * denotes all permissions. The default settings can differ can be set for both anonymous access and authenticated (logged in) access.

services.JetspeedSecurity.permission.default.anonymous=view
services.JetspeedSecurity.permission.default.loggedin=*

Case Insensitive Usernames and Passwords

These options configure the logon username and password to be case sensitive or insensitive. When enabled, the logon.casesensitive.upper property controls whether the username and password are converted to upper or lower case before passing them on to the database.

services.JetspeedSecurity.caseinsensitive.username=false
services.JetspeedSecurity.caseinsensitive.password=false
services.JetspeedSecurity.caseinsensitive.upper=true

Auto-Account Disable

The Auto-Account-Disable Feature combines with the Logon-Strike-Count feature to disable accounts that may be under hacker attack. The strike count is over the strike interval. In the example below, 3 failed logons over five minutes would result in the account being disabled.

services.JetspeedSecurity.logon.auto.disable=false
services.JetspeedSecurity.logon.strike.count=3
services.JetspeedSecurity.logon.strike.interval=300
services.JetspeedSecurity.logon.strike.max=10

Password Expiration

Number of days until password expires. To disable this feature, set it to 0.

services.JetspeedSecurity.password.expiration.period = 0

Anonymous User Account

The anonymous user is actually stored in the database. The username is configurable.

services.JetspeedSecurity.user.anonymous=anon

Disabling the Portlet Action Buttons

Portlets are decorated with window controls (portlet action buttons). Some of these (the default) controls display action buttons. These action buttons can be enabled or disabled for all authenticated users, or for the anonymous user.

services.JetspeedSecurity.actions.anon.disable = true
services.JetspeedSecurity.action.allusers.disable = false