Security Constraints are applied to pages and folders. Security Constraints either grant or deny access to pages and folders. Constraints can be defined in one or all of these four places:
Grants are associated with permissions, authorizing, or granting, a principal list access to a page or folder. A granting security constraint is the association of a list of one or more security principals combined with one or more permissions. Grant constraints grant access to a page or folder for the associated list of permissions.
A deny security constraint is declared with one or more security principals; with no associated permissions. Deny constraints prohibit access to the page or folder for the given list of principals. Note that deny constraints must be listed before grant constraints.
When working with pages and folder resource constraints, a constraint can be either a declarative constraint or a referential constraint. Declarative constraints are declared and put to use right in place for the particular page or folder resource. Where as referential constraints refer to a constraint declared in a centralized security constraint resource: the page.security file. Each site or subsite can have one page.security resource for declaring constraints to be referenced in any page or folder.
A security constraint is an XML element found in a PSML file, a folder metadata file, or in the global security declarations. A security constraint has one attribute: the name. A security constraint has the following elements:
The first four elements (roles, groups, users, owner) all define the principals who will either have a permission granted or denied.
Permissions are the portal modes that are granted by the security constraint. Note that permissions are only granted, not denied. The view permission is similiar to the read permission found in operating systems. The edit permission is similiar to the write permission found in operating systems. The help permission is similiar to the info permission found in some portals.
Constraints can be granted to one or more role principals for a set of permissions on a given resource. Roles are derived from the authorized users list of role principals, i.e. the roles that the user is a member of. If the authorized user is a member of any of the listed roles, the permission to the resource will be granted.
<security-constraint> <roles>adminstrator, manager</roles> <permissions>view, edit</permissions> </security-constraint>
<security-constraint> <roles>adminstrator, manager</roles> </security-constraint>
Constraints can be granted to one or more group principals for a set of permissions on a given resource. Groups are derived from the authorized users list of group principals, i.e. the groups that the user is a member of. If the authorized user is a member of any of the listed groups, the permission to the resource will be granted.
<security-constraint> <groups>accounting, development</groups> <permissions>view</permissions> </security-constraint>
<security-constraint> <groups>accounting, development</groups> </security-constraint>
Constraints can be granted to one or more user principals for a set of permissions on a given resource: The current user must be one of the listed principals in the comma-separated list in order to grant permission to the resource.
<security-constraint> <users>joey, deedee, johnny</users> <permissions>view, edit, help</permissions> </security-constraint>
<security-constraint> <users>fred</users> </security-constraint>
Note that you can grant or deny permissions to a collection of one or more principal types. For example, here we grant view and edit permissions to the roles (manager, developer), and to the groups (QA and Research), and to the particular user (dilbert): If the authorized user is a member of any of the listed roles, groups, or users, the permission to the resource will be granted.
<security-constraint> <roles>hacker, coder, guru</roles> <groups>unix, linux, freebsd</groups> <users>betty, fred, barney, wilma</users> <permissions>view, edit</permissions> </security-constraint>
Constraints can also deny combinations of principals access to the entire resource. If the authorized user is a member of any of the listed groups, roles or users, all access to the resource is denied.
<security-constraint> <roles>hacker, coder, guru</roles> <groups>unix, linux, freebsd</groups> <users>betty, fred, barney, wilma</users> </security-constraint>
Declarative constraints are defined in the page.security file of the root of a site. Declarative constraints are referenced in pages and folders with the security-constraints-ref tag. Global constraints are also declarative constraints. They are also defined and found in the page.security file in the root PSML repository. The difference with global constraints is that they implicitly apply to all folders and pages within the scope of the page.security file, (i.e. the site). Note that there can be only one page.security file in a Jetspeed installation.
<security-constraints-def name="admin"> <security-constraint> <roles>admin</roles> <permissions>view, edit</permissions> </security-constraint> </security-constraints-def> <global-security-constraints-ref>admin</global-security-constraints-ref>
In addition to constraint reference by name, the security-constraints-ref and global-security-constraints-ref tags accept logical expressions with constraint reference operands to express more complex grants. Expressions are normally employed when the default "OR" grant logic of security constraints lists becomes awkward or alternative logic such as "AND" or "NOT" is required.
<global-security-constraints-ref>admin and noc</global-security-constraints-ref>
<security-constraints-ref>(support || engineering) && !marketing</security-constraints-ref>
Several security constraint declarations are made in the default deployment of Jetspeed:
name | grants | permissions | global |
---|---|---|---|
admin | roles: admin | view, edit | yes |
manager | roles: manager | view | no |
users | roles: user, manager | view | no |
public-view | users: * | view | no |
public-edit | users: * | view, edit | no |
Folder Security constraints are placed in a
<security-constraints> <security-constraints-ref>public-view</security-constraints-ref> <security-constraint> <groups>engineering</groups> <permissions>view</permissions> </security-constraint> </security-constraints>
Note that all security constraints must be placed within a security-constraints collection.
Page Security constraints are placed
<security-constraints> <security-constraints-ref>global-view</security-constraints-ref> <security-constraint> <groups>accounting</groups> <permissions>view, edit</permissions> </security-constraint> </security-constraints>
Note that all security constraints must be placed within a security-constraints collection.
As with Page Security constraints, Fragment Security constraints are placed within
Globally, these are set for a portlet or its portlet application using the administration interface or in the applications's jetspeed-portlet.xml. See Portal Components - Registry.
However, these global security constraints are not checked by default at render time for 'view', allowing 'view' if the user can see the portlet's containing page.
Security therefore relies on constraining access to folders and pages, controlling who can add portlets and where, and constraining access to portlet instances on a page individually by their containing fragments.
To enable render-time security constraint checking as an extra catch-all, see Portal Components - Registry.
Declarative Security Constraints are enabled by default in the Spring configuration of the Page Manager component. Here is the default Page Manager bean configuration from the page-manager.xml spring assembly configuration file:
<bean id="org.apache.jetspeed.page.PageManager" name="pageManager" class="org.apache.jetspeed.page.psml.CastorXmlPageManager"> <constructor-arg index="0"><ref bean="IdGenerator"/></constructor-arg> <constructor-arg index="1"><ref bean="DocumentHandlerFactory"/></constructor-arg> <constructor-arg index="2"><ref bean="FolderHandler"/></constructor-arg> <constructor-arg index="3"><ref bean="PageFileCache"/></constructor-arg> <!-- permissions security enabled flag, default=false --> <constructor-arg index="4"><value>false</value></constructor-arg> <!-- constraints security enabled flag, default=true --> <constructor-arg index="5"><value>true</value></constructor-arg> </bean>
Here the 6th, (index="5"), boolean constructor argument specifies whether or not the "constraints security" model is enabled. If the Declarative Security Constraints are not enabled, all inline, referenced, and global security constraints will be ignored.