Securing portlets

Now let us see how to secure a new portlet that uses only standard configurations.

Getting ready

In this recipe, we will access these Java Web Technologies:

  • JSP/Servlet
  • Portlet 286
  • WebUI

How to do it…

This is the structure of a simple project working with portlets:


The web.xml file contains only an empty web-app tag to allow the deployment of the application.

Here is the welcome.jsp:

<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet"%>

<portlet:defineObjects />

<div class="portlet-section-header">
  <%-- renderRequest is made available by <portlet:defineObjects />;
       each check is true only if the user holds the mapped role --%>
  users: <%=renderRequest.isUserInRole("users")%>
  | administrators: <%=renderRequest.isUserInRole("administrators")%>
</div>

Add the following roles in the portlet.xml file (inside the <portlet> element of the portlet that renders welcome.jsp) and deploy the application:

<!-- role-name is what the code passes to isUserInRole();
     role-link is the portal role it resolves to -->
<security-role-ref>
   <role-name>administrators</role-name>
   <role-link>administrators</role-link>
</security-role-ref>
<security-role-ref>
   <role-name>users</role-name>
   <role-link>users</role-link>
</security-role-ref>

If we add the new portlet to a page while logged in as the root user, the portlet shows the result of the two role checks for that user.
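The JSP above only displays the outcome of isUserInRole(); the following portlet class is an added example (not code from the book or from GateIn) that uses the same two mapped role names to gate what gets rendered and what an action is allowed to do. It assumes the two <security-role-ref> entries above are present in portlet.xml, because without a matching security-role-ref the container answers false for that role name; the class and action names are illustrative.

```java
// Added example, not from the book or GateIn: a JSR-286 portlet that checks the
// mapped roles before rendering privileged markup and before running an action.
// Assumes the <security-role-ref> entries for "users" and "administrators" exist
// in portlet.xml; an unmapped role name makes isUserInRole() return false.
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.ProcessAction;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class SecuredPortlet extends GenericPortlet {

    // Role names exactly as declared in <security-role-ref>/<role-name>;
    // GateIn links them to /platform/administrators and /platform/users by default.
    private static final String ROLE_ADMIN = "administrators";
    private static final String ROLE_USER = "users";

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // Anonymous visitors have no remote user: render nothing privileged.
        if (request.getRemoteUser() == null) {
            out.println("<p>Please log in to use this portlet.</p>");
            return;
        }

        out.println("<p>Logged in as " + escape(request.getRemoteUser()) + "</p>");

        if (request.isUserInRole(ROLE_USER)) {
            out.println("<p>Member content</p>");
        }

        // Privileged markup is emitted only when the role check passes
        // (deny by default: no else branch shows anything).
        if (request.isUserInRole(ROLE_ADMIN)) {
            out.println("<p>Administration panel</p>");
        }
    }

    // Hiding a link in doView() is not authorization: the action phase
    // re-checks the role server-side before doing any privileged work.
    @ProcessAction(name = "adminAction")
    public void adminAction(ActionRequest request, ActionResponse response)
            throws PortletException, IOException {
        if (!request.isUserInRole(ROLE_ADMIN)) {
            throw new PortletException("adminAction requires role " + ROLE_ADMIN);
        }
        // privileged work would go here
    }

    // Minimal HTML escaping for the user name echoed back into the page.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The action-phase check matters because a user can submit an action URL without ever seeing the link that doView() withheld; the render and action phases are separate requests and must each enforce the role.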


How it works…

What does it mean? It means that the developer is now ready to work with the permissions. The role names configured in the portlet, administrators and users, are mapped automatically in GateIn to the roles /platform/administrators and /platform/users. The same mapping works for any group name; the important thing is that the group exists inside the /platform folder, at any level.

There's more...

If we don't want to use the /platform folder for our groups, we can use the root folder (/) and use the first node of the group path as the role. For example, for the group /organization/management/executive-board, you need to use the role organization in your portlet.

If we don't want to use that either, we need to reconfigure the Role Extractor component. This component extracts the roles of the portal so that they can be used by standard Java mechanisms, for example JAAS authorization. The change is a component entry added to a configuration XML file (for example idm-configuration.xml):

<component>
  <key>
    org.exoplatform.services.security.RolesExtractor
  </key>
  <type>
    org.exoplatform.services.security.impl.DefaultRolesExtractorImpl
  </type>
  <init-params>
    <value-param>
      <name>user.role.parent.group</name>
      <description>authentication service use this value to authenticate</description>
      <value>platform</value>
    </value-param>
  </init-params>
</component>

Put the desired parent group name instead of platform.

However, remember that the platform folder contains the administrators, guests, and common users, so before changing it, you must create the new groups under the new folder and associate the users with them. Make sure that you do this!
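To make the effect of user.role.parent.group concrete before changing it, here is an added example (a model written for this page, not GateIn's DefaultRolesExtractorImpl) of the mapping rule described above: a group under the parent folder yields the first path segment below that folder as the role, and with the root folder the first node of the path is the role. The membership paths and the class name are constructed for illustration.

```java
// Added example, not GateIn's own code: a model of the documented rule that maps
// group membership paths to portlet role names under a given parent group.
// Group paths below are constructed sample memberships for one hypothetical user.
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class RoleMappingModel {

    /**
     * Derives the role name for one group membership path, or null if the
     * group lies outside the configured parent folder.
     * parentGroup "platform" (or "/platform") means the /platform folder;
     * "" or "/" means the root folder.
     */
    static String roleFor(String groupPath, String parentGroup) {
        String parent = parentGroup == null ? "" : parentGroup.replaceAll("^/+|/+$", "");
        String prefix = parent.isEmpty() ? "/" : "/" + parent + "/";
        if (groupPath == null || !groupPath.startsWith(prefix)) {
            return null;
        }
        // The role is the first path segment below the parent folder,
        // whatever depth the membership group itself has.
        String rest = groupPath.substring(prefix.length());
        int slash = rest.indexOf('/');
        String role = slash < 0 ? rest : rest.substring(0, slash);
        return role.isEmpty() ? null : role;
    }

    /** Collects the distinct roles a user obtains from all memberships. */
    static Set<String> rolesFor(Iterable<String> groupPaths, String parentGroup) {
        Set<String> roles = new LinkedHashSet<>();
        for (String g : groupPaths) {
            String r = roleFor(g, parentGroup);
            if (r != null) {
                roles.add(r);
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        List<String> groups = Arrays.asList(
                "/platform/administrators",
                "/platform/users",
                "/organization/management/executive-board");

        // Default setting: only groups under /platform produce roles, so the
        // organization membership contributes nothing for this portlet.
        System.out.println("parent=platform: " + rolesFor(groups, "platform"));

        // Root folder setting: the first node of every path becomes the role,
        // which is why the page says to use the role "organization" here.
        System.out.println("parent=/: " + rolesFor(groups, "/"));

        // A renamed parent folder only yields roles for groups created under it;
        // this is the reason the text insists on creating those groups first.
        System.out.println("parent=acme: " + rolesFor(groups, "acme"));
    }
}
```

Run it before switching the parent group: if the set printed for your intended value is empty for the users you expect to be administrators, the groups and memberships under the new folder have not been created yet.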

When we deploy the portlet, it is configured as public in the Application Registry.


If we don't want a public portlet, we can simply clear the public option and configure the access permissions through the web console.
