Version 11

    Custom JACC Example for JBoss Portal 2.2

     

     

    This wiki contains a sample PortalJaccPolicy class that demonstrates how you can override the standard portal security implementation with authorization checks of your own. This wiki assumes you've already read http://docs.jboss.com/jbportal/v2.2/reference-guide/en/html/security.html and that you want to override the "implies" method in the PortalJaccPolicy class.

     

    Brief JBoss Portal 2.2 Security Summary

     

    By default, authentication actually occurs in org.jboss.portal.core.security.jaas.ModelLoginModule. This JAAS extension class authenticates the user.

     

    Portal authorization starts with org.jboss.portal.security.impl.jacc.PortalJaccPolicy, a copy of the app server's default JACC implementation class that's re-packaged in the jboss-portal.sar, and it doesn't do any authorization. Instead, these 3 external permission type classes are JACC extensions that handle the authorization for access to various portal framework objects:

     

    • org.jboss.portal.core.security.PortalObjectPermission,

    • org.jboss.portal.core.security.InstancePermission,

    • org.jboss.portal.core.security.ComponentPermission

     

    Each class handles the permission association at its own portal object level. So, the PortalObjectPermission class handles authorization of portal objects, InstancePermission handles portlet instances, etc.

     

    Custom PortalJaccPolicy Sample

     

    Attached is a zip file that contains a PortalJaccPolicy.java file and build scripts that'll deploy the custom portal JACC implementation to a JBoss Portal 2.2 server. Key features include:

     

    • Overrides the implies() method and calls a silentAuthorization() method

      • silentAuthorization() method checks a properties file for portal object definitions for an "Adminstrator" role. This is a bit hard-coded, but the intention is to demonstrate that this JACC override will actually work.

      • Properties file key=role

      • Properties file value=comma separated list of portlets and portal pages user has access to

    • You can delete entries from the properties file and see the portal tabs disappear.

    • Also, you can create a new portal page

      • Add a portlet window and portlet instance to that portal page

      • Change the permissions so that all cannot "VIEW"

      • Add the portal objects to the properties file portal object value list

      • Hit the portal page and see that you now have access
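
    The following is an added sketch of the override described above, not the attached PortalJaccPolicy.java and not JBoss Portal code: implies() routes portal permissions to a silentAuthorization() check that reads role=object-list entries and denies anything not listed. The class names, the stub permission type, the object identifiers and the treatment of each principal name as a role are assumptions made for illustration; it is written for Java 8 or later.

```java
import java.io.StringReader;
import java.security.*;
import java.util.*;
// Added sketch; every class name and object identifier below is hypothetical.
public class SilentAuthPolicySketch extends Policy {
    // Stand-in for the portal permission types (PortalObjectPermission, InstancePermission, ...).
    static final class PortalPermissionStub extends BasicPermission {
        PortalPermissionStub(String objectId) { super(objectId); }
    }
    private final Policy delegate;   // consulted for every non-portal permission type
    private final Map<String, Set<String>> grants = new HashMap<>();

    SilentAuthPolicySketch(Policy delegate, Properties props) {
        this.delegate = delegate;
        // key = role, value = comma separated list of portal objects the role may access
        for (String role : props.stringPropertyNames()) {
            Set<String> objects = new HashSet<>();
            for (String id : props.getProperty(role).split(",")) {
                if (!id.trim().isEmpty()) objects.add(id.trim());
            }
            grants.put(role, objects);
        }
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return permission instanceof PortalPermissionStub
                ? silentAuthorization(domain, permission.getName())
                : delegate != null && delegate.implies(domain, permission);
    }

    // Deny by default: grant only when a role of the caller lists the exact object id.
    boolean silentAuthorization(ProtectionDomain domain, String objectId) {
        for (Principal p : domain.getPrincipals()) {   // assumption: principal name == role name
            Set<String> allowed = grants.get(p.getName());
            if (allowed != null && allowed.contains(objectId)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Constructed sample entry; the role name is spelled as on this page.
        props.load(new StringReader("Adminstrator=default.Home, default.Reports\n"));
        Policy policy = new SilentAuthPolicySketch(null, props);
        ProtectionDomain admin = new ProtectionDomain(null, null, null,
                new Principal[] { () -> "Adminstrator" });
        System.out.println(policy.implies(admin, new PortalPermissionStub("default.Home")));
        System.out.println(policy.implies(admin, new PortalPermissionStub("default.Hidden")));
    }
}
```

    Matching on the exact object identifier, rather than a prefix or substring, means a removed entry can only take access away, which is the behaviour seen when deleting entries from the properties file.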

     

    What Now???

     

    Keep an eye on this forum because any changes/enhancements to the current JACC implementation are likely to be hashed out here: http://jboss.com/index.html?module=bb&op=viewtopic&t=73586&start=0&postdays=postDays&postorder=postOrder&highlight=highlight.