What is the best way to disable anonymous access in Red Hat JBoss Portal

Solution Unverified

Environment

  • JBoss Enterprise Portal Platform (EPP)
    • 5.x
  • Red Hat JBoss Portal (JPP)
    • 6.x

Issue

  • What is the best way to disable anonymous access in EPP 5?
  • I want all requests to /portal/public to be redirected to /portal/private, so that everyone needs to authenticate before accessing portal.
  • The default homepage should only be accessible by authenticated users. How can this be achieved?

Resolution

JBoss Enterprise Portal Platform 5.x

If you want to disable anonymous access, the best way is to modify the index.jsp file located under gatein.ear/02portal.war/.
You just change

response.sendRedirect(request.getContextPath() + "/public/"+userPortalConfigService.getDefaultPortal()+"/");

to

response.sendRedirect(request.getContextPath() + "/private/"+userPortalConfigService.getDefaultPortal()+"/");

This will change the first redirect to target the /private context, which is protected by the security constraint configured in gatein.ear/02portal.war/WEB-INF/web.xml. However, there is still the chance that users could navigate to the /public pages by entering the full URL.

To prevent this from happening, the /public context needs to be secured as well by adding the following to gatein.ear/02portal.war/WEB-INF/web.xml:

    <!-- copy the /private/* security-constraint and define it
         for the /public/* context as well, to prevent anonymous
         access to EPP -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>user authentication</web-resource-name>
        <url-pattern>/public/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>users</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
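After editing web.xml it is easy to leave one context covered and the other not, so a small check that parses the deployed descriptor and confirms that both /private/* and /public/* sit inside a security-constraint carrying an auth-constraint is useful. The following script is an added example, not part of the Red Hat article or of the GateIn/EPP code base; the two web.xml fragments embedded in it are constructed for illustration and use the javaee namespace that a real descriptor declares.

```python
"""Verify that the portal's /private/* and /public/* contexts both require
authentication in web.xml (added example, constructed sample descriptors)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name') from a tag."""
    return tag.rsplit('}', 1)[-1]


def protected_patterns(web_xml_text):
    """Map each url-pattern that requires authentication to its allowed roles.

    A pattern is reported only when its <security-constraint> contains an
    <auth-constraint>; a constraint without one lets anonymous requests
    through. An <auth-constraint> with no <role-name> denies everyone, so the
    role set may legitimately be empty.
    """
    root = ET.fromstring(web_xml_text)
    covered = {}
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        auth = [el for el in sc if _local(el.tag) == 'auth-constraint']
        if not auth:
            continue  # no auth-constraint: the patterns stay anonymous
        roles = {r.text.strip() for el in auth for r in el
                 if _local(r.tag) == 'role-name' and r.text}
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            for up in wrc:
                if _local(up.tag) == 'url-pattern' and up.text:
                    covered.setdefault(up.text.strip(), set()).update(roles)
    return covered


def unprotected_contexts(web_xml_text, contexts=('/private/*', '/public/*')):
    """Return the contexts that no authentication-requiring constraint covers."""
    covered = protected_patterns(web_xml_text)
    return [c for c in contexts if c not in covered]


# Constructed sample: the stock layout, where only /private/* is protected.
DEFAULT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user authentication</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same descriptor after adding the /public/* constraint.
HARDENED_WEB_XML = DEFAULT_WEB_XML.replace(
    '</security-constraint>',
    '</security-constraint>\n'
    '  <security-constraint>\n'
    '    <web-resource-collection>\n'
    '      <web-resource-name>user authentication</web-resource-name>\n'
    '      <url-pattern>/public/*</url-pattern>\n'
    '      <http-method>POST</http-method>\n'
    '      <http-method>GET</http-method>\n'
    '    </web-resource-collection>\n'
    '    <auth-constraint>\n'
    '      <role-name>users</role-name>\n'
    '    </auth-constraint>\n'
    '  </security-constraint>', 1)

if __name__ == '__main__':
    for label, text in (('default', DEFAULT_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        gaps = unprotected_contexts(text)
        print(f'{label}: {"OK" if not gaps else "anonymous access via " + ", ".join(gaps)}')
```

Run it against the real descriptor by reading gatein.ear/02portal.war/WEB-INF/web.xml into a string and passing it to unprotected_contexts(); any context it prints is still reachable without logging in. The check deliberately ignores http-method lists: a constraint that names only GET and POST leaves other methods unconstrained, which is the same behaviour as the descriptor shown above and is outside what this article changes.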

Red Hat JBoss Portal 6.x

  • On a fresh installation, log in as root
  • Go to 'Site -> Manage sites'
  • Click the 'Edit Portal's config' link for the classic portal
  • Open the 'Permission Settings' tab
  • Uncheck the 'Make it public' checkbox
  • Add an access permission, e.g. *:/platform/users

Root Cause

EPP 5 allows both logged-in and anonymous users to access the portal through two separate contexts, /private and /public respectively. Resources whose permission is set to "Everyone" can be reached by anonymous users through the /public context; resources whose permission requires a specific role can only be reached by logged-in users through the /private context.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
