16.2. Securing the Content Management System

The JBoss Portal CMS system consists of a directory structure of Files organized unto their respective Folders. Both Files and Folders are considered to be CMS resources that can be secured based on portal Roles and/or Users.
The following features are supported by the fine grained security system of Portal CMS:
  • You can associate "Read", "Write", and "Manage" Permissions at the CMS node level. (Both Files and Folders are treated as CMS nodes)
  • The Permissions are propagated recursively down a folder hierarchy
  • Any Permissions specified explicitly on the CMS Node overrides the policy inherited via recursive propagation
  • You can manage the Permissions using the CMS Admin GUI tool via the newly added "Secure Node" feature

Table 16.1.  Portal CMS Permission Matrix:

Permissions Allowed Actions Implies
Read Read Contents of Folder, File and its versions N/A
Write Create and Update new Folder and File Read Access
Manage Delete/Copy/Move/Rename Folders and Files Read and Write Access

16.2.1. CMS Security Configuration

The configuration for the CMS Security service is specified in the jboss-portal.sar/portal-cms.sar/META-INF/jboss-service.xml file. The portion of the configuration relevant for securing the CMS service is listed as follows:
              
               <!-- CMS Authorization Security Service -->
               <mbean
                  code="org.jboss.portal.cms.security.AuthorizationManagerImpl"
                  name="portal:service=AuthorizationManager,type=cms"
                  xmbean-dd=""
                  xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
                  <xmbean/>
                  <attribute name="JNDIName">java:portal/cms/AuthorizationManager</attribute>  
                  <depends optional-attribute-name="Provider" proxy-type="attribute">
                    portal:service=AuthorizationProvider,type=cms
                  </depends>         
               </mbean>   
               <mbean
                  code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
                  name="portal:service=AuthorizationProvider,type=cms"
                  xmbean-dd=""
                  xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
                  <xmbean/> 
                  <!--
                    NOTE: cmsRootUserName denotes a single Portal user that has access to everything in the CMS. Denote this user
                carefully and should be synonymous to the 'root' user in UNIX operating systems. By default: this value is the built-in
                    'admin' user account. This can be changed to any other user account registered in your Portal
                  -->
                  <attribute name="CmsRootUserName">admin</attribute>  
                  <depends optional-attribute-name="IdentityServiceController" proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>     
               </mbean>         
               <!-- ACL Security Interceptor -->
               <mbean
                  code="org.jboss.portal.cms.impl.interceptors.ACLInterceptor"
                  name="portal:service=Interceptor,type=Cms,name=ACL"
                  xmbean-dd=""
                  xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
                  <xmbean/>
                  <attribute name="JNDIName">java:/portal/cms/ACLInterceptor</attribute>
                  <attribute name="CmsSessionFactory">java:/portal/cms/CMSSessionFactory</attribute>
                  <attribute name="IdentitySessionFactory">java:/portal/IdentitySessionFactory</attribute>
                  <attribute name="DefaultPolicy">
                    <policy>
                            <!-- permissions on the root cms node -->               
                            <criteria name="path" value="/">
                                <permission name="cms" action="read">
                                    <role name="Anonymous"/>
                                </permission>
                                <permission name="cms" action="write">
                                    <role name="User"/>
                                </permission>
                                <permission name="cms" action="manage">
                                    <role name="Admin"/>
                                </permission>
                            </criteria>
                            <!-- permissions on the default cms node -->                
                            <criteria name="path" value="/default">
                                <permission name="cms" action="read">
                                    <role name="Anonymous"/>
                                </permission>
                                <permission name="cms" action="write">
                                    <role name="User"/>
                                </permission>
                                <permission name="cms" action="manage">
                                    <role name="Admin"/>
                                </permission>
                            </criteria>                 
                            <!-- permissions on the private/protected node -->
                            <criteria name="path" value="/default/private">
                                <permission name="cms" action="manage">
                                    <role name="Admin"/>
                                </permission>
                            </criteria>
                    </policy>
                  </attribute>
                  <depends optional-attribute-name="AuthorizationManager" proxy-type="attribute">
                    portal:service=AuthorizationManager,type=cms
                  </depends>            
                  <depends>portal:service=Hibernate,type=CMS</depends>
                  <depends>portal:service=Module,type=IdentityServiceController</depends>      
               </mbean>

16.2.1.1. CMS Super User

A CMS Super User is a designated Portal User Account that has access to all resources/functions in the CMS. It is a concept similar to the super user concept in a Linux and UNIX security systems. This account should be carefully used and properly protected. By default, JBoss Portal designates the built-in 'admin' user account as a CMS Super User. This can be changed by modifying the cmsRootUserName value in the jboss-portal.sar/portal-cms.sar/META-INF/jboss-service.xml configuration.
                             
                <mbean
                  code="org.jboss.portal.cms.security.AuthorizationProviderImpl"
                  name="portal:service=AuthorizationProvider,type=cms"
                  xmbean-dd=""
                  xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean">
                  <xmbean/> 
                  <!--
                    NOTE: cmsRootUserName denotes a single Portal user that has access to everything in the CMS. Denote this user
                carefully and should be synonymous to the 'root' user in UNIX operating systems. By default: this value is the built-in
                    'admin' user account. This can be changed to any other user account registered in your Portal
                  -->
                  <attribute name="CmsRootUserName">admin</attribute>  
                  <depends optional-attribute-name="IdentityServiceController" proxy-type="attribute">portal:service=Module,type=IdentityServiceController</depends>     
               </mbean>         

16.2.1.2. CMS Security Console

The CMS Security Console is used to assign proper permissions to all the nodes/content in the CMS. Besides protection on CMS content, this console itself needs to be secured against unauthorized access. Currently, the console can be accessed only by Portal users that are members of the specified Role. By default, JBoss Portal uses the built-in Admin role to allow access to this security console. This can be customized by modifying the value of defaultAdminRole option specified in jboss-portal.sar/conf/identity/standardidentity-config.xml