980 Views 3 Replies Last post: Oct 19, 2009 7:20 AM by todd.west RSS
edovale Novice 226 posts since
Mar 29, 2009

Oct 19, 2009 6:18 AM

Securing the people page.

We are trying to restrict access to all profile and people pages to not allow unauthenticated users to see them.

The profile pages we were able to secure by overriding the struts action with our own and adding the @requiresAuthorization annotation to the new classes (btw, isn't there a declarative way of doing this other than having to extend a class just to add this annotation?).

For the people page though, it is not clear to me what action needs to be overridden. The URL to this page is http://<clearspace.url>/people which doesn't have the .jspa extension on it. Does anyone know how to secure this page?

Thanks.

ajohnson1200 Jive Employee 1,229 posts since
Jan 7, 2004
Oct 18, 2009 10:13 PM in response to: edovale
Re: Securing the people page.

One thing that might be easier / less intrusive would be to write a custom Acegi filter (details here: http://www.jivesoftware.com/builds/docs/jive_sbs_employee/latest/developer/ExampleAuthenticationandAuthorization.html) that maps to /people and have the implementation of the filter check (and reject) anonymous users.

Long term we're definitely looking to enable this through configuration rather than customization.

Cheers,

AJ
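
A sketch of the filter approach described in the reply above, added here as an example; it is not code from the thread or from Jive. It assumes Acegi Security 1.0.x package names, that the filter runs after the filter that populates the security context, and that `/login.jspa` stands in for the real login URL; the class name is hypothetical, and registering it in the product's filter chain is not shown because the thread does not describe it.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationTrustResolver;
import org.acegisecurity.AuthenticationTrustResolverImpl;
import org.acegisecurity.context.SecurityContextHolder;

/** Hypothetical filter (not Jive code): rejects anonymous requests to /people and below. */
public class PeoplePageGuardFilter implements Filter {

    private static final String PROTECTED = "/people";      // path from the thread
    private static final String LOGIN_PATH = "/login.jspa"; // assumption: replace with the real login URL

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isProtected(request) && isAnonymous()) {
            // Stop here: the people page is never rendered for a guest.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + LOGIN_PATH));
            return;
        }
        chain.doFilter(req, res);
    }

    /** True for /people, /people/ and anything below it; compares the container-decoded path. */
    static boolean isProtected(HttpServletRequest request) {
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        int semi = path.indexOf(';');               // drop ;jsessionid-style path parameters
        if (semi >= 0) path = path.substring(0, semi);
        path = path.toLowerCase(Locale.ENGLISH);
        return path.equals(PROTECTED) || path.startsWith(PROTECTED + "/");
    }

    /** Fails closed: a missing Authentication counts as anonymous. */
    private boolean isAnonymous() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null || !auth.isAuthenticated() || trustResolver.isAnonymous(auth);
    }
}
```

Because the check happens before the request reaches any action or template, it also covers URLs under /people that a template-level check would miss.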

todd.west Jive Employee 15,926 posts since
Jul 14, 2008
Oct 19, 2009 7:20 AM in response to: edovale
Re: Securing the people page.

Hi Erick,

A little more hack-ish way to do this (and not nearly as clean as an Acegi filter) would be to modify the templates that display the people page and profile pages to first check if the user is authenticated or not. Here is a public case explaining how to customize the people page specifically:

http://www.jivesoftware.com/jivespace/message/106447#106447

Basically, you'll need to wrap the people.ftl template around this code if you want to hide it for guests:

<#if !(authentication.anonymous)>
PLACE CODE HERE
<#else>
DO SOMETHING ELSE
</#if>

If you are a little more adventurous you could attempt to modify the filter chain dynamically from your plugin's init() method (I believe someone internally has done this before). Hope that helps. Thanks.

-Todd
