Bug 793844 (JBEPP-918)

Summary: Secured content not available through CMSPreviewServlet if LDAP is used
Product: [JBoss] JBoss Enterprise Portal Platform 4
Reporter: Martin Weiler <mweiler>
Component: Portal
Assignee: Thomas Heute <theute>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: high
Version: 4.3.0.GA_CP6
CC: epp-bugs
Target Milestone: ---   
Target Release: 4.3.0.GA_CP7   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/JBEPP-918
Doc Type: Bug Fix
Environment: EPP 4.3_CP06 configured with LDAP
Last Closed: 2011-09-08 09:13:06 UTC
Type: Bug
Attachments: JBEPP-918.patch (flags: none)

Description Martin Weiler 2011-05-05 11:20:26 UTC
Help Desk Ticket Reference: https://na7.salesforce.com/500A0000007Agau
project_key: JBEPP

The following test for the CMSPreviewServlet uses the following URL: 

http://localhost:8080/portal-cms/cmspreview?v=1.0&l=en&p=/default/images/epp4.3.gif. 

1) Without login, access the URL directly, working. 
2) Login as the super user, navigate to the content, and click version 1.0 to view the content, working. 
3) Login as another user "devadmin", navigate to the content, and click version 1.0 to view the content, NOT working. 
4) Assign read permission to the "CustomAdminRole" role on epp4.3.gif ("devadmin" user belongs to this role), and then try to preview again, NOT working. 
5) Assign read permission to the "devadmin" user directly on epp4.3.gif file, and then try to preview again, working. 

The problem is that when the call is coming from the CMSPreviewServlet, the following call in org.jboss.portal.cms.security.AuthorizationProviderImpl#getCurrentRoles() returns null:

Subject subject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container");

This is the JIRA that caused the change: https://issues.jboss.org/browse/JBPORTAL-1990
and this is the corresponding changeset: http://fisheye.jboss.org/changelog/Portal/?cs=10633

In order to fix this problem, I'd suggest having a fallback mechanism in place that uses the membershipModule.
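
The failure mode and the suggested fallback, modelled as an added example that is not part of the original report and is not the attached JBEPP-918.patch: with a null container Subject, a role-based grant stops matching while a direct user grant still matches (steps 4 and 5). All class, field and method names are hypothetical; the Supplier stands in for the PolicyContext lookup and the Function for the membershipModule.

```java
import java.security.Principal;
import java.util.*;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.security.auth.Subject;
// Added illustration; all names are hypothetical, not JBoss Portal code.
public class RoleFallbackDemo {
    // Stand-in for a role principal carried by the container Subject.
    record Role(String name) implements Principal { public String getName() { return name; } }

    private final Supplier<Subject> containerSubject;       // stands in for the PolicyContext lookup
    private final Function<String, Set<String>> membership; // stands in for the membershipModule

    RoleFallbackDemo(Supplier<Subject> containerSubject, Function<String, Set<String>> membership) {
        this.containerSubject = containerSubject;
        this.membership = membership;
    }

    // Roles from the container Subject; when it is null, ask the membership store instead.
    Set<String> currentRoles(String authenticatedUser) {
        Subject subject = containerSubject.get();
        if (subject != null) {
            Set<String> roles = new HashSet<>();
            for (Role r : subject.getPrincipals(Role.class)) roles.add(r.getName());
            return roles;
        }
        if (authenticatedUser == null) return Set.of(); // no identity to look up
        Set<String> roles = membership.apply(authenticatedUser);
        return roles == null ? Set.of() : roles;
    }

    // Read is allowed when the user, or one of the user's roles, is on the ACL.
    boolean canRead(String user, Set<String> aclUsers, Set<String> aclRoles) {
        if (user != null && aclUsers.contains(user)) return true;
        return !Collections.disjoint(currentRoles(user), aclRoles);
    }

    public static void main(String[] args) {
        // Constructed data mirroring the report: devadmin belongs to CustomAdminRole.
        Map<String, Set<String>> directory = Map.of("devadmin", Set.of("CustomAdminRole"));
        Set<String> aclRoles = Set.of("CustomAdminRole");
        Supplier<Subject> noSubject = () -> null; // what the servlet request path saw
        RoleFallbackDemo before = new RoleFallbackDemo(noSubject, user -> Set.of());
        RoleFallbackDemo after = new RoleFallbackDemo(noSubject, directory::get);
        System.out.println("role grant, no fallback:   " + before.canRead("devadmin", Set.of(), aclRoles));
        System.out.println("role grant, with fallback: " + after.canRead("devadmin", Set.of(), aclRoles));
        System.out.println("direct user grant:         " + before.canRead("devadmin", Set.of("devadmin"), Set.of()));
    }
}
```

The example uses a record, so it needs Java 16 or later; it runs as a single source file with `java RoleFallbackDemo.java`.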

Comment 1 Martin Weiler 2011-05-05 11:45:07 UTC
Attaching a patch proposal.

Comment 2 Martin Weiler 2011-05-05 11:45:07 UTC
Attachment: Added: JBEPP-918.patch


Comment 3 Scott Mumford 2011-07-12 05:59:37 UTC
Release Notes Docs Status: Added: Not Yet Documented


Comment 4 Jared MORGAN 2012-01-23 04:06:21 UTC
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue
Release Notes Text: Added: A bug in the org.jboss.portal.cms.security.AuthorizationProviderImpl#getCurrentRoles() call was incorrectly returning null. Users authenticated using LDAP were not seeing content that should have been available to them through the CMSPreviewServlet. The fix implements a fallback mechanism that uses the membershipModule to correctly authenticate users.