Security overview for Script Portlet V 1.3

The default security configuration of the Script Portlet places limits on which Portal users are able to access the editor and import features. These limits can be customized with the administration pages of your server.

By default, the Script Portlet imposes security constraints on several features that only authorized and trusted users are allowed to access. These features include the ability to define and edit new Script Portlet instances and the ability to import content that is used to construct those instances. Configure the security of these features properly to protect your server from malicious users.

Extra constraints are placed upon the upload feature that limit the size and content of uploaded archives. In the current release of the Script Portlet, these constraints cannot be changed by a customer. They are set by default at levels that easily accommodate most use cases.

The default settings for the Script Portlet might not be appropriate for all customers and all environments. You can change the permissions on the Script Portlet Library, its templates, and the Script Portlet Applications site area where you can push script-based applications for use as Script Portlets. Review the permissions and security settings by using the Portal administration tools, the Web Content Authoring tool, and the documented WebSphere® Portal and Web Content Manager security practices. These tools and documents help you ensure that the permissions are set for the users and roles in your environment.

When you review and set security permissions, remember that the Script Portlet Library contains different types of artifacts. Script Portlet developers push applications to the Script Portlet Applications site area, unless you create a custom site area for that use. Those site areas must be protected so that only developers can modify the content items and so that users who run Script Portlet applications can access them only as readers. The other contents of the Script Portlet Library include templates, which need to be accessed, but not modified, by users of Script Portlet applications. The Script Portlet Library also includes Script Portlet configuration items, which administrators must be able to modify to configure the Script Portlet environment for that portal or virtual portal.

You can use Script Portlet across virtual portals where different users or groups of users must be allowed to modify Script Portlet artifacts in their own virtual portal. Verify that you have appropriate permissions set on the Script Portlet library and its contents, along with any custom site areas, in each of those virtual portals.