Solution - Authenticated users have view access to Admin.jspx in WebCenter Portal. When any logged-in user opens http://<host>:<port>/<ContextPath>/admin they are taken to the administration screen. By default the authenticated role has no permission to perform any action on that screen, but letting every logged-in user see the admin pages is still not good practice.
A simple way to protect it is to change the permissions granted on the Admin page in jazn-data.xml.
Step 1 - In JDeveloper go to Application Descriptors > jazn-data.xml > Resource Grants > Web Page permission and select the check box "Show web page from ADF libraries".
Step 2 - The Admin page now appears in the list; select it to see the permissions granted on it. By default the authenticated role has view access, so delete that default grant and grant all permissions to Administrators.
Step 3 - Run the application, log in as an ordinary authenticated user (one who is not a member of Administrators) and try to access /admin. You will get an HTTP 401 unauthorized page :-)
So now /admin is protected :-) Only users who hold the Administrators application role can still reach it.
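Because the JDeveloper editor hides what it actually writes, here is an added example (not code from the original post or from Oracle WebCenter) that audits a jazn-data.xml and reports who can view the Admin page. It embeds two constructed fragments: the default state, where the built-in authenticated role has "view" on the page, and the corrected state after Step 2, where only Administrators holds a grant. Assumptions: page grants use ADF's RegionPermission class, the built-in role is named "authenticated-role", and the Admin page definition name used here (AdminPageDef) is a placeholder; read the real one from your own jazn-data.xml and pass it as page_suffix.

```python
"""Audit jazn-data.xml grants on the WebCenter Admin page.

Added example, not code from the original post or from Oracle WebCenter.
Assumptions: page grants use ADF's RegionPermission class, the built-in
authenticated role principal is named "authenticated-role", and the Admin
page definition name ends in "AdminPageDef" (a placeholder; the real name is
whatever your application's jazn-data.xml lists for Admin.jspx).
"""
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/oracleas/schema/11/jazn-data-11_0.xsd"
REGION_PERMISSION = "oracle.adf.share.security.authorization.RegionPermission"
AUTHENTICATED_ROLE = "authenticated-role"
ALL_ACTIONS = "view,customize,edit,grant,personalize"

# Assumed page-definition name for Admin.jspx; read the real one from your file.
ADMIN_PAGE_DEF = "oracle.webcenter.webcenterapp.view.pageDefs.AdminPageDef"


def _grant(principal_class, principal_name, page_def, actions):
    """Build one <grant> element in the shape JDeveloper writes (constructed sample)."""
    return f"""
    <grant>
      <grantee>
        <principals>
          <principal>
            <class>{principal_class}</class>
            <name>{principal_name}</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>{REGION_PERMISSION}</class>
          <name>{page_def}</name>
          <actions>{actions}</actions>
        </permission>
      </permissions>
    </grant>"""


def _jazn(*grants):
    """Wrap grants in a minimal jazn-data.xml skeleton (constructed sample)."""
    return (f'<jazn-data xmlns="{NS}"><policy-store><applications><application>'
            "<name>webcenter</name><jazn-policy>" + "".join(grants) +
            "</jazn-policy></application></applications></policy-store></jazn-data>")


# Default state: every authenticated user may view the Admin page (weak).
BEFORE = _jazn(_grant("oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl",
                      AUTHENTICATED_ROLE, ADMIN_PAGE_DEF, "view"))

# Corrected state: the authenticated-role grant is deleted and the
# Administrators application role receives every action on the page.
AFTER = _jazn(_grant("oracle.security.jps.service.policystore.ApplicationRole",
                     "Administrators", ADMIN_PAGE_DEF, ALL_ACTIONS))


def _local(tag):
    """Strip the XML namespace so lookups do not depend on it."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def page_grants(jazn_xml, page_suffix="AdminPageDef"):
    """Map each principal name to the set of actions it holds on the page."""
    grants = {}
    for grant in ET.fromstring(jazn_xml).iter():
        if _local(grant.tag) != "grant":
            continue
        principals = [_child_text(p, "name") for p in grant.iter()
                      if _local(p.tag) == "principal"]
        for perm in grant.iter():
            if _local(perm.tag) != "permission":
                continue
            if (_child_text(perm, "class") != REGION_PERMISSION
                    or not _child_text(perm, "name").endswith(page_suffix)):
                continue
            actions = {a.strip() for a in _child_text(perm, "actions").split(",") if a.strip()}
            for principal in principals:
                grants.setdefault(principal, set()).update(actions)
    return grants


def authenticated_can_view(jazn_xml, page_suffix="AdminPageDef"):
    """True when the built-in authenticated role still has 'view' on the page."""
    return "view" in page_grants(jazn_xml, page_suffix).get(AUTHENTICATED_ROLE, set())


if __name__ == "__main__":
    import sys
    # Usage: python audit_jazn.py [path/to/jazn-data.xml]; defaults to the samples.
    sources = {"before": BEFORE, "after": AFTER}
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = {sys.argv[1]: fh.read()}
    for label, xml_text in sources.items():
        verdict = "WEAK: authenticated-role can view" if authenticated_can_view(xml_text) else "ok"
        print(label, page_grants(xml_text), verdict)
```

Run it against the jazn-data.xml in your project after Step 2: the authenticated-role entry should be gone from the report for the Admin page and Administrators should hold all five actions. Keep in mind that this only checks the file-based policy store; once the application is deployed, the effective policy lives in the domain's policy store (OPSS), so re-check there if the grants were migrated.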