Authorization on portlets


Yannick Ongena

Jan 20, 2011, 4:20:24 AM
to webcen...@googlegroups.com
All,
 
I would like to discuss how we can build authorization in portlets using the ADF Portlet bridge by using the ADF security model of a WebCenter portal.
In the portlet.xml we have the possibility to add role mapping. This way you can pass application roles to your portlet. However, these roles need to be J2EE roles.
The  ADF security model is not based upon J2EE roles so we need to find another way to authorize users in the portlet.
 
It would be ideal that we could use the features of the portlet standard and just map the roles from a WebCenter application in the portlets however this is not possible. 
 
There are some options that I thought about to solve this issue:
 
We could create our own security model by storing the users/roles in a database. We could add a SQLAuthenticator to the WebLogic instance so the users and roles are available in our WebCenter application.  
In our portlet we do get the name of the user who is authenticated to the portal application so based upon that, we can query the database and request the needed information.
 
All the users and roles are stored in the WebLogic server. This is also available as an LDAP so we could create a class that queries an LDAP. This is a more generic solution because when the identity store changes, we only need to set some properties in the LDAP class.  
 
Are there people who already have build a technique to authorize users in a portlet? If so, how did you do it and what are your findings on the used technique?
 
Regards
Yannick 

Yannick Ongena

Jan 26, 2011, 7:50:31 AM
to webcen...@googlegroups.com
Does nobody have to use authorization in portlets?
--
You received this message because you are subscribed to the WebCenter Enterprise Methodology Group (http://groups.google.com/group/webcenter-emg). To unsubscribe send email to webcenter-em...@googlegroups.com
 
All content to the WebCenter EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the WebCenter EMG with a link to the Google Group (http://groups.google.com/group/webcenter-emg).

Chris Broadbent

Jan 26, 2011, 10:58:01 AM
to webcen...@googlegroups.com, Yannick Ongena, Paul Spencer
Yannick,
    What you are trying to do is possible...and you don't need to write any code to do it...you just need to map your JEE roles to enterprise roles in WLS by adding <security-role-assignment> entries to weblogic.xml

In the following snippet, "director" is a JEE role defined in web.xml & the principals "test" and "administrator" are enterprise roles defined in OPSS:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <security-role-assignment>
     <role-name>director</role-name>
     <principal-name>test</principal-name>
     <principal-name>administrators</principal-name>
   </security-role-assignment>
</weblogic-web-app>
```
Once you have set up the mapping from JEE role -> enterprise role you can manage grants to the enterprise roles using ADF security.

Note: in WSRP, only the markup is secured. The list of portlets offered by a producer is not. If you want to control the visibility of portlets in a resource catalog, you can do so by implementing a PortletSecurityHelper. PortletSecurityHelper was introduced in 11g PS3 & is documented in the public javadoc.

Chris
--
Chris Broadbent | Consulting Member of Technical Staff | 540 687 6216
Oracle Server Technologies
1900 Oracle Way, Reston VA 20190


Maiko Rocha

Jan 26, 2011, 11:36:42 AM
to webcen...@googlegroups.com
Hi Yannick,

I'm not a security expert, especially regarding portlets - which I personally don't like, especially in a world with Web Services and Task Flows, but that's a different and controversial topic :-). Aaanywaaay, have you seen this article from Andre Correa, a colleague of mine? Do you think it is of good help for your case or am I just too lost?


[]s!
Maiko

Yannick Ongena

Jan 26, 2011, 4:01:23 PM
to webcen...@googlegroups.com
Chris,

This looks promising! I will do some testing and come back with the result.

Regards
Yannick

Chris Broadbent

Jan 26, 2011, 4:20:11 PM
to webcen...@googlegroups.com, Yannick Ongena
Yannick - I just realized that one thing I said below is incorrect:

Once you have set up the mapping from JEE role -> enterprise role you can manage grants to the enterprise roles using ADF security
The portlet security is based purely on group membership, not grants.
  1. portlet client (consumer) determines the list of JEE roles for the current user based on enterprise group membership
  2. portlet client (consumer) converts the list of JEE roles to portlet "user categories" using the mapping defined in the portlet registration wizard
  3. portlet client (consumer) passes the list of "user categories" to the portlet server (producer)
  4. portlet server (producer) uses the list of user categories to determine
    1. whether the user can view a portlet
    2. what content should render in the portlet
Chris
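An added example, not code from this thread or from Oracle, showing what the producer-side portlet looks like once the mapping Chris describes is in place: the portlet only asks the container whether the user holds the JEE role "director", and the weblogic.xml assignment (plus the enterprise group membership carried over as user categories) answers that question. The class name, the "director" role and the assumption that web.xml declares it as a security-role and portlet.xml references it via security-role-ref are mine.

```java
// Added example (not from the thread): a JSR-286 portlet on the producer side that
// gates its markup on the JEE role "director". Assumes "director" is declared as a
// <security-role> in web.xml, referenced via <security-role-ref> in portlet.xml,
// and mapped to enterprise roles in weblogic.xml as in Chris's snippet.
import java.io.IOException;
import java.io.PrintWriter;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;

public class DirectorReportPortlet extends GenericPortlet {

    // JEE role name as declared in web.xml; the enterprise-role mapping lives in weblogic.xml.
    private static final String DIRECTOR_ROLE = "director";

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // Unauthenticated users never reach the role check: deny by default.
        String user = request.getRemoteUser();
        if (user == null) {
            out.println("<p>Please log in to the portal.</p>");
            return;
        }

        // isUserInRole resolves role reference -> JEE role -> enterprise role mapping;
        // the portlet itself never queries LDAP or a roles table.
        if (request.isUserInRole(DIRECTOR_ROLE)) {
            out.println("<p>Welcome, " + escape(user) + ". Director report follows.</p>");
            renderReport(out);
        } else {
            // Fail closed: a user outside the mapped enterprise roles sees no report content.
            out.println("<p>You are not authorized to view this report.</p>");
        }
    }

    private void renderReport(PrintWriter out) {
        // Constructed sample content standing in for the real report.
        out.println("<table><tr><td>Q1 revenue</td><td>(sample)</td></tr></table>");
    }

    // Minimal HTML escaping so the user name cannot inject markup into the portlet output.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Because the decision is taken inside the producer from the role the consumer passed, the same role name must exist on both sides: a missing security-role-ref in portlet.xml makes isUserInRole return false for everyone, which fails closed rather than open.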