You can control visitor access to portal resources using visitor entitlements in the WebLogic Portal Administration Console. However, you must also use deployment descriptors to secure the JSPs and page flows contained in a portlet; otherwise a malicious user can access those resources directly if they know the correct URL.
You must use J2EE security to prevent direct access to JSPs and page flows; otherwise, a user can access those resources directly by entering the correct URL.
Note: Descriptor security is only intended to prevent direct access to the JSP or page flow using a URL; it is not used when a portal renders a portlet.
Scoped roles are defined in their respective deployment descriptors:
- Enterprise application scope: application.xml and weblogic-application.xml
- Web application scope: web.xml and weblogic.xml
- EJB scope: ejb-jar.xml and weblogic-ejb-jar.xml
For example, a user could request a portlet JSP directly with a URL such as:
http://emp_app/employmentPortal/portlets/hr/vpSalaries.jsp
To prevent direct access to portlets, add a security entry in your portal web project's /WEB-INF/web.xml file. Listing 4-1 shows an example web.xml file.
<!-- Use declarative security to block direct access to portlets -->
<security-constraint>
    <display-name>Default Portlet Security Constraints</display-name>
    <web-resource-collection>
        <web-resource-name>Portlet Directory</web-resource-name>
        <url-pattern>/portlets/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This security entry in the web.xml file protects all files in the portal web project's /portlets directory and its subdirectories from being directly accessed using a request URL.
WARNING: A <url-pattern> of /portlets/*.jsp is not legal syntax and does not protect subdirectories.
These protected resources are still displayed in entitled portlets, but only for users entitled to access those portlets. Resources such as images, which do not require security restrictions, must be stored in unsecured directories outside the /portlets directory.
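The constraint above and the warning about /portlets/*.jsp both come down to how a servlet container matches a <url-pattern> against a request path. The following Python script is an added example, not part of the WebLogic Portal documentation: it parses a constructed web.xml fragment (the chapter's /portlets/* constraint next to the illegal /portlets/*.jsp form), classifies each url-pattern by the four forms the servlet specification allows (exact, path prefix ending in /*, extension *.ext, and the default /), reports which request paths and HTTP methods an auth-constraint actually covers, and lints the descriptor for patterns that protect nothing. The constraint names and the sample paths are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for this example (not from the WebLogic docs).
# The first constraint mirrors the chapter's listing; the second uses the
# /portlets/*.jsp form that the chapter warns is not legal syntax.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Default Portlet Security Constraints</display-name>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/portlets/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Bad Pattern</display-name>
    <web-resource-collection>
      <web-resource-name>Portlet JSPs</web-resource-name>
      <url-pattern>/portlets/*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def classify_pattern(pattern):
    """Classify a url-pattern by the four forms the servlet spec allows.

    Anything else (for example /portlets/*.jsp, which mixes the prefix and
    extension forms) is reported as 'illegal'.
    """
    if pattern in ("", "/"):
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    if pattern.startswith("/") and "*" not in pattern:
        return "exact"
    return "illegal"


def pattern_matches(pattern, path):
    """True if a request path is covered by a legal url-pattern."""
    kind = classify_pattern(pattern)
    if kind == "exact":
        return path == pattern
    if kind == "path-prefix":
        prefix = pattern[:-2]                 # "/portlets/*" -> "/portlets"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])     # "*.jsp" -> ".jsp"
    if kind == "default":
        return True
    return False                              # illegal patterns protect nothing


def load_constraints(web_xml_text):
    """Parse every <security-constraint> into a plain dict."""
    constraints = []
    for sc in ET.fromstring(web_xml_text).findall("security-constraint"):
        constraints.append({
            "name": (sc.findtext("display-name") or "<unnamed>").strip(),
            "patterns": [p.text.strip() for p in sc.iter("url-pattern")],
            "methods": [m.text.strip().upper() for m in sc.iter("http-method")],
            "has_auth": sc.find("auth-constraint") is not None,
            # An absent user-data-constraint is equivalent to NONE.
            "transport": (sc.findtext("user-data-constraint/transport-guarantee")
                          or "NONE").strip().upper(),
        })
    return constraints


def is_protected(constraints, path, method="GET"):
    """True if some auth-constraint applies to this path and HTTP method."""
    for c in constraints:
        if not c["has_auth"]:
            continue
        # An empty http-method list means the constraint covers every method.
        if c["methods"] and method.upper() not in c["methods"]:
            continue
        if any(pattern_matches(p, path) for p in c["patterns"]):
            return True
    return False


def lint(constraints):
    """Return findings about constraints that are ineffective or weak."""
    findings = []
    for c in constraints:
        for p in c["patterns"]:
            if classify_pattern(p) == "illegal":
                findings.append(f"{c['name']}: url-pattern {p!r} is not legal "
                                "servlet syntax and protects nothing")
        if c["methods"]:
            findings.append(f"{c['name']}: only {c['methods']} are constrained; "
                            "omit <http-method> to cover every method")
        if c["has_auth"] and c["transport"] == "NONE":
            findings.append(f"{c['name']}: transport-guarantee NONE allows the "
                            "login exchange over plain HTTP")
    return findings


if __name__ == "__main__":
    cs = load_constraints(SAMPLE_WEB_XML)
    for finding in lint(cs):
        print("finding:", finding)
    for p in ("/portlets/hr/vpSalaries.jsp", "/images/logo.gif"):
        print(p, "protected:", is_protected(cs, p))
```

Run against a real descriptor, the lint reports the chapter's two points directly: /portlets/* is a path-prefix pattern that covers the directory and every subdirectory, while /portlets/*.jsp is classified as illegal and matches nothing. The http-method finding is the caveat to keep in mind when copying Listing 4-1: listing GET and POST constrains only those two methods, so leaving <http-method> out is the simpler way to cover every request.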
Note: Certain URL or EJB resources can be secured using the WebLogic Server Administration Console. Before using this technique, you must copy security configurations from existing deployment descriptors during the initial deployment of URL or EJB resources, or reinitialize the security configuration for URL or EJB resources to their original state. For more information, see Import Security Data from Deployment Descriptors.