About Oracle WebCenter Interaction Portlet Security
Portlets can be used to manipulate secure content. Oracle
WebCenter Interaction provides a variety of ways to control access
to specific functionality.
Portal Roles (settings rights) control whether or not
a user has the right to change settings in the portal database. Administrative
settings can only be changed by a portal administrator. Community
settings can only be changed by a community Owner. To check which
types of settings the current user has rights to change, use the Oracle
WebCenter Interaction Development Kit (IDK) methods IPortletUser.GetSettingsRights and IPortletUser.HasSettingsRight. For details
on portal roles, see the Administrator Guide for Oracle WebCenter
Interaction or the portal online help.
Activity Rights confer system-wide privileges in the
portal, such as the right to create new portal objects, including
portlets, communities and folders. While ACLs control access to a
specific object, activity rights confer a general, global privilege.
You can create new activity rights to correspond to user privileges.
Note: Activity rights apply to groups, and cannot be assigned
directly to users. If a group is given an activity right, every member
of the group inherits that activity right. Users' rights in the portal
are the sum of the activity rights of all of the groups to which they
belong.
To access the current user's activity rights,
configure the portal to send activity rights to the portlet on the
Advanced Settings page of the Web Service Editor, and use the Oracle
WebCenter Interaction Development Kit (IDK) methods IPortletUser.GetActivityRights and IPortletUser.HasActivityRight.
Access Control Lists (ACL) govern which users can see
each object in the portal and what they can do with it. An ACL is
different from activity rights because it applies to a specific object.
For details, see Access Control List (ACL) Privileges.
ACLs can
be used to control access to content or functionality in community
portlets. To determine the CommunityAccessLevel (in the Community
ACL) for the current user in the current community, configure the
portal to send the community ACL to the portlet on the Advanced Settings
page of the Web Service Editor, and use the Oracle WebCenter Interaction
Development Kit (IDK) method IPortletUser.GetCurrentCommunityAccessLevel. (This method can be used only if the portlet is on a community
page.)
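The two distinct checks described above (a group-derived activity right for a global privilege, and the community ACL access level for an object-scoped one) as an added example; this is a constructed stand-in model, not the IDK's own IPortletUser implementation, and the right names and access-level values are assumptions:

```python
# Constructed stand-in for the portal rights model on this page; it is NOT the
# Oracle WebCenter Interaction IDK. Real IDK calls (HasActivityRight,
# GetCurrentCommunityAccessLevel) are only named here, not reproduced.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical activity-right identifiers used by this example.
CREATE_PORTLETS = "create_portlets"
CREATE_COMMUNITIES = "create_communities"

# Constructed community access levels, weakest to strongest.
ACCESS_LEVELS = {"none": 0, "read": 1, "edit": 2, "owner": 3}


@dataclass
class PortletUser:
    name: str
    groups: Dict[str, Set[str]]                 # group -> activity rights of that group
    community_acl: Dict[str, str] = field(default_factory=dict)  # community -> level
    current_community: Optional[str] = None     # None when not on a community page

    def get_activity_rights(self) -> Set[str]:
        # Activity rights belong to groups only; a user's rights are the
        # union of the rights of every group the user belongs to.
        rights: Set[str] = set()
        for group_rights in self.groups.values():
            rights |= group_rights
        return rights

    def has_activity_right(self, right: str) -> bool:
        return right in self.get_activity_rights()

    def get_current_community_access_level(self) -> Optional[str]:
        # Only meaningful when the portlet is on a community page.
        if self.current_community is None:
            return None
        return self.community_acl.get(self.current_community, "none")


def allowed_actions(user: PortletUser) -> List[str]:
    """Decide which controls the portlet may render, keeping the two checks separate."""
    actions: List[str] = []
    # Global privilege: an activity right, independent of any object.
    if user.has_activity_right(CREATE_PORTLETS):
        actions.append("create portlet")
    # Object-scoped privilege: the community ACL, only on a community page.
    level = user.get_current_community_access_level()
    if level is not None and ACCESS_LEVELS[level] >= ACCESS_LEVELS["edit"]:
        actions.append("edit community content")
    return actions
```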
Encrypted credentials should be used for all authentication
credentials used by a portlet. The Oracle WebCenter Interaction Development
Kit (IDK) provides encryption methods for use in portlets. For details,
see Using Oracle WebCenter Interaction Development Kit (IDK) Encryption. Portlets can use four types of encryption:
- Advanced Encryption Standard (AES) is private key encryption
using 128-bit keys.
- RC2 is private key encryption using 64-bit keys.
- Base64 converts binary data into ASCII text and vice versa.
Base64 does not require a key for decryption. Base64 is used by the
credential vault if no RSA key is provided.
- RSA is a public key/private key encryption type. The credential
vault provides a central repository that securely stores and manages
all credentials. Portlets that need credentials to access back-end
applications can securely retrieve the appropriate user credentials
from a central location. To use RSA encryption with IDK methods, you
must use the credential vault. For details, see Using the Oracle WebCenter Interaction Credential Vault.
All portlets should obey SSL rules because Oracle WebCenter
Interaction can be configured to run under SSL. When you are testing
against SSL (https://), make sure all images come through and do not
pop up an "Unsecure items" dialog. Any portlet that uses a password
that is not encrypted should follow the rules below:
- Do not store any passwords in the database in clear text.
- Do not expose passwords on every request. Only send the password
when it is required (usually in the finalize method).
Related topics:
- Using the Oracle WebCenter Interaction Credential Vault: The Oracle WebCenter Interaction credential vault provides a central repository that securely stores and manages all credentials. Portlets that need login information to access a back-end application can securely retrieve the appropriate user credentials from a central location. Users enter their credentials once in their account settings and have seamless access to every application they interact with throughout the portal session.
- Using Oracle WebCenter Interaction Development Kit (IDK) Encryption: The Oracle WebCenter Interaction Development Kit (IDK) provides standard methods for encrypting and decrypting credentials stored in the portal database.