Portlets can be used to manipulate secure content. Oracle WebCenter Interaction provides a variety of ways to control access to specific functionality.

• Portal Roles (settings rights) control whether or not a user has the right to change settings in the portal database. Administrative settings can only be changed by a portal administrator. Community settings can only be changed by a community Owner. To check which types of settings the current user has rights to change, use the Oracle WebCenter Interaction Development Kit (IDK) methods IPortletUser.GetSettingsRights and IPortletUser.HasSettingsRight. For details on portal roles, see the Administrator Guide for Oracle WebCenter Interaction or the portal online help.

• Activity Rights confer system-wide privileges in the portal, such as the right to create new portal objects, including portlets, communities and folders. While ACLs control access to a specific object, activity rights confer a general, global privilege. You can create new activity rights to correspond to user privileges.

  Note: Activity rights apply to groups, and cannot be assigned directly to users. If a group is given an activity right, every member of the group inherits that activity right. Users' rights in the portal are the sum of the activity rights of all of the groups to which they belong.

  To access the current user's activity rights, configure the portal to send activity rights to the portlet on the Advanced Settings page of the Web Service Editor, and use the Oracle WebCenter Interaction Development Kit (IDK) methods IPortletUser.GetActivityRights and IPortletUser.HasActivityRight.

• Access Control Lists (ACL) govern which users can see each object in the portal and what they can do with it. An ACL is different from activity rights because it applies to a specific object. For details, see Access Control List (ACL) Privileges.

  ACLs can be used to control access to content or functionality in community portlets. To determine the CommunityAccessLevel (in the Community ACL) for the current user in the current community, configure the portal to send the community ACL to the portlet on the Advanced Settings page of the Web Service Editor, and use the Oracle WebCenter Interaction Development Kit (IDK) method IPortletUser.GetCurrentCommunityAccessLevel. (This method can be used only if the portlet is on a community page.)

• Encrypted credentials should be used for all authentication credentials used by a portlet. The Oracle WebCenter Interaction Development Kit (IDK) provides encryption methods for use in portlets. For details, see Using Oracle WebCenter Interaction Development Kit (IDK) Encryption. Portlets can use four types of encryption:
  

  • Advanced Encryption Standard (AES) is private key encryption using 128-bit keys.
  • RC2 is private key encryption using 64-bit keys.
  • Base64 converts binary data into ASCII text and vice versa. Base64 does not require a key for decryption. Base64 is used by the credential vault if no RSA key is provided.
  • RSA is a public key/private key encryption type. The credential vault provides a central repository that securely stores and manages all credentials. Portlets that need credentials to access back-end applications can securely retrieve the appropriate user credentials from a central location. To use RSA encryption with IDK methods, you must use the credential vault. For details, see Using the Oracle WebCenter Interaction Credential Vault.
• All portlets should obey SSL rules because Oracle WebCenter Interaction can be configured to run under SSL. When you are testing against SSL (https://), make sure all images come through and do not pop up an "Unsecure items" dialog. Any portlet that uses a password that is not encrypted should follow the rules below:
  

  • Do not store any passwords in the database in clear text.
  • Do not expose passwords on every request. Only send the password when it is required (usually in the finalize method).