About ALI Portlet Security
Portlets can be used to manipulate secure content. AquaLogic
Interaction provides a variety of ways to control access to specific
functionality.
Portal Roles (settings rights) control whether or not
a user has the right to change settings in the portal database. Administrative
settings can only be changed by a portal administrator. Community
settings can only be changed by a community Owner. To check which
types of settings the current user has rights to change,
use the IDK methods IPortletUser.GetSettingsRights and IPortletUser.HasSettingsRight. For details
on portal roles, see the Administrator Guide for AquaLogic Interaction or the portal online help.
Activity Rights confer system-wide privileges in the
portal, such as the right to create new portal objects, including
portlets, communities and folders. While ACLs control access to a
specific object, activity rights confer a general, global privilege.
You can create new activity rights to correspond to user privileges.
Note: Activity rights apply to groups, and cannot be assigned
directly to users. If a group is given an activity right, every member
of the group inherits that activity right. Users' rights in the portal
are the sum of the activity rights of all of the groups to which they
belong.
To access the current user's activity rights,
configure the portal to send activity rights to the portlet on the
Advanced Settings page of the Web Service Editor, and use the IDK
methods IPortletUser.GetActivityRights and IPortletUser.HasActivityRight.
Access Control Lists (ACL) govern which users can see
each object in the portal and what they can do with it. An ACL is
different from activity rights because it applies to a specific object.
For details, see Access Control List (ACL) Privileges.
ACLs can
be used to control access to content or functionality in community
portlets. To determine the CommunityAccessLevel (in the Community
ACL) for the current user in the current community, configure the
portal to send the community ACL to the portlet on the Advanced Settings
page of the Web Service Editor, and use the IDK method IPortletUser.GetCurrentCommunityAccessLevel. (This method can be used only if the portlet is on a community
page.)
Encrypted credentials should be used for all authentication
credentials used by a portlet. The IDK provides encryption methods
for use in portlets. For details, see
Using IDK Encryption. Portlets can use four types of encryption:
- Advanced Encryption Standard (AES) is private key encryption
using 128-bit keys.
- RC2 is private key encryption using 64-bit keys.
- Base64 converts binary data into ASCII text and vice versa.
Base64 does not require a key for decryption. Base64 is used by the
credential vault if no RSA key is provided.
- RSA is a public key/private key encryption type. In ALI
6.0 and above, the credential vault provides a central repository
that securely stores and manages all credentials. Portlets that need
credentials to access back-end applications can securely retrieve
the appropriate user credentials from a central location. To use RSA
encryption with IDK methods, you must use the credential vault. For
details, see Using the ALI Credential Vault.
All portlets should obey
SSL rules because ALI can be
configured to run under SSL. When you are testing against SSL (https://),
make sure all images come through and do not pop up an "Unsecure items"
dialog. Any portlet that uses a password that is not encrypted should
follow the rules below:
- Do not store any passwords in the database in clear text.
- Do not expose passwords on every request. Only send the password
when it is required (usually in the finalize method).
- Using the ALI Credential VaultThe credential vault (ALI 6.0 and above) provides a central repository that securely stores and manages all credentials. Portlets that need login information to access a back-end application can securely retrieve the appropriate user credentials from a central location. Users enter their credentials once in their account settings and have seamless access to every application they interact with throughout the portal session.
- Using IDK EncryptionThe IDK provides standard methods for encrypting and decrypting credentials stored in the ALI database.