WebLogic Server v8.1 Installation

Integrating WebLogic Enterprise Security with WebLogic Portal

This section covers the following topics:

Introduction

Integrating WebLogic Enterprise Security with WebLogic Portal server and portal application results in an enhanced set of security services for use in protecting WebLogic Portal (see Figure 5-1). WebLogic Enterprise Security participates in the authoring and management of policy for WebLogic Portal resources. Once WebLogic Enterprise Security is integrated with WebLogic Portal, you use WebLogic Enterprise Security Administration Application to manage resources related to portal desktops, books, pages, and portlets.

Therefore, the intent is that you use WebLogic Enterprise Security for authorization of the resources associated with a portal application as well as standard WebLogic Server J2EE resources. The benefit of using WebLogic Enterprise Security to manage visitor entitlements is that it offers fine-grained, dynamic role-based authorization. Additionally, WebLogic Enterprise Security allows you to have common security policies for a heterogeneous environment. For example, you may have a single security infrastructure that supports WebLogic Portal, WebLogic Server, and custom applications.

The WebLogic Enterprise Security security service does not replace all of the management functionality provided by the Portal Administration Tools. For example, as shown in Figure 5-1, WebLogic Enterprise Security is not used to manage administrative users and resources associated with Portal Delegated Administration and Portal Content Management; use the Portal Administration Tools for those management tasks.

Figure 5-1 Portal Integration Overview

Portal Integration Overview

WebLogic Enterprise Security enables you to write, deploy, and manage fine-grained policy for the authorization of WebLogic Portal application resources. You can use WebLogic Enterprise Security to protect portal desktops, books, pages, portlets, and application look and feels.

For more information, see the following topics:

Integration Features

WebLogic Enterprise Security can be used with either WebLogic Server 8.1 Service Pack 3 or Service Pack 4. While several different security providers can be used with WebLogic Portal, the following security providers include enhanced WebLogic portal support:

The ASI Authorization provider—Enables you to use WebLogic Enterprise Security to write, deploy, and manage fine-grained authorization of WebLogic Portal application resources related to desktops, books, pages, portlets, and application look and feels.
The Database Authentication provider—Enables user and group controls. This provider is integrated into the Portal Administration Tools environment so as to handle user and group queries.

Note: Use of the Database Authentication provider with WebLogic Portal is not mandatory. You may use other authentication providers as well.

ASI Role Mapper—Enables dynamic mapping of principals (users and groups) to security roles at runtime. Role Mapping determines which security roles to apply to the principals stored in a subject when the subject is attempting to perform an operation on a portal application resource. Because this operation usually involves gaining access to the portal application resource, the ASI Role Mapper is used in conjunction with the ASI Authorization provider.

Supported Use-case Scenario

The following use-case scenario is supported when you integrate WebLogic Enterprise Security with WebLogic Portal:

The WebLogic Enterprise Security Administration Application assumes responsibility for management and policy of resources related to Portal visitor entitlements.
The WebLogic Enterprise Security Administration Application is responsible for management of J2EE application resources associated with Portal applications and portal administration tools.
The Portal Administration Tools continue to be responsible for the rest of Portal Management and Administration, including the creation and management of portal administrative users and groups.

Note: To implement this use case scenario, you must define the security configuration as specified in Creating the Portal Application Security Configuration.

Constraints and Limitations

When integrated with WebLogic Enterprise Security, WebLogic Portal has the following constraints and limitations:

Portal application administrators will not use the WebLogic Portal Administration Tools to create and manage visitor entitlements.

Use of WebLogic Enterprise Security with a Portal application implies that an administrator will not use the Portal Administration Tools to create "Visitor Entitlements" on portal desktops, books, pages, and portlets. Managing visitor entitlements from the Portal Administration Tools is not a supported use case.

Users will not use application deployment descriptors to deploy policy.

Use of Deployment descriptors to deploy policy is not supported in WebLogic Enterprise Security.

Migration of existing portal application policy is not supported.

WebLogic Enterprise Security does not to support the migration of visitor entitlements policy for existing portal applications. There are no facilities for migrating any information from the WebLogic Server embedded LDAP store.

WebLogic Enterprise Security does not replace or in any way interfere with the use of the Portal Administration Tools for the management of resource structures associated with Portal Delegated Administration and Portal Content Management.

You cannot use WebLogic Enterprise Security to manage the resources associated with Portal Delegated Administration and Portal Content Management. WebLogic Enterprise Security does not support Portal Unified User Profiles.

Integration Pre-Requisites

Before you begin, you must ensure that the following pre-requisites are satisfied:

The WebLogic Platform/Portal 8.1, with Service Pack 3 or Service Pack 4, must be installed on the local machine.
The WebLogic Enterprise Security WebLogic Server v8.1 Security Service Module, Version 4.2, Service Pack 2 must be installed on the local machine.
You must have access to an Administration Console that is running on the WebLogic Enterprise Security Administration Application, Version 4.2, Service Pack 2 on either the local machine or a remote machine.
You have created a WebLogic Portal domain on the local machine and installed a portal application in that domain.

Integrating with WebLogic Portal

This section describes how to integrate WebLogic Enterprise Security with WebLogic Portal. Once integrated, you can use the WebLogic Enterprise Security Administration Console to write and deploy security policy to protect WebLogic Portal application resources.

Note: While the instructions provided is this section use a WebLogic Portal server and the sample portal application that ships with the WebLogic Platform 8.1 software distribution, you can use this procedure to integrate WebLogic Enterprise Security with your WebLogic Portal server and portal application.

To integrate WebLogic Enterprise Security with WebLogic Portal, perform the following tasks:

Creating the Portal Application Security Configuration

This section describes how to create a new security configuration named myrealm. A security configuration defines the set of security providers to use for adjudication, authentication, auditing, authorization, role mapping, and credential mapping services. The security configuration named myrealm matches the default security configuration for the WebLogic Portal sample portal application.

Note: To implement the use-case scenario described in Supported Use-case Scenario, you are required to defined the security configuration as described in this section. This security configuration is a requirement; it is not optional.

Refer to Table 5-1 and use the WebLogic Enterprise Security Administration Application to configure the security providers listed there. Set the Configuration ID to myrealm. For instructions on creating a security configuration, see Configuring a Security Service Module in the Administration Application Guide and the Console Help.

Table 5-1 Portal Security Configuration

Security Provider	Configuration Settings
ASI Adjudication Provider	Uncheck the Require Unanimous Permit check box, and click Create.
Log4j Auditor	Accept the default settings, and click Create.
Database Authentication Provider	Set the Control Flag to `SUFFICIENT,` and click Create. For the Details tab settings, except for the Identity Scope, the parameters are populated automatically. Set the Identity Scope to `myusers`, and click Apply. Note: Even though you set the Identity Scope to `myusers`, you do not actually create the `myusers` identity until you perform the steps in Creating the Realm Resource.
WebLogic Authentication Provider	Set the Control Flag to `SUFFICIENT`, and click Create. Note: Make sure the authentication providers are configured in the following order: 1) Database Authenticator and 2) WebLogic Authenticator. Note: The WebLogic Authentication provider can be replaced with another authentication provider that supports write access to users and groups.
ASI Authorization Provider	On the General tab, accept the default settings, and click Create. On the Details tab, set the Identity Scope to `myusers`, and click Apply.
WebLogic Authorization Provider	Uncheck the Policy Deployment Enabled check box, and click Create.
WebLogic Credential Mapper Provider	Uncheck the Credential Mapping Deployment Enabled check box, and click Create.
ASI Role Mapping Provider	On the General tab, accept the default settings, and click Create. On the Details tab, set the Identity Scope to `myusers`, and click Apply.
WebLogic Role Mapper Provider	Uncheck the Role Deployment Enabled check box, and click Create.

Binding the Security Configuration

The security configuration must be bound to a Service Control Manager.

To bind the myrealm security configuration, see Binding a Security Service Module to a Service Control Manager in the Administration Application Guide and the Console Help

Distributing the Security Configuration

The myrealm security configuration must be distributed.

To distribute the myrealm security configuration, see Distributing Configuration in the Administration Application Guide and the Console Help.

Creating an Instance of the Security Service Module

Before starting a WebLogic Server Security Service Module, you must first create an instance of the WebLogic Server 8.1 Security Service Module using the Create New Instance Wizard.

To create an instance of a WebLogic Server 8.1 Security Service Module, see Creating an Instance of the WebLogic 8.1 Security Service Module.

Enrolling the Instance of the Security Service Module

You must have the Administration Server running prior to enrolling the Security Service Module.

Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment.

To enroll a security service module, see Enrolling the Instance of the Security Service Module.

Modifying the Portal Server startWeblogic File

Before you can start a WebLogic Portal server that uses BEA WebLogic Enterprise Security, you must modify the startWeblogic file that is located in the WebLogic Portal domain that you are using for you WebLogic Portal server. These modifications are needed so that portal connects the WebLogic Portal domain to the distributed myrealm security configuration on startup.

The startWeblogic file for the WebLogic Portal domain named portalDomain is located at: BEA_HOME\user_projects\domains\portalDomain

To edit the startWeblogic file, perform the steps:

Note: This procedure assumes a Windows installation of WebLogic Portal in the directory c:\bea with an WebLogic Server 8.1 Security Service Module instance named portalInstance.

Before you modify the script, make sure to make a backup copy. For example, for Microsoft Windows, copy startWeblogic.cmd to startWeblogic.cmd.original.

Add a line to call the environment batch file set-wls-env.bat. For example, add it below the line: set SAVE_JAVA_OPTIONS=

call "c:\bea\wles42-ssm\wls-ssm\instance\portalInstance\bin\set-wls-env.bat"

Add the WebLogic Enterprise Security classpath variables to the classpath. For example, add the following text before the line: echo CLASSPATH=%CLASSPATH%

set CLASSPATH=%WLES_PRE_CLASSPATH%;%CLASSPATH%;%WLES_POST_CLASSPATH%

Add %WLES_JAVA_OPTIONS% to the server start command after %JAVA_OPTIONS%. Listing 5-1 shows, in bold text, where to make this change.

Listing 5-1 Adding WLES_JAVA_OPTIONS to the startWebLogic File

if "%WLS_REDIRECT_LOG%"=="" (
      echo Starting WLS with line:
      echo %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy  %PROXY_SETTINGS% %SERVER_CLASS%
      %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
) else (
      echo Redirecting output from WLS window to %WLS_REDIRECT_LOG%
      %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%  > "%WLS_REDIRECT_LOG%" 2>&1 
)

Creating the security.properties File

Create a text file named security.properties and place it in the portal domain directory. You use this file to define the WebLogic Enterprise Security realm and the default realm. Listing 5-2 shows the content of this file for the realm myrealm.

Listing 5-2 security.properties File

# WebLogic Enterprise Security Configuration File
#
# This file contains WebLogic Enterprise Security configuration 
# properties. By default, the WebLogic Enterprise Security runtime 
# looks for a property file called 'security.properties' in the 
# working directory.
wles.realm=myrealm
wles.default.realm=myrealm

Replacing the Portal p13n_ejb.jar File

To integrate WebLogic Enterprise Security with WebLogic Portal, you must replace the p13n_ejb.jar file in the top-level portal application directory with the version of that file that is provided in the WebLogic Enterprise Security software distribution. The WebLogic Enterprise Security version of p13n_ejb.jar is located in BEA_HOME/wles42-ssm/wls-ssm/lib directory.

Note: BEA WebLogic Enterprise Security 4.2 SP2 includes two versions of p13n_ejb.jar, the WebLogic Server 8.1 SP3 version: p13n_ejb_81SP3.jar, and the SP4 version: p13n_ejb_81SP4.jar. Be sure to use the correct version.

Note: Because these instructions assume that you are using the sample portal application that ships with WebLogic Portal, this procedure instructs you to replace the p13n_ejb.jar in the sample portal application. To use a different portal application, replace p13n_ejb.jar in that application as well.

To replace p13n_ejb.jar, perform the following steps:

Rename the portal version of the p13n_ejb.jar. For example, rename it to p13n_ejb.jar.original. The portal application version of this file is located in BEA_HOME/weblogic81/samples/portal/portalApp.

Depending on which version of the WebLogic Server 8.1 you are using (SP3 or SP4), copy either p13n_ejb_81SP3.jar or p13n_ejb_81SP4.jar from BEA_HOME/wles42-ssm/wls-ssm/lib/ to BEA_HOME/weblogic81/samples/portal/portalApp and rename it to p13n_ejb.jar.

Replacing the Portal p13n_system.jar File

To integrate WebLogic Enterprise Security with WebLogic Portal, you must replace the p13n_system.jar file in the BEA_HOME/weblogic81/p13n/lib directory with the version of that file that is provided in the WebLogic Enterprise Security software distribution. The WebLogic Enterprise Security version of this file is located in BEA_HOME/wles42-ssm/wls-ssm/lib directory.

Note: BEA WebLogic Enterprise Security 4.2 SP2 includes two versions of p13n_system.jar, the WebLogic Server 8.1 SP3 version: p13n_system_81SP3.jar, and the SP4 version: p13n_system_81SP4.jar. Be sure to use the correct version.

Note: Once you replace p13n_system.jar in the /lib directory of the WebLogic Platform installation, all portal domains configured for that installation must be WebLogic Enterprise Security enabled.

To replace p13n_system.jar, perform the following steps:

Rename the portal version of the p13n_system.jar. For example, rename it to p13n_system.jar.original. The portal version of this file is located in BEA_HOME/weblogic81/p13n/lib.

Depending on which version of the WebLogic Server 8.1 you are using (SP3 or SP4), copy either p13n_system_81SP3.jar or p13n_system_81SP4.jar from BEA_HOME/wles42-ssm/wls-ssm/lib/ to BEA_HOME/weblogic81/p13n/lib and rename it to p13n_system.jar.

Replacing the DefaultAuthorizerInit.ldift File

WebLogic Server 8.1 uses the DefaultAuthorizerInit.ldift file to establish access controls for J2EE resources. By default, WebLogic Server allows access to all J2EE resources to users in the Everyone role. To protect these resources, WebLogic Server provides the Administration Console and other tools to define security policies.

When using WebLogic Enterprise Security, there is a need to supersede the WebLogic Server J2EE access controls. The DefaultAuthorizerInit.ldift file, provided in the WebLogic Enterprise Security 4.2 SP2 for the WebLogic Server 8.1 Security Service Module, is used for this purpose.

To enable the WebLogic Enterprise Security DefaultAuthorizerInit.ldift file to supersede WebLogic Server access controls for J2EE resources in the sample portal application, perform the following steps:

Copy DefaultAuthorizer.ldift from BEA_HOME/wls42-ssm/wls-ssm/domain to BEA_HOME/user_projects/domains/mydomain.

If the /ldap directory exists at the following location, delete it: BEA_HOME/user_projects/domains/portalDomain/portalServer

Note: Because these instructions assume that you are using the sample portal domain that ships with WebLogic Portal, this procedure instructs you to delete the ldap directory in the portalDomain/portalServer directory. Repeat the above steps for all WebLogic Enterprise Security enabled portal domains.

Configuring Policy for the Portal Application

Developing a policy typically begins by determining which resources you need to protect. You then create the resources, roles and rules to define which privileges apply to each resource, and under what specific conditions. Next, you create policy rules that control which users and groups belong in these roles, and under what conditions. Later on in this section you are instructed to deploy this policy to the WebLogic Server 8.1 Security Service Module that you use to control access to your portal application resources.

WebLogic Enterprise Security provides two means for configuring portal application policy, the Administration Console and the Policy Import Tool. In this section you are directed to use the Administration Console to configure policy.

For more information on how to use the Administration Console to configure policy, see "Overview" in the Policy Managers Guide and "Policies" in the Console Help.

For instructions on how to use the Policy Import Tool to import policy files, see the Creating Policy Files section in the Policy Managers Guide.

This section covers the following topics:

Creating the Identity Directory and Users

This section describes how to use the Administration Console to create an identity directory, groups, and users for a portal application.

Note: This procedure uses myusers as the name of the Identity directory; however, you can use a different name.

To create the Identity directory and users:

In the left pane, click Identity. The Identity page displays the name of each directory available.

Click New. The Create Directory dialog box appears.

In the Name text box, type myusers and click OK. The myusers directory appears in the list of Identity directories.

Open the Identity folder, and click Identity.

The Identity page displays the name of each directory available.

From the Identity page, select myusers.

In the left pane, click Users. The Users page displays.

Click New. The Create User dialog box appears.

Create visitor users for your portal application.

Configuring Resources and Privilege

This section describes how to use the Administration Console to define the portal application resources that you will protect using WebLogic Enterprise Security.

To configure resources, perform the following tasks:

Creating the Realm Resource

Note: myrealm is used is this procedure as the realm name because the WebLogic Portal sample portal application exists in the myrealm realm. You can choose any realm name for your portal application.

To create a realm resources, perform the following steps:

Open the Resources folder, and click Resources. The Resource page displays.

Select Policy and click New. The Create Resource dialog box appears.

In the Name text box, enter myrealm, select Binding from the Type drop-down list box, and click Ok. The myrealm resource appears under the Policy node.

Select the myrealm resource and click Configure. The Configure Resource dialog box appears.

From the Type drop-down list box, select Binding Application, check the Distribution Point and Allow Virtual Resources check boxes, and click Ok.

Refer to Table 5-2 and modify the configuration of the ASI Authorization provider as described there.

Table 5-2 Portal Security Configuration Modifications

Security Provider	Configuration Settings
ASI Authorization Provider	On the Details tab, set the Application Deployment Parent to `//app/policy/myrealm` and click Apply. On the Bindings tab, from the Bind drop-down menu, select `//app/policy/myrealm`, and click Bind.

Creating the Shared Resources

Figure 5-2 shows the shared resources that you must create.

Figure 5-2 shared Resources

shared Resources

To create the shared resources, perform the following steps:

Select the myrealm resource and click New. The Create Resource dialog box appears.

In the Name text box, enter shared, and click Ok. The shared resource appears under myrealm.

Select the shared resource and click Configure. The Configure Resource dialog box appears.

Check the Allow Virtual Resources and click Ok.

Click the shared resource and click New. The Create Resource dialog box appears.

In the Name text box, enter adm and click Ok. The adm resource appears under the shared resource.

To configure the jdbc, jndi, and svr resources as shown in Figure 5-2, repeat steps 5 and 6 for each resource.

Creating the Console Resources

Figure 5-3 shows the console resources that you must create.

Figure 5-3 console Resources

console Resources

To create the console resources, perform the following steps:

Select the myrealm resource and click New. The Create Resource dialog box appears.

In the Name text box, enter console, and click Ok. The console resource appears under myrealm.

To create the url, console, login, and bea_logo.gif resources as shown in Figure 5-3, repeat steps 1 and 2 for each resource.

Select the console resource directly under myrealm and click Configure. The Configure Resource dialog box appears.

Check the Allow Virtual Resources and click Ok.

Creating the PortalApp Resources

Note: This procedure uses portalApp as the name of the portal application resource because it is the name of the WebLogic Portal sample portal application. However, you should use the name of your portal application when creating the portal application resource.

Figure 5-4 shows the portalApp resources that you must create.

Figure 5-4 PortalApp Resources

PortalApp Resources

To create the portalApp resources, perform the following steps:

Select the myrealm resource and click New. The Create Resource dialog box appears.

In the Name text box, enter portalApp, and click Ok. The portalApp resource appears under myrealm.

Select the portalApp resource and click New. The Create Resource dialog box appears.

In the Name text box, enter ejb and click Ok. The ejb resource appears under the portalApp resource.

Select the ejb resource and click Configure. The Configure Resource dialog box appears.

Check the Allow Virtual Resources and click Ok.

To configure the url resource, repeat steps 5 and 6.

Select the portalApp resource and click New. The Create Resource dialog box appears.

In the Name text box, enter wlp and click Ok. The wlp resource appears under the portalApp resource. Do not configure the wlp resource to allow virtual resources.

Select the url resource and click New. The Create Resource dialog box appears.

In the Name text box, enter portalappadmin and click Ok. The portalappadmin resource appears under the url.

Repeat steps 10 and 11 to create the remaining resources shown under the portalApp resource in Figure 5-4. Do not configure any of the remaining resources to allow virtual resources.

Configuring Resource Privileges

This section describes how to use the Administration Console to define portal application privileges.

To create privileges, perform the following steps:

Open the Resources folder, and click Privileges. The existing privileges appear in the right pane.

Click New. The Create Privilege dialog box appears.

In the Privilege Name text box, enter lookup and click Ok. The lookup privilege appears in the list of privileges.

Click New. The Create Privilege dialog box appears.

In the Privilege Name text box, enter reserve and click Ok. The reserve privilege appears in the list of privileges.

Click OK.

Creating Roles and Role Policy

This section describes how to use the Administration Console to create roles that will be used to control access to portal application resources.

Table 5-3 lists and describes the role policy that you have to create for the WebLogic Portal domain.

Table 5-3 Roles and Role Policy

Policy	Description
`grant(//role/Everyone, //app/policy/myrealm, //sgrp/myusers/allusers/) if true;`	Creates the role policy necessary for the Everyone role to be used in the `myrealm` Identity directory. Note: If you do not create the `Everyone` role policy correctly, none of the policy rules defined in Table 5-4 that use the `Everyone` role will work properly.

Policy

Description

grant(//role/Everyone, //app/policy/myrealm, //sgrp/myusers/allusers/) if true;

Creates the role policy necessary for the Everyone role to be used in the myrealm Identity directory.

Note: If you do not create the Everyone role policy correctly, none of the policy rules defined in Table 5-4 that use the Everyone role will work properly.

To create roles and role policies, refer to Table 5-3 and perform the following steps:

Caution: If you do not create the Everyone role policy correctly, none of the policy rules defined in Table 5-4 that use the Everyone role will work properly.

Open the Roles folder, and click Roles. The Roles page displays.

Click New. The Create Role dialog box appears.

In the Role Name text box, enter Everyone, and click Ok. The role appears in the list of roles.

Select the Everyone role and click Assign. The Role Policy page appears.

Click New. The Create Role Policy dialog box appears.

Select the Roles tab and add the Everyone role to the Selected Roles column.

Select the Resources tab and add myrealm to the Selected Resources column.

Select the Identities tab, add the allusers user to the Selected Identities column, and click Ok. The role appears in the Role policy page.

Creating Policy Rules

This section describes how to use the Administration Console to create policy rules to protect portal application resources.

Table 5-4 lists and describes the policy rules that you have to create for the WebLogic Portal domain to protect the sample portal application resources.

Table 5-4 Policy Rules

Policy	Description
`grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;` `grant(any, //app/policy/myrealm/shared/adm, //role/Admin) if true;`	Administrative roles for booting the WebLogic Portal server and performing administrative tasks.
`grant(any, //app/policy/myrealm/portalApp/url/ sampleportal, //role/Everyone) if true;` `grant(any, //app/policy/myrealm/portalApp/url/tutorial, //role/Everyone) if true;` `grant(any, //app/policy/myrealm/portalApp/url/welcome.jsp, //role/Everyone) if true;`	Grants those in the role Everyone (includes the anonymous user) access to all of the tutorial and sample portal url resources. This policy creates Portal open by default orientation for these two sample portals.
`grant(GET, //app/policy/myrealm/portalApp/url/ portalappadmin/framework, //role/Everyone) if true;`	Allows unauthenticated users to access images used on the Administration Portal login page.
`grant(any, //app/policy/myrealm/portalApp/url/ portalappadmin, //role/ PortalSystemAdministrator) if true;`	Only those in the role PortalSystemAdministrator have access to the WebLogic Portal Administration url Portal resources
`grant(lookup, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;`	Grants permission for those is the Everyone role to lookup JNDI resources.
`grant(reserve, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;`	Grants permission for those is the Everyone role to reserve JDBC resources.
`grant(any, //app/policy/myrealm/console, //role/Admin) if true;`	Grants permission for those in the Admin role to access the url resources of the WebLogic Server console.
`grant(GET, //app/policy/myrealm/console/url/console/login/bea_logo.gif, //role/Everyone) if true;`	Grants permission for those in the Everyone role to get access to the bea logo gif image resource in the WebLogic Server console
`grant(any, //app/policy/myrealm/portalApp/ejb, //role/Everyone)`	Initially allows access to all EJB methods.

Perform the following steps create the policy rules listed in Table 5-4.

Open the Policy folder, and click Policy. The Policy page displays.

Click New. The Create Rule dialog box appears.

Select the Grant radio button.

To add one or more privileges to a rule:

Click the Privileges tab, select the any privilege from the Select Privileges from Group list box and add it to the Selected Privileges box.

Click the Resources tab, select the svr resource from the Child Resource box and add it to the Selected Resources box.

Note: If Table 5-4 lists multiple resources for a single privilege and role, you may add all of the resources at once.

Click the Policy Subjects, select the Admin role from the Roles List box, add it to the Selected Policy Subjects box, and click Ok.

Repeat step 4 for each of the remaining policy rules listed in Table 5-4.

Policy for Visitor Entitlements to Portal Resources

Visitor entitlements is a mechanism used by WebLogic Portal for determining who may access the resources in a portal application and what they may do with those resources. WebLogic Enterprise Security provides a means of defining robust role-based policy for portal resources. The resources that can be entitled within a portal application include:

desktops
books
pages
portlets
look and feels

Table 5-5 shows the capabilities of each of these resources:

Table 5-5 Capabilities According to Resource Type

Resource Type	View	Minimize	Maximize	Edit	Remove
Desktop	x
Book	x	x	x
Page	x
Portlet	x	x	x	x	x
Look & Feel	x

The capabilities listed in Table 5-5 are defined as follows:

View—Determines whether or not the user can see the resource.
Minimize/Maximize—Determines whether or not the user is able to minimize or maximize the portlet or book. This applies to books within a page, not to the primary book.
Edit—Determines whether or not the user can edit the resource properties.
Remove —Determines whether or not the user can remove the portlet from a page.

The following topics provide information on how to use WebLogic Enterprise Security to configure portal resources:

Configuring Policy for Desktops

A desktop is a view of the portal that the visitor accesses. There can be one or more desktops per portal, so the portal is effectively a container for the desktops. A Desktop is referenced as a resource in WebLogic Enterprise Security in the following manner:

//app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Desktop/samplePortal

where:

myrealm is the realm in which the portal application is installed

portalapp is the portal application directory

sampleportal is the name of the sample portal application

samplePortal is the label definition of the desktop.

If you define policy at the samplePortal level, you can control access at the samplePortal desktop level.

Table 5-6 shows a policy that would grant the view privilege to the samplePortal desktop for visitors in the SampleVisitor role.

Table 5-6 SamplePortal Policy

Role Type	Privilege	Resource	Policy Subject
Grant	view	`/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Desktop/samplePortal`	SampleVisitor role

Configuring Policy for Books

A book is a collection of pages. A book is referenced as a resource in WebLogic Enterprise Security in the following manner:

//app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Book/book_1

where book_1 is the label definition of the book.

If you define policy at the book_1 level, you can control access at the book_1 book level.

Table 5-7 shows a policy that would grant the view privilege to the book_1 book for visitors in the SampleVisitor role.

Table 5-7 Book_1 Policy

Role Type	Privilege	Resource	Policy Subject
Grant	view	`/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Book/book_1`	SampleVisitor role

Configuring Policy for Pages

A page is the primary holder of individual portal elements such as portlets. A page is referenced as a resource in WebLogic Enterprise Security in the following manner:

//app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Page/page_2

where page_2 is the label definition of the page.

If you define policy at the page_2 level, you can control access at the page_2 page level.

Table 5-8 shows a policy that would grant the view privilege to the page_2 page for visitors in the SampleVisitor role.

Table 5-8 Page_2 Policy

Role Type	Privilege	Resource	Policy Subject
Grant	view	`/myrealm/portalapp/wlp/sampleportal/ com_bea_p13n/Page/page_2`	SampleVisitor role

Configuring Policy for Portlets

Portlets are the visible components that act as the interface to applications and content. A portlet is referenced as a resource in WebLogic Enterprise Security in the following manner:

//app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Portlet/portlet_login1

where portlet_login is the label definition of the portlet.

If you define policy at the portlet_login1level, you can control access at the portlet_login1 Portlet level.

Table 5-9 shows a policy that would grant the view privilege to the portlet_login1 Portlet for visitors in the SampleVisitor role.

Table 5-9 Portlet_login1 Policy

Role Type	Privilege	Resource	Policy Subject
Grant	view	`/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Portlet/portlet_login1`	SampleVisitor role

Configuring Policy for Look and Feels

A Look and Feel is a selectable combination of skins and skeletons that determine the physical appearance of a portal desktop. A Look and Feel is referenced as a resource in WebLogic Enterprise Security in the following manner:

//app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/LookAndFeel/textLookAndFeel

where textLookAndFeel is the label definition of the Look and Feel.

If you define policy at the textLookAndFeellevel, you can control access at the textLookAndFeel level.

Table 5-10 shows a policy that would grant the view privilege to the textLookAndFeel Look and Feel visitors in the SampleVisitor role.

Table 5-10 Portlet_login1 Policy

Role Type	Privilege	Resource	Policy Subject
Grant	view	`/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/LookAndFeel/textLookAndFeel`	SampleVisitor role

Defining Policy for Portlets using Instance ID

Portlets have a unique instance ID that allows for granular policy definition outside the standard hierarchy of the Desktop->Book->Page->Portlet. To use this in WebLogic Enterprise Security, add a condition statement in the portlet rule that adds the portlet instance ID. For example:

grant( [//priv/maximized,//priv/minimized,//priv/view], //app/policy/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Portlet
/ortlet_login1, //role/Operator) if instanceid = "portlet_login1";

Table 5-11 shows a policy that would grant the view privilege to the portlet_login1 Portlet for visitors in the Operator role.

Table 5-11 Portlet_login1 Policy Using Instance ID

Role Type	Privilege	Resource	Policy Subject	Condition
Grant	view	`/myrealm/portalapp/wlp/sampleportal/com_bea_p13n/Portlet/portlet_login1`	Operator role	`if instanceid = "portlet_login1";`

Discovering Portal Application Resources

When developing policy for use with a Security Service Module, you can use the discovery mode feature of to WebLogic Enterprise Security Administration Application to help build your policy. Instructions for using discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.

Distributing Policy and Security Configuration

Distribute the policy and security configuration to the WebLogic Server 8.1 Security Service Module.

For information on how to distribute policy and security configuration, see "Deployment in the Administration Application Guide and the Console Help. Be sure to verify the results of your distribution.

Starting the WebLogic Portal Server

To start a WebLogic Portal server, perform the following steps:

Open a shell (command prompt) on the machine on which you created the portal domain.

Change to the portal domain directory: BEA_HOME\user_projects\domains\portalDomain.

Run the following script:

On Windows: startWebLogic.cmd
On UNIX: startWeblogic.sh

Configuring Portal Administration to Use the WebLogic Authenticator

To use the WebLogic Authentication provider to manage administrative users for portal administration, perform the following steps:

Within the Portal Administration console, go to Service Administration.

Select Authentication Hierarchy Service.

Add WebLogicAuthenticator to the Authentication Providers to Build list.

Using Portal Administration Tools to Create a Portal Desktop

Before you can use WebLogic Enterprise Security to control access to a portal desktop, you must use WebLogic Portal Administration Tools to create a portal desktop.

To create a portal desktops, perform the following steps:

To have full control of the definition and instance labels, use WebLogic Workshop 8.1 to create the initial portal application.

Using the initial portal application as a template, use the Portal Administration Tools to create the portal desktops.

For instructions on using Portal Administration Tools to create portal desktops, see Create a Desktop in the WebLogic Administration Portal Online Help.

To create a portal desktop for the sample portal application using the Portal Administration Tools, perform the following steps:

Open a browser and point it to: http://localhost:7001/testportalappAdmin. The Sign In page appears.

Enter Username: portaladmin, Password: portaladmin, and click Sign In. The Portal Resources navigation tree appears.

Right click on Portals and select New Portal. The Portal Resource page appears.

Enter a Name for this Portal, for example: myportal, enter a partial URL for this Portal, for example: myportal, and click Save. The Available Portals list appears.

Select the myportal link from the list. The Editing Portal: myportal page appears.

Click Create New Desktop. The New Desktop Properties dialog appears.

Enter Title, for example: mydesktop and a Partial URL, for example: mydesktop.

Choose a Template:Choose: testportalweb/test.portal and click Create New Desktop. Desktops contained in Portal myportal list appear.

Select mydesktop from the list. The Editing Desktop: mydesktop page appears.

Select View Desktop. mydesktop is displayed in a new browser window. Verify that the desktop contains the sample portal application.

Close the mydesktop browser and Logout. The Sign In page appears.

Exit the Portal Administration Tool by closing its browser.

Accessing the Portal Application

To access a portal application running on a portal server, open a browser and point it to the desktop URL. For example, if you set up the desktop for the sample portal application as described in Using Portal Administration Tools to Create a Portal Desktop, you can access the sample portal application using the following URL:

http://<host_name>:7001/sampleportal/appmanager/myportal/mydesktop

where <host_name> is the machine on which portal application is running.