Security
This document covers various security issues related to portal application development.
For an overview of portal security and information on core security concepts, see Securing Portal Applications in the WebLogic Workshop help system.
When you develop portlets that use JSPs and other resources, you can control access to those portlets using visitor entitlements in the WebLogic Administration Portal.
However, visitor entitlements govern only what the portal renders. Unless you also use J2EE declarative security to restrict the JSPs and other resources themselves, a user who knows or guesses the path can bypass the portlet entirely by typing the exact URL of the resource. For example:
http://avitek/avitekPortal/portlets/hr/vpSalaries.jsp
To prevent direct access to portal resources, add a security entry in your portal Web project's /WEB-INF/web.xml file. For example:
<!-- Use declarative security to block direct address to portlets -->
<security-constraint>
    <display-name>Default Portlet Security Constraints</display-name>
    <web-resource-collection>
        <web-resource-name>Portlet Directory</web-resource-name>
        <url-pattern>/portlets/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This security entry in web.xml protects all files in the portal Web project's /portlets directory and its subdirectories from being directly accessed by a request URL: the container answers a browser request for any such path only for an authenticated user in the Admin role.
Entitled portlets still display these protected resources, because the portal framework includes portlet JSPs server-side, and servlet security constraints apply only to requests that arrive from the client, not to RequestDispatcher forwards or includes. Only users entitled to a portlet therefore see what it renders.
Two details of the entry matter in practice. Listing <http-method> elements confines the constraint to exactly those methods: as written, GET and POST are blocked, but HEAD, OPTIONS and any other verb reach the resource unchecked. Omit the <http-method> elements unless you intend that; a constraint with no methods listed applies to every method. A <transport-guarantee> of NONE permits plain HTTP; use CONFIDENTIAL if the protected resources must travel only over SSL.
Note: A <url-pattern> of /portlets/*.jsp is not legal syntax and does not protect subdirectories. A pattern is either an exact path, a path prefix ending in /* (such as /portlets/*), or an extension pattern beginning with *. (such as *.jsp); the two forms cannot be combined.
This approach, however, means that resources such as images that do not require security restrictions must be stored in unsecured directories (for example, outside of the /portlets directory).
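The following script is an added example, not code from the WebLogic Portal documentation or product. It models the servlet-specification matching rules for <url-pattern> and <http-method> described above and audits which request paths and verbs slip past the constraints in a web.xml. The web.xml fragment, the request list and the helper names (pattern_kind, is_protected, audit, drop_http_methods) are constructed for the example; the fragment is the GET/POST-only entry from this page, so the audit shows HEAD and OPTIONS reaching the portlet JSP until the <http-method> elements are removed.

```python
"""Audit <security-constraint> coverage in a web.xml (added example, not BEA code).

Models servlet-spec url-pattern matching (exact, /prefix/*, *.ext) and the rule
that listing <http-method> confines a constraint to those verbs only.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: the GET/POST-only constraint from the text above.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/portlets/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed request sample: direct requests a visitor could type.
REQUESTS = [
    ("/portlets/hr/vpSalaries.jsp", "GET"),
    ("/portlets/hr/vpSalaries.jsp", "POST"),
    ("/portlets/hr/vpSalaries.jsp", "HEAD"),
    ("/portlets/hr/vpSalaries.jsp", "OPTIONS"),
    ("/portlets", "GET"),
    ("/images/logo.gif", "GET"),
]


def _local(tag):
    """Strip the XML namespace so namespaced and plain web.xml files both parse."""
    return tag.split("}", 1)[-1]


def pattern_kind(pattern):
    """Classify a url-pattern; anything else (e.g. /portlets/*.jsp) is illegal."""
    if pattern.startswith("/") and pattern.endswith("/*") and "*" not in pattern[:-1]:
        return "prefix"
    if pattern.startswith("*.") and "*" not in pattern[1:] and "/" not in pattern:
        return "extension"
    if pattern.startswith("/") and "*" not in pattern:
        return "exact"
    raise ValueError("illegal url-pattern: %r" % pattern)


def pattern_matches(pattern, path):
    """Servlet-spec matching: /foo/* covers /foo and everything below it."""
    kind = pattern_kind(pattern)
    if kind == "exact":
        return path == pattern
    if kind == "prefix":
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path.endswith(pattern[1:])  # "*.jsp" -> ".jsp"


def parse_constraints(web_xml):
    """Return [(patterns, methods, requires_auth)] per web-resource-collection."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # An <auth-constraint>, even an empty one, denies unauthenticated access.
        requires_auth = any(_local(e.tag) == "auth-constraint" for e in sc)
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = {e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"}
            for p in patterns:
                pattern_kind(p)  # reject illegal syntax early
            out.append((patterns, methods, requires_auth))
    return out


def is_protected(constraints, path, method):
    """True if an auth-constrained collection covers this path AND this verb."""
    for patterns, methods, requires_auth in constraints:
        if not requires_auth:
            continue
        if methods and method.upper() not in methods:  # listed verbs only
            continue
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False


def audit(web_xml, requests):
    """Return the (path, method) pairs that reach the resource with no auth check."""
    constraints = parse_constraints(web_xml)
    return [(p, m) for p, m in requests if not is_protected(constraints, p, m)]


def drop_http_methods(web_xml):
    """Harden: remove every <http-method> so each constraint covers all verbs."""
    root = ET.fromstring(web_xml)
    for parent in root.iter():
        for child in list(parent):
            if _local(child.tag) == "http-method":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unprotected with GET/POST listed:", audit(WEAK_WEB_XML, REQUESTS))
    print("unprotected after hardening:", audit(drop_http_methods(WEAK_WEB_XML), REQUESTS))
```

Run it against your own web.xml by replacing WEAK_WEB_XML with the file contents and REQUESTS with the paths you care about; anything the audit returns under a /portlets path is reachable without the Admin role. The only entry that should remain after hardening is the image outside /portlets, which the page leaves deliberately unsecured.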