
Security


WebLogic Portal Security

 


Overview

This document covers various security issues related to portal application development.

For an overview of portal security and information on core security concepts, see Securing Portal Applications in the WebLogic Workshop help system.

 


Preventing Direct Access to Portlet Resources

When you develop portlets that use JSPs and other resources, you can control access to those portlets using visitor entitlements in the WebLogic Administration Portal.

However, if you do not also use J2EE declarative security to restrict access to those JSPs and other resources, a user can bypass the portlet entitlement and reach a resource directly by typing its exact URL. For example:

http://avitek/avitekPortal/portlets/hr/vpSalaries.jsp

To prevent direct access to portal resources, add a security entry in your portal Web project's /WEB-INF/web.xml file. For example:

<!-- Use declarative security to block direct access to portlets -->
<security-constraint>
	<display-name>Default Portlet Security Constraints</display-name>
	<web-resource-collection>
		<web-resource-name>Portlet Directory</web-resource-name>
		<url-pattern>/portlets/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>Admin</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>

This security entry in web.xml protects all files in the portal Web project's /portlets directory and its subdirectories from being accessed directly by a request URL.

Entitled portlets will still display these protected resources, but only users entitled to access those portlets will see them.

Note: A <url-pattern> of /portlets/*.jsp is not legal syntax (a pattern is either a path prefix ending in /* or an extension such as *.jsp, never both) and does not protect subdirectories.

This approach, however, means that resources such as images that do not require security restrictions must be stored in unsecured directories (for example, outside of the /portlets directory).
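The following is an added example, not part of the WebLogic documentation: a small Python audit script that parses a web.xml (a constructed sample based on the entry shown above, without an XML namespace) and reports which security constraints cover a given request path, applying the Servlet url-pattern rules (path prefix, extension, exact) and rejecting the illegal /portlets/*.jsp form noted above. It also checks the HTTP method, since a constraint that lists only GET and POST leaves other methods unconstrained.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment modelled on the entry shown on this page.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Default Portlet Security Constraints</display-name>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/portlets/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def is_valid_pattern(pattern: str) -> bool:
    """Servlet url-pattern syntax: '/path', '/path/*' or '*.ext'. Mixed forms like '/portlets/*.jsp' are invalid."""
    if pattern.startswith("*."):
        return "*" not in pattern[1:] and "/" not in pattern
    if pattern.startswith("/"):
        body = pattern[:-2] if pattern.endswith("/*") else pattern
        return "*" not in body
    return False


def pattern_matches(pattern: str, path: str) -> bool:
    """Match a request path against one url-pattern (prefix, extension or exact)."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def constraints_covering(web_xml: str, path: str, method: str = "GET") -> list:
    """Return the web-resource-name of every constraint that applies to this path and method."""
    hits = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text for m in wrc.findall("http-method")]
            # Listing http-method elements restricts only those methods; others stay open.
            if methods and method not in methods:
                continue
            patterns = [p.text for p in wrc.findall("url-pattern")]
            if any(pattern_matches(p, path) for p in patterns if is_valid_pattern(p)):
                hits.append(wrc.findtext("web-resource-name"))
    return hits
```

Run `constraints_covering(WEB_XML, "/portlets/hr/vpSalaries.jsp")` to see the portlet constraint applied, and try `method="HEAD"` to see why listing only GET and POST is worth reviewing.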

 
