Securing Portal Applications

This topic provides a basic overview of WebLogic Portal security. The other portal topics, listed in Topics Included in this Section, provide implementation instructions.

WebLogic Portal uses the underlying WebLogic Server security architecture to let you create secure portal applications. The ultimate goal of portal security is to restrict access to portal resources and administrative functions to only those users who need access to those resources and functions.

Topics Included in This Section

Overview

Note: Implementing security in a portal requires a basic understanding of standard security concepts, many of which are outside the scope of WebLogic documentation; for example, encryption, injection of SQL statements at login, and secure socket layers (SSL). The Related Topics section contains, among other things, links to information that will help give you a broader, more complete view of security and the issues surrounding it.

WebLogic Portal provides built-in functionality for authentication ("Who are you?") and authorization ("What can you access?").

Authentication

WebLogic Portal provides many authentication samples that you can incorporate into your portals. WebLogic Portal also provides many tools for user/group management.

Samples

Implementing Authentication contains details about the authentication examples contained in the Tutorial Portal.

WebLogic Portal also provides two sample login portlets you can reuse in your portals to authenticate WebLogic users:

You can also build other types of authentication supported by WebLogic Server.

User/Group Management

The WebLogic Administration Portal provides tools for managing users, groups, and setting user/group properties. For information on managing users and groups, see:

Authorization

There are three fundamental categories of things that can be secured in portals: the WebLogic Administration Portal, portal resources, and J2EE resources. Each is described below.

Using the WebLogic Server concept of security roles, WebLogic Portal lets you dynamically match users to roles at login. Different roles are, in turn, assigned to different portal resources, administrative tools, and J2EE resources so users can access only the resources and tools that their assigned roles allow.

WebLogic Administration Portal

The WebLogic Administration Portal provides the tools for managing users, portal delegated administration roles, visitor entitlement roles, interaction management rules, content management, and portal resources.

You can lock down the WebLogic Administration Portal with delegated administration, which provides secure administrative access to the WebLogic Administration Portal tools. Delegated administration security is based on the delegated administration roles you create.

Portal Resources

The WebLogic Workshop Portal Extensions and the WebLogic Administration Portal provide tools for creating and managing portals, desktops, shells, books, pages, layouts, look & feels, and portlets. You can control access to portal resources for two types of users: administrators and visitors.

Administrators - You can control the portal resources that can be managed by portal administrators using delegated administration.

Visitors - You can control visitor access to portals and portal resources with visitor entitlements. Visitor entitlements are based on the visitor entitlement roles you create.

J2EE Resources

J2EE resources are the application framework and logic (Web applications, JSPs, EJBs, and so on) for which you can control visitor access. Security on J2EE resources is based on global security roles set up in WebLogic Server and applied to the individual J2EE resources. Security roles for J2EE resources are different from the security roles that users can belong to, though both types of roles use the same roles architecture.

Default Users

The portal sample domain <BEA_HOME>\<WEBLOGIC_HOME>\samples\domains\portal and any portal domain you create with the Configuration Wizard include the following default users. You can add these usernames and passwords to your existing domains.

Username       Password       Belongs to these groups
weblogic       weblogic       Administrators, PortalSystemAdministrators
portaladmin    portaladmin    Administrators, PortalSystemAdministrators

Note on weblogic: This is the username and password for the portal sample domain. In a new portal domain created with the Configuration Wizard, both can be whatever was used for the primary system administrator.

Note on portaladmin: This is a default user for managing and setting up delegated administration on portals.

About deleting portaladmin: If your domain does not contain portals, you can delete this user. However, this user is part of the campaign service configuration. Deleting portaladmin will cause deployment failure unless you perform the "Set up e-mail security" modifications as described in Creating Campaigns on BEA's e-docs Web site.

Related Topics

WebLogic Server Security

The Open Web Application Security Project (OWASP)

Unified User Profiles (edocs)

Creating User Profile Properties

Using Portal Controls (for user/group management)

User/Group Management JSP Tags

For details on managing users and groups, see the WebLogic Administration portal online help system, also available on e-docs.