Oracle® Fusion Middleware Security Guide for Oracle WebLogic Portal 10g Release 3 (10.3.4) Part Number E14251-05
You can control visitor access to portal resources using visitor entitlements in the WebLogic Portal Administration Console. However, you must also use deployment descriptors to secure the JSPs and page flows contained in a portlet; otherwise a malicious user can access those resources directly if they know the correct URL.
Note:
Page flows are a feature of Apache Beehive, which is an optional framework that you can integrate with WLP. See "Apache Beehive and Apache Struts Supported Configurations" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
This chapter contains the following section:
You must use J2EE security to prevent direct access to JSPs and page flows; otherwise, a user can access those resources directly by entering the correct URL.
Note:
Descriptor security is only intended to prevent direct access to the JSP or page flow using a URL; it is not used when a portal renders a portlet.
Scoped roles are defined in their respective deployment descriptors:
Enterprise-application-scoped roles are defined in application.xml and weblogic-application.xml.
Web-application-scoped roles, which apply to resources within a project, are defined in web.xml and weblogic.xml.
EJB-scoped roles, which apply only to resources within an EJB, are defined in ejb-jar.xml and weblogic-ejb-jar.xml.
An example URL to a JSP is:
http://emp_app/employmentPortal/portlets/hr/vpSalaries.jsp
To prevent direct access to portlets, add a security entry in your portal web project's /WEB-INF/web.xml file. Example 4-1 shows an example web.xml file.
Example 4-1 Using Declarative Security to Block Direct Access to Portlets
    <!-- Use declarative security to block direct access to portlets -->
    <security-constraint>
        <display-name>Default Portlet Security Constraints</display-name>
        <web-resource-collection>
            <web-resource-name>Portlet Directory</web-resource-name>
            <url-pattern>/portlets/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
This security entry in the web.xml file protects all files in the portal web project's /portlets directory and its subdirectories from being directly accessed using a request URL.
Caution:
A <url-pattern> of /portlets/*.jsp is not legal syntax and does not protect subdirectories.
These protected resources are still displayed in entitled portlets, but only for users entitled to access those portlets.
Resources such as images, which do not require security restrictions, must be stored in unsecured directories outside the /portlets directory.
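As an added illustration (not Oracle's code), the following Python script parses a web.xml and reports whether a request path such as the /portlets/hr/vpSalaries.jsp URL above falls under an auth-constraint, applying the Servlet url-pattern rules (including the illegal /portlets/*.jsp form from the Caution); the sample web.xml is constructed to mirror Example 4-1.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml mirroring Example 4-1; the checker itself is an added illustration.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portlet Directory</web-resource-name>
      <url-pattern>/portlets/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag: str) -> str:
    """Strip the XML namespace so the checker works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet <url-pattern> rules: path prefix "/dir/*", extension "*.jsp", or exact.
    A mixed form like "/portlets/*.jsp" is not legal (see the Caution) and matches nothing."""
    if pattern.endswith("/*") and pattern.count("*") == 1:
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*.") and pattern.count("*") == 1 and "/" not in pattern:
        return path.endswith(pattern[1:])
    if "*" in pattern:
        return False
    return path == pattern

def load_constraints(web_xml: str):
    """Return (url-patterns, http-methods, has-auth-constraint) for each constraint."""
    root = ET.fromstring(web_xml)
    found = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        methods = {e.text.strip().upper() for e in sc.iter() if _local(e.tag) == "http-method"}
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        found.append((patterns, methods, has_auth))
    return found

def is_protected(web_xml: str, path: str, method: str = "GET") -> bool:
    """True if an <auth-constraint> covers path+method. Per the Servlet spec, listing
    <http-method> elements limits the constraint to those methods, so method matters."""
    for patterns, methods, has_auth in load_constraints(web_xml):
        if has_auth and (not methods or method.upper() in methods):
            if any(pattern_matches(p, path) for p in patterns):
                return True
    return False
```

Running is_protected against your deployed web.xml for each JSP and page flow under /portlets is a quick way to confirm the constraint covers what you expect before relying on it.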
Note:
Certain URL or EJB resources can be secured using the WebLogic Server Administration Console. Before using this technique, you must copy security configurations from existing deployment descriptors during the initial deployment of URL or EJB resources, or reinitialize the security configuration for URL or EJB resources to their original state. For more information, see "Import Security Data from Deployment Descriptors" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.