Security Model for WebCenter Portal Pages

In PS3, the WebCenter Portal Framework allows you to create page hierarchies.  As you may know, it is typical to manage Portal pages in a hierarchical way.  The hierarchical structure allows ease of management and security provisioning.   In this blog post, I want to give a quick overview of the new model for securing page hierarchies.  Here is the algorithm:

  • root page has a default entitlement (policy)
  • subordinate pages may inherit entitlement from parent page
  • subordinate pages may override default by specifying a new entitlement
  • to be able to view a page, one should have “view” access on all parent pages in the hierarchy

Let’s look at an example.  All the subordinate pages (i.e. the “hardware”, “software”, and “warranty” pages) inherit entitlements from the “products” page.  Here, we have placed an entitlement on the “products” page.  The entitlement grants access rights to the marketing-role.

Subordinate pages (like “hardware”) inherit entitlements from the “products” page, i.e. marketing-role has all the access rights that it was granted at the “products” page level.

Now, let’s see the effect of these entitlements at runtime.  Log in as mark (marketing-role).  He should be able to create a subordinate page under “products” and also perform operations like “edit” for all pages under “products”.

If we log in as another user (say “sam”, who is not in marketing-role), he will not be able to create a subordinate page (note that the “create page” option is disabled) or perform operations like “edit” for any page under “products”.
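The four rules and the mark/sam scenario above, modelled in Python as an added example; this is not WebCenter code and not part of the original post. The class and function names, the staff-role, the “internal” and “pricing” pages, and the assumption that an override replaces the inherited entitlement rather than merging with it are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set

Entitlement = Dict[str, Set[str]]  # role name -> actions granted


@dataclass
class Page:
    name: str
    parent: Optional["Page"] = None
    entitlement: Optional[Entitlement] = None  # None = inherit from parent

    def effective(self) -> Entitlement:
        """Nearest entitlement walking up the tree; empty means deny."""
        node: Optional[Page] = self
        while node is not None:
            if node.entitlement is not None:
                return node.entitlement
            node = node.parent
        return {}

    def parents(self) -> Iterator["Page"]:
        """Yield the parent pages, nearest first, up to the root."""
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


def granted(page: Page, roles: Set[str], action: str) -> bool:
    """Is the action granted by the page's own effective entitlement?"""
    ent = page.effective()
    return any(action in ent.get(role, set()) for role in roles)


def allowed(page: Page, roles: Set[str], action: str) -> bool:
    """The action must be granted on the page and 'view' on every parent."""
    return granted(page, roles, action) and all(
        granted(p, roles, "view") for p in page.parents())


# Constructed sample hierarchy; only marketing-role comes from the post.
FULL = {"view", "edit", "create"}
root = Page("root", None, {"marketing-role": {"view"}, "staff-role": {"view"}})
products = Page("products", root, {"marketing-role": FULL, "staff-role": {"view"}})
hardware = Page("hardware", products)                             # inherits
internal = Page("internal", products, {"marketing-role": FULL})   # override
pricing = Page("pricing", internal, {"staff-role": {"view"}})     # override
MARK, SAM = {"marketing-role"}, {"staff-role"}
```

In this model sam is granted “view” by the entitlement on “pricing” itself, yet `allowed(pricing, SAM, "view")` is false because he has no “view” access on its parent “internal”, which is the fourth rule in action.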

For more detailed information, refer to “Securing your WebCenter Portal Application” section in WebCenter Developer Guide here.

Branding WebCenter Spaces with custom Page Templates, Navigation, and Skins

“Branding” WebCenter Spaces in PS3 is easy!  There is support for complete management of “Site Resources” (like Page Templates, Navigations, Skins, etc.).  Powerful browser-based tooling allows business users to easily create, edit, and manage these resources.  Part III of User’s Guide covers these topics in detail.

A great post (and video) by John Brunswick here shows an example on how one can quickly create a new Page Template with “flyout-menus” using CSS.

Here are some screen shots of a Page Template we built using similar techniques.

Flyout menus include links and content (images) defined in the Navigation Model

Flyout menu surfacing Administration links for the space

Customizing WebCenter Spaces’ System pages

One of the themes for the new WebCenter Spaces platform in PS3 has been to empower the users to brand, customize, and tailor the application to their needs.   One such feature is “System Page customization”.

System pages are essentially the “seeded” or “pre-configured” pages of WebCenter Spaces.  These pages can be customized to apply your company brand, inject additional functionality, etc.  The system page Task Flow Edit provides an environment for customizing all instances of a seeded task flow in a given scope in one operation.  These customizations can be applied at different levels or “scopes” – e.g. at the whole application level or at a given space level.

If you log in as an administrator and click on “Administration>Pages>System Pages”, you will see a list of system pages for the application.  Customizing these will customize the pages at the application level.  However, you can customize the system pages at the space level by going to “Manage>All Settings>Pages>System Pages”.

Clicking on “Customize” will launch the page in Composer, where you can traverse to the UI element you want to customize.

You can also drill down on a task flow on the page and start customizing it at runtime.

Here is a snapshot of the “My Profile” system page I customized using this technique.

For more detailed information, please refer to “Working with System Pages” in WebCenter’s User Guide.

WebCenter 11gPS3 is out!

Yes, the new release of WebCenter (11g PS3) is out today!  WebCenter 11gPS3 delivers the most comprehensive platform for building portals and collaborative & social applications.  This release brings together the best features from WebLogic Portal (WLP), Oracle Portal, and WebCenter Interaction (WCI).  The best place to get information regarding the features in PS3 is still at  If you are looking for an overview, you should register for our webcast planned on Feb 2.

Enabling SSO for WebCenter 11g using Oracle Access Manager (OAM)

Configuring single sign-on (SSO) between WebCenter components and/or other partner applications is an important part of WebCenter setup.  OAM configuration with a WebCenter application is covered in detail in the WebCenter Admin Guide on OTN.  Other solutions that can be leveraged for SSO are SAML (the “built-in” solution in WebLogic Server), Oracle SSO (OSSO), Windows Native Auth (WNA), etc.  Each one has different setup requirements, but the following few common “concepts” and functional points exist across the board.

Policy Decision Point (PDP):  Point that evaluates and makes (authorization) decisions

Policy Enforcement Point (PEP): Point which intercepts a request and channels it to the PDP

Policy Administration Point (PAP): Points which help manage and administer policies

Identity Assertion Provider (IAP): A type of Authenticator that allows users or processes to assert their identity based on tokens (specific to the SSO solution)

The figure below shows where these functional points are.  Note that the Webgate, an out-of-the-box plugin that intercepts HTTP requests and forwards them to the Access Manager, is the PEP, and the Access Server is the PDP.  The figure also shows the sequence of events in the single sign-on process.
