Thanks all for attending my session on WebCenter Portal Security. The slides are here.
In PS3, the WebCenter Portal Framework allows you to create page hierarchies. As you may know, it is typical to manage Portal pages in a hierarchical way. The hierarchical structure allows ease of management and security provisioning. In this blog post, I want to give a quick overview of the new model for securing page hierarchies. Here is the algorithm:
- root page has a default entitlement (policy)
- subordinate pages may inherit entitlement from parent page
- subordinate pages may override default by specifying a new entitlement
- to be able to view a page, one must have “view” access on all parent pages in the hierarchy (a grant on the page itself is not enough if an ancestor is not viewable)
Let’s look at an example. All the subordinate pages, i.e. the “hardware”, “software” and “warranty” pages, inherit their entitlements from the “products” page. Here we have placed an entitlement on the “products” page that grants access rights to the marketing-role.
Subordinate pages (like “hardware”) inherit entitlements from the “products” page, i.e. the marketing-role has all the access rights on “hardware” that it was granted at the “products” page level.
Now let’s see the effect of these entitlements at runtime. Log in as mark (a member of the marketing-role). He should be able to create a subordinate page under “products” and also perform operations like “edit” on all pages under “products”.
If we log in as another user (say “sam”, who is not in the marketing-role), he will not be able to create a subordinate page (the “create page” option is disabled) or perform operations like “edit” on any page under “products”.
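To make the four rules concrete, here is a small model of the resolution algorithm as an added example; it is not WebCenter’s own code. The page names, roles and users mirror the post, while the “partners” and “pricing” pages, the sales-role and the specific action names are constructed to exercise the override and the all-ancestors rule. One assumption beyond the text: any action on a page (not only “view”) requires “view” on every ancestor, since a user who cannot reach a page cannot act on it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# An entitlement (policy): role name -> actions granted on the page.
Policy = Dict[str, FrozenSet[str]]


@dataclass
class Page:
    name: str
    parent: Optional["Page"] = None
    # None means "inherit the parent's entitlement"; a dict is an explicit override
    # that replaces (does not merge with) whatever would have been inherited.
    policy: Optional[Policy] = None

    def effective_policy(self) -> Policy:
        """Rules 1-3: walk up until a page with an explicit entitlement is found."""
        page = self
        while page is not None:
            if page.policy is not None:
                return page.policy
            page = page.parent
        raise ValueError(f"no entitlement found at or above page {self.name!r}")

    def ancestors(self) -> List["Page"]:
        chain = []
        page = self.parent
        while page is not None:
            chain.append(page)
            page = page.parent
        return chain


def granted(page: Page, roles: Set[str], action: str) -> bool:
    """Does the page's *effective* entitlement grant `action` to any of `roles`?"""
    policy = page.effective_policy()
    return any(action in policy.get(role, frozenset()) for role in roles)


def is_allowed(page: Page, roles: Set[str], action: str) -> bool:
    """Rule 4 plus the page's own grant. Assumption (not stated in the post): every
    action, not only 'view', requires 'view' on all ancestors."""
    if not all(granted(ancestor, roles, "view") for ancestor in page.ancestors()):
        return False
    return granted(page, roles, action)


def permitted_actions(page: Page, roles: Set[str]) -> FrozenSet[str]:
    """Everything the UI would enable for this user on this page (e.g. 'create page')."""
    candidates = frozenset().union(*page.effective_policy().values())
    return frozenset(a for a in candidates if is_allowed(page, roles, a))


# --- Constructed hierarchy mirroring the post: "products" is the root page ---
MARKETING_GRANTS = frozenset({"view", "edit", "create"})
products = Page("products", policy={"marketing-role": MARKETING_GRANTS})  # default entitlement
hardware = Page("hardware", products)   # inherits from products
software = Page("software", products)
warranty = Page("warranty", products)
# Constructed override (not in the post): a partner area under "products" that only
# the sales-role may view. The override replaces the inherited marketing grants.
partners = Page("partners", products, policy={"sales-role": frozenset({"view"})})
pricing = Page("pricing", partners)     # inherits the override, not the root default

USERS = {"mark": {"marketing-role"}, "sam": {"sales-role"}}

if __name__ == "__main__":
    for user, roles in USERS.items():
        for page in (products, hardware, partners, pricing):
            print(f"{user:4} on {page.name:8}: {sorted(permitted_actions(page, roles)) or '-'}")
```

The instructive case is “partners”: sam’s role is granted “view” there, yet `is_allowed` still refuses him because he has no “view” on the parent “products”. The entitlement on a page is necessary but never sufficient on its own.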
For more detailed information, refer to “Securing your WebCenter Portal Application” section in WebCenter Developer Guide here.
Configuring single sign-on (SSO) between WebCenter components and/or other partner applications is an important part of WebCenter setup. OAM configuration with a WebCenter application is covered in detail in the WebCenter Admin Guide on OTN. Other solutions that can be leveraged for SSO are SAML (the “built-in” solution in WebLogic Server), Oracle SSO (OSSO), Windows Native Authentication (WNA), etc. Each one has different setup requirements, but the following common concepts and functional points exist across the board.
- Policy Decision Point (PDP): the point that evaluates policy and makes the (authorization) decision
- Policy Enforcement Point (PEP): the point that intercepts a request, channels it to the PDP, and enforces the decision that comes back (let the request through, deny it, or redirect to login)
- Policy Administration Point (PAP): the point(s) where policies are created, managed and administered
- Identity Assertion Provider (IAP): a type of authentication provider that lets users or processes assert their identity based on tokens (specific to the SSO solution) instead of presenting credentials; the IAP is what makes the application trust an identity established elsewhere
The figure below shows where these functional points sit. Note that the WebGate, an out-of-the-box plugin that intercepts HTTP requests and forwards them to the Access Manager, is the PEP, and the Access Server is the PDP. The figure also shows the sequence of events in the single sign-on process.
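As an added example (not Oracle’s code, and not the OAM or WebLogic implementation), here is a simplified model of the PEP/PDP/PAP/IAP split and of the SSO request sequence above. The token format (base64url claims plus an HMAC-SHA256 tag), the shared secret, the login URL, the asserted-identity header name, the path prefixes and the users and roles are all constructed for the illustration; in a real deployment the trust between WebGate and Access Server rests on provisioned key material and the header name is whatever the product’s identity asserter expects.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed values for the demo; none of these are real OAM/WebLogic settings.
SHARED_SECRET = b"constructed-demo-secret"
LOGIN_URL = "https://sso.example.com/login"
ASSERTED_USER_HEADER = "X-Asserted-User"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, issued_at: int, ttl: int = 300) -> str:
    """Issue an SSO token: base64url(claims) '.' HMAC-SHA256(claims). Constructed format."""
    body = _b64u(json.dumps({"sub": user, "iat": issued_at, "exp": issued_at + ttl}).encode())
    return body + "." + hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()


class IdentityAssertionProvider:
    """IAP: turn a presented token into an asserted principal, or refuse it."""

    def assert_identity(self, token: Optional[str], now: int) -> Optional[str]:
        if not token or token.count(".") != 1:
            return None
        body, tag = token.split(".")
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None                               # forged or tampered token
        claims = json.loads(_unb64u(body))
        if claims.get("exp", 0) <= now:
            return None                               # expired token
        return claims.get("sub")


class PolicyAdministrationPoint:
    """PAP: where policies are authored. Longest matching path prefix wins."""

    def __init__(self) -> None:
        self._rules: Dict[str, frozenset] = {}

    def protect(self, prefix: str, roles) -> None:
        self._rules[prefix] = frozenset(roles)

    def rule_for(self, path: str) -> Optional[frozenset]:
        matches = [p for p in self._rules if path.startswith(p)]
        return self._rules[max(matches, key=len)] if matches else None


class PolicyDecisionPoint:
    """PDP: evaluates the PAP's policy against the asserted user's roles."""

    def __init__(self, pap: PolicyAdministrationPoint, roles_of: Dict[str, set]) -> None:
        self.pap, self.roles_of = pap, roles_of

    def decide(self, user: str, path: str) -> bool:
        required = self.pap.rule_for(path)
        if required is None:
            return False                              # default deny for unmatched resources
        return bool(self.roles_of.get(user, set()) & required)


class WebGate:
    """PEP: intercepts the request, consults the IAP and PDP, enforces the outcome."""

    def __init__(self, iap: IdentityAssertionProvider, pdp: PolicyDecisionPoint) -> None:
        self.iap, self.pdp = iap, pdp

    def handle(self, path: str, sso_cookie: Optional[str], now: int) -> Tuple[int, Dict[str, str]]:
        user = self.iap.assert_identity(sso_cookie, now)
        if user is None:
            # Step 1 of the SSO sequence: no valid session, bounce to the login page.
            return 302, {"Location": f"{LOGIN_URL}?redirect={path}"}
        if not self.pdp.decide(user, path):
            return 403, {}
        # Forward to the protected application with the asserted identity. The app-side
        # IAP may trust this header only because the gate strips any client-supplied copy.
        return 200, {ASSERTED_USER_HEADER: user}


# Constructed policy and users mirroring the earlier page-security example.
PAP = PolicyAdministrationPoint()
PAP.protect("/webcenter/", {"employee-role"})
PAP.protect("/webcenter/products", {"marketing-role"})
ROLES = {"mark": {"employee-role", "marketing-role"}, "sam": {"employee-role"}}
GATE = WebGate(IdentityAssertionProvider(), PolicyDecisionPoint(PAP, ROLES))

if __name__ == "__main__":
    now = 1_000_000
    print(GATE.handle("/webcenter/products", None, now))
    print(GATE.handle("/webcenter/products", mint_token("mark", now), now))
    print(GATE.handle("/webcenter/products", mint_token("sam", now), now))
```

Two points carry over to any real SSO setup: the PEP must never pass the asserted identity downstream unless the token actually verified (a header the client can set itself is not an assertion), and the PDP should default to deny for resources no policy covers.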