Portlet security refers to the techniques and methods used by portlets to control which end users can access them. Portlet security is used in two areas of the portal: when a portlet is displayed in a portal page, and when a portlet is returned in the portlet list produced by the get_portlet_list method (for database providers) or Provider.getPortlets() (for Web providers).
The security mechanisms used by portlets ensure that only authorized users have access to these portlets.
How to Use Portlet Security
The portal requires the method is_portlet_runnable to be implemented by database providers and PortletSecurityManager.hasAccess() by Web providers. This method implements portlet security. The actual implementation is left to the application: the security scheme that determines whether or not the current user has sufficient privileges to access the portlet is defined by the individual portlet implementation.
The portal also requires the method get_portlet_list for database providers and Provider.getPortlets() for Web providers to return the correct set of portlets, that is, the portlets that are accessible to the currently logged-on user.
Tips for Using Portlet Security
Portlet security allows the portlet implementation to perform a run time security check to ensure that the current user has the necessary authorization to access the portlet.
When a portlet is rendered in MODE_SHOW, the portlet may call the is_portlet_runnable method for database providers and PortletSecurityManager.hasAccess() for Web providers to determine whether the portlet should be displayed for the currently logged-on user; the portal does not call this method directly. It is not a requirement, however, for the portlet to make this call. The portlet should make this call in its show mode only if it implements portlet security.
The result of the call to this method by the portlet, i.e. is_portlet_runnable for database providers and PortletSecurityManager.hasAccess() for Web providers, determines whether the portlet is actually displayed or not. If the result is true the portlet is displayed, otherwise it is not. The portlet is rendered in MODE_SHOW when it is displayed in an Oracle9iAS Portal page.
When a portlet is returned in a portlet list by a call to the provider method get_portlet_list, the value of the p_security_level parameter determines the purpose of the call. When the call is made from the portlet repository refresh operation to retrieve the master list of portlets that the provider implements, the parameter p_security_level has a value of false. This indicates to the provider that no portlet security check should be made and that a master list of all the portlets the provider implements must be returned. The master list of portlets returned in this case is used to populate the portlet repository for that provider.
If the value of p_security_level is true, it is up to the provider implementation to decide whether or not portlet security should be performed. If portlet security is implemented, the provider may return a different list of portlets depending on the currently logged-on user. For Web providers, the flag byUser indicates to the Provider.getPortlets() method whether or not any portlet security should be performed.
When the portlet repository is displayed, the portal calls the is_portlet_runnable method for database providers and PortletSecurityManager.hasAccess() for Web providers for each of the portlets that exist in the portlet repository. This is done in order to display only the portlets that the currently logged-on user is authorized to see. One example where the portlet repository is displayed is the Add Portlets screen.
Portlet security implementation hints
The portlet security mechanism may use the context and security subsystem APIs and infrastructure. The context APIs can be used to retrieve information about the current user. The security subsystem can be used to check the privileges the current user has. For more information on the context and security subsystem APIs see the PL/SQL API Reference.
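The following is an added example, not code from the original page or from the Oracle PDK, of how a database provider might implement get_portlet_list and is_portlet_runnable so that the p_security_level flag behaves as described above and the same decision is used in both places. It assumes the PDK-PL/SQL method signatures, the wwpro_api_provider record and table types with a portlet .id and a portlet_instance .portlet_id field, wwctx_api.get_user as the context API returning the current user name, and a constructed allow-list table PORTLET_ACL(portlet_id, user_name); all of these are assumptions, not taken from the page.

```plsql
create or replace package body my_provider as
  -- Constructed master list: every portlet this provider implements.
  -- (Only the assumed .id field is populated here; real records carry more.)
  function master_list return wwpro_api_provider.portlet_table is
    l_list wwpro_api_provider.portlet_table;
  begin
    l_list(1).id := 1;  -- constructed: a public status portlet
    l_list(2).id := 2;  -- constructed: a restricted HR portlet
    return l_list;
  end master_list;
  -- Shared security decision: allow only when the constructed table
  -- PORTLET_ACL(portlet_id, user_name) lists the current user for that
  -- portlet. Fails closed: any lookup error denies rather than grants.
  function user_may_run(p_portlet_id in number) return boolean is
    l_count pls_integer;
  begin
    select count(*) into l_count
      from portlet_acl
     where portlet_id = p_portlet_id
       and user_name  = wwctx_api.get_user;  -- assumed context API: current user
    return l_count > 0;
  exception
    when others then return false;
  end user_may_run;
  -- Called by the portlet itself in MODE_SHOW, and by the portal when it
  -- displays the repository (e.g. the Add Portlets screen).
  function is_portlet_runnable
  ( p_portlet_instance in wwpro_api_provider.portlet_instance_record
  ) return boolean is
  begin
    return user_may_run(p_portlet_instance.portlet_id);
  end is_portlet_runnable;
  -- Paging and language parameters are accepted but ignored in this example.
  function get_portlet_list
  ( p_start_row in integer, p_rowcount in integer, p_language in varchar2,
    p_security_level in boolean, p_type in integer
  ) return wwpro_api_provider.portlet_table is
    l_all wwpro_api_provider.portlet_table := master_list;
    l_out wwpro_api_provider.portlet_table;
  begin
    -- FALSE: repository refresh; return the unfiltered master list.
    if not p_security_level then return l_all; end if;
    -- TRUE (a NULL flag is treated as TRUE): filter for the current user.
    for i in 1 .. l_all.count loop
      if user_may_run(l_all(i).id) then l_out(l_out.count + 1) := l_all(i); end if;
    end loop;
    return l_out;
  end get_portlet_list;
end my_provider;
```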
Revision History
November 1, 2000.