Oracle9iAS Portal provides a security mechanism that the PL/SQL portlets typically use. Portlet security refers to the techniques and methods used by portlets to control their access to end users. The portlets leave authentication to Oracle Portal and trust that the portal will return the correct, validated user upon request.
Oracle Portal strictly controls access to information and applications. This is accomplished by assigning specific privileges to users and groups. Portal security services allow you to specify access control programmatically and check for the appropriate privileges at runtime. The security mechanisms used by portlets ensure that only authorized users will have access to these portlets.
Security services are available through the wwsec_api package.
Key Features
Portlet security is used during two conditions in the portal. It is used when a portlet is displayed in a portal page and when a portlet is returned in a portlet list that is returned by the get_portlet_list method for database providers. Security services in the Portal framework have the following key features.
Portlet Display
Before a portlet is displayed on a page, the provider checks for the access privileges. For this, the provider needs to define the is_portlet_runnable method which calls the portlet's is_runnable method to check access privilege to the portlet.
You can find which default group a user belongs to by using the wwsec_api.get_defaultgroup function.
Check user/group privileges
You can find whether a user/group has the required privileges to customize a portlet by using the wwsec_api.has_privilege function.
Highest privilege
You can find what is the highest available privilege of a user across all groups by using the wwsec_api.get_privilege_level function.
Accessible objects
You can find all the objects a user has access to, given a privilege level, by using the wwsec_api.accessible_objects function.
You can find other similar associated functions in the API documentation.
How to Use Security Services
The portal requires the method is_portlet_runnable to be implemented by database providers. This method implements portlet security. The actual implementation of this method is up to the application to be specified, i.e. the security scheme that determines whether or not the current user has enough privileges to access the portlet is defined by the individual portlet implementation.
The portal also requires the method get_portlet_list for database providers to return the right set of portlets that are accessible by the currently logged on user.
The general model for working with the other security subsystem API can be described as follows:
1. Identify the piece of information you require for your functionality.
2. Use the appropriate method from the wwsec_api to get this value.
Tips for Using Security Services
Portlet security allows the portlet implementation to perform a run time security check to ensure that the current user has the necessary authorization to access the portlet.
When a portlet is rendered in MODE_SHOW the portlet may call the is_runnable method for database providers to determine if the portlet should be displayed for the currently logged on user or not - the portal does not make the call to this method directly. It is not a requirement, however, for the portlet to make this call. The portlet should make this call in its show mode only if it implements portlet security.
The result of the call to this method by the portlet, i.e. is_runnable for database providers determines whether the portlet is actually displayed or not. If the result is true the portlet is displayed, otherwise it is not. The portlet is rendered in MODE_SHOW when it is displayed in a portal page.
When a portlet is returned in a portlet list by a call to the provider method get_portlet_list the value of the p_security_level parameter determines the purpose of the call to the method. When the call is made from the portlet repository refresh operation in order to retrieve the master list of portlets that the provider implements the parameter p_security_level has a value of false. This indicates to the provider that no portlet security check should be made and a master list of all the portlets that the provider implements must be returned. The master list of portlets returned in this case is used to populate the portlet repository for that provider.
If the value of p_security_level is true then it is up to the provider implementation to decide whether portlet security should be performed or not. If portlet security is implemented the provider may return a different list of portlets depending on the currently logged on user.
When the portlet repository is displayed the portal calls the is_portlet_runable method for database providers for each of the portlets that exist in the portlet repository. This is done in order to display only the portlets that the currently logged on user is authorized to see. One example where the portlet repository is displayed is in the Add Portlets screen.
Security Services usage hints
The portlet security mechanism may use the context and security subsystem APIs and infrastructure. The context APIs can be used to retrieve information about the current user. The security subsystem can be used to check the privileges the current user has. For more information on the context and security subsystem APIs see the PL/SQL API Reference. While using these API, keep in mind the following:
Only authorized users should be able to see your portlet in the selection dialog. This can be done by implementing the is_portlet_runnable method in the provider. You can also allow public access to your portlet.
If a portlet does not want to render itself to a user, it should return no HTML or return an exception that the page engine will ignore. It should not return an error message.
For further details regarding implementation, refer to Implementing Security Services.
Revision History
November 27, 2000.