Oracle Application Server Portal Developer Kit (PDK)
Installing the Oracle Internet Directory Portlets

Last Update: October 20, 2003
Status: Production
Version: PDK Release 2, (9.0.4.0.2 and later)

Introduction

Oracle Application Server Portal (Portal) uses OracleAS Single Sign-On (SSO) to authenticate users. SSO in turn uses the OracleAS Internet Directory (OID) as a repository of users, groups and permissions. The OID portlets use the OID server to get information about the user that is accessing the portlet.

The OID sample consists of two portlets: the Contact portlet and the Protected portlet.

Related Documents

Assumptions

  1. You have installed the samples downloaded with PDK-Java and understand the steps required to display a Web portlet on an Oracle Portal page. For more information on installing the sample, please review the article on installing the PDK-Java Framework and Samples.
  2. The Web Provider can access the OID server associated with the Portal(s) on which it is registered.
  3. You have access to an OID account that has proxy privileges. For maximum security, you should create an OID account for each web provider. This allows you to control the OID privileges based on the individual requirements of each Web Provider.

Communicating the contact details of the OID server

This section describes how to communicate the contact details of the OID server to your Web provider.

The Portal Developer Kit needs to open one or more connections to the OID server during its operation so that properties of a user can be queried. To open these connections the following information is required:

  1. Host machine where OID is hosted, e.g. "machine.domain.com"
  2. Port used by the OID server, e.g. 389
  3. User name of an OID account that has proxy privileges
  4. Password for the OID account

For the purposes of this sample we provide an insecure extension of OidInfo called oracle.portal.sample.v2.devguide.oid.UnsafeOidInfo. As the name implies, this is NOT a secure way of accessing the OID password and it should not be used in a production implementation. However, it enables you to quickly and easily provide your OID server contact details in the deployment properties file called oid.properties in order to render the samples.

When using portlets that access the OID server in production, you should create a Java class that extends the abstract class oracle.portal.provider.v2.oid.OidInfo. This abstract class has public setters and package getters for the OID connection details. It also has a method public abstract void init(ProviderContext pc), which is called immediately after your OidInfo extension is constructed. You can use this method to read deployment properties or other context information to locate and load the necessary information. When you create your own extension of OidInfo you need to ensure that the OID access information remains secure.

Configuring the OidManager

To configure OidManager you need to modify the deployment properties file for the provider service. The OID sample provider service included with the PDK can be found in the following location:

[OC4J_INSTANCE]/applications/jpdk/jpdk/WEB-INF/deployment/oid.properties

Open the deployment properties file and edit the following entries:

  1. oidManager=true  Switches on the OidManager (it is switched off by default).
  2. oidAdminClass=<name of the class that extends oracle.portal.provider.v2.oid.OidInfo>

This information describes how to configure the OidManager in general; the following section describes how to configure the OidManager for the samples.

Configuring the OidManager using UnsafeOidInfo

To configure UnsafeOidInfo for this sample (remember, this is not a secure implementation), modify the deployment properties file [OC4J_INSTANCE]/applications/jpdk/jpdk/WEB-INF/deployment/oid.properties:

  1. oidAdminClass=oracle.portal.sample.v2.devguide.oid.UnsafeOidInfo
  2. oidHost= Host machine where OID is hosted, e.g. "machine.us.oracle.com"
  3. oidPort= Port used by the OID server, e.g. 389
  4. oidUser= User name of an OID user that has proxy privileges
  5. oidPasswd= Password for the OID user

The file should look something like:

oidManager=true
oidAdminClass=oracle.portal.sample.v2.devguide.oid.UnsafeOidInfo
oidHost=machine.domain.com
oidPort=389
oidUser=webprovider1
oidPasswd=welcome1
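An added check, not part of the PDK, that audits an oid.properties file for the sample-only settings described above. It assumes the file is plain Java properties text and flags the UnsafeOidInfo class, a clear-text oidPasswd and the sample default password; the properties text below is constructed from the listing above.

```python
# Added example (not part of the PDK): audit an oid.properties file for the
# sample-only settings described above. Assumes plain Java properties text.
UNSAFE_CLASS = "oracle.portal.sample.v2.devguide.oid.UnsafeOidInfo"

# Constructed sample mirroring the page's oid.properties listing.
SAMPLE_PROPERTIES = """# sample deployment properties
oidManager=true
oidAdminClass=oracle.portal.sample.v2.devguide.oid.UnsafeOidInfo
oidHost=machine.domain.com
oidPort: 389
oidUser=webprovider1
oidPasswd=welcome1
"""

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java splits on the first '=' or ':'; backslash escapes are not handled here.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            cut = min(seps)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props

def audit_oid_properties(text):
    """Return findings; an empty list means none of the sample-only settings are present."""
    props = parse_properties(text)
    findings = []
    if props.get("oidManager", "false").lower() != "true":
        return findings  # OidManager off: the OID entries are not used at all
    if props.get("oidAdminClass") == UNSAFE_CLASS:
        findings.append("oidAdminClass is the UnsafeOidInfo sample class; not for production")
    if props.get("oidPasswd"):
        findings.append("oidPasswd keeps the proxy account password in clear text in the deployment file")
    if props.get("oidPasswd") == "welcome1":
        findings.append("oidPasswd is the sample default 'welcome1'")
    if not props.get("oidAdminClass"):
        findings.append("oidManager=true but no oidAdminClass is set")
    return findings

if __name__ == "__main__":
    for finding in audit_oid_properties(SAMPLE_PROPERTIES):
        print("WARNING:", finding)
```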

Configuring the Group Security Manager

The Group Security Manager is an extension of the PortletSecurityManager that lets you control access to a portlet based on group membership. Only users who belong to the specified group(s) are allowed to access the portlet.

Your Provider must be configured to use the OidManager for this feature to work. Once you have configured your provider to use OidManager, you must modify your provider definition file for each portlet you want to protect with the GroupSecurityManager.

Also, for the portlets you want to protect you must enable "callIsRunnable" and "callGetPortlet". Setting these parameters forces authorisation checks to be made when this provider is registered. If the user doing the registration is not a member of the group, the portlet will not be registered.

The OID sample provider definition file included with the PDK can be found in the following location:

[OC4J_INSTANCE]/applications/jpdk/jpdk/WEB-INF/providers/oid/provider.xml

Open this provider definition file and within the <securityManager> tag, add one or more <group> tags containing the distinguished name (dn) of one or more Portal user groups whose members you would like to allow access to the "protected" portlet. For example:

<portlet class="oracle.portal.provider.v2.DefaultPortletDefinition">
  <id>2</id>
  <name>Protected</name>
  ...
  <callIsRunnable>true</callIsRunnable>
  <callGetPortlet>true</callGetPortlet>
  <renderer class="oracle.portal.provider.v2.render.RenderManager">
    <renderContainer>true</renderContainer>
    <contentType>text/html</contentType>
    <showPage>/htdocs/oid/protected.jsp</showPage>
  </renderer>
  <securityManager class="oracle.portal.provider.v2.security.GroupSecurityManager">
      <group>cn=group1,cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com</group>
      <group>cn=group2,cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com</group>
  </securityManager>
</portlet>

Note: You can easily determine the dn of a Portal User Group by doing the following:

  1. Log on to the Portal as an administrator.
  2. In the Portal sub-tab in the Administer tab on the Builder Page, select Global Settings in the Services portlet.
  3. Select the SSO/OID tab.
  4. Find the field marked Group Creation Base DN and note its current value (e.g. cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com).
  5. The dn of any Portal User Group can be found by concatenating the following in order

So for example, if the Group Creation Base DN on the global settings page is cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com the dn for the AUTHENTICATED_USERS group would be cn=authenticated_users,cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com.

If you define multiple groups for a single GroupSecurityManager the portlet will be accessible to users who are members of at least one of the specified groups. Users who are not members of any of the groups will be denied access to the portlet.
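The group DN derivation and the access rule described above, as an added Python example that is not part of the PDK. It reads a provider.xml fragment constructed from the Protected portlet listing above, flags the callIsRunnable/callGetPortlet settings and missing <group> entries, and decides access the way the text describes (member of at least one group); DN comparison is case-insensitive, which is an assumption based on the cn attribute's caseIgnoreMatch rule.

```python
# Added example (not PDK code): apply the GroupSecurityManager rule described above
# to a provider.xml fragment constructed from the page's Protected portlet listing.
import xml.etree.ElementTree as ET
GROUP_SM = "oracle.portal.provider.v2.security.GroupSecurityManager"
BASE_DN = "cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com"  # Group Creation Base DN
PROVIDER_XML = """<provider>
<portlet class="oracle.portal.provider.v2.DefaultPortletDefinition">
  <name>Protected</name>
  <callIsRunnable>true</callIsRunnable>
  <callGetPortlet>true</callGetPortlet>
  <securityManager class="oracle.portal.provider.v2.security.GroupSecurityManager">
      <group>cn=group1,cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com</group>
      <group>cn=group2,cn=portal.xxxxxx.yyyy,cn=groups,dc=uk,dc=oracle,dc=com</group>
  </securityManager>
</portlet>
</provider>"""

def group_dn(group_name, base_dn=BASE_DN):
    """DN of a Portal user group: cn=<name in lower case>,<Group Creation Base DN>."""
    return f"cn={group_name.lower()},{base_dn}"

def normalize_dn(dn):
    """Assumed: DNs compare case-insensitively (cn uses caseIgnoreMatch), ignoring RDN spacing."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def find_portlet(xml_text, portlet_name):
    for portlet in ET.fromstring(xml_text).iter("portlet"):
        if portlet.findtext("name") == portlet_name:
            return portlet

def group_manager(portlet):
    """The portlet's <securityManager> if it is a GroupSecurityManager, else None."""
    sm = portlet.find("securityManager") if portlet is not None else None
    return sm if sm is not None and sm.get("class") == GROUP_SM else None

def check_portlet(xml_text, portlet_name):
    """Problems the page warns about: missing registration-time checks or no <group> entries."""
    portlet, problems = find_portlet(xml_text, portlet_name), []
    for flag in ("callIsRunnable", "callGetPortlet"):
        if (portlet.findtext(flag) or "").strip().lower() != "true":
            problems.append(f"{flag} must be true for the check to run at registration")
    sm = group_manager(portlet)
    if sm is None or not sm.findall("group"):
        problems.append("no GroupSecurityManager <group> entries: nobody is granted access")
    return problems

def is_allowed(xml_text, portlet_name, user_groups):
    """Grant access if the user is in at least one configured group; no groups means denied."""
    sm = group_manager(find_portlet(xml_text, portlet_name))
    allowed = {normalize_dn(g.text) for g in sm.findall("group")} if sm is not None else set()
    return any(normalize_dn(g) in allowed for g in user_groups)
```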

Viewing the portlets

To view the sample portlets you must do the following:

Once you have created your portal page, you should be able to view the portlets. Try logging in as different users or not logging in at all and view the page. The "Contact" portlet will display different information depending on the user that is logged on. The "Protected" portlet will only be shown when you log into OracleAS Portal as a user who is of a group you specified when configuring the GroupSecurityManager.

Revision History:
Revision No Last Update
1.0 March 19, 2003
1.1 October 20, 2003