
Portlet security using JAZN LDAP

When building more complex portlets, where you want to render parts of a page based on the current user's roles, you need more security than Oracle Portal offers. You can use JAAS LDAP to map your application roles to the same OID roles that Portal uses. Here's how to do it:
Define the roles in your web.xml:

  <!-- Authentication -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <!-- Security roles -->
  <security-role>
    <role-name>sr_customer</role-name>
  </security-role>
  <security-role>
    <role-name>sr_partner</role-name>
  </security-role>

And optionally map these roles to URL patterns:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customer_pages</web-resource-name>
      <url-pattern>/customer/*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sr_customer</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>partner_pages</web-resource-name>
      <url-pattern>/partner/*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sr_partner</role-name>
    </auth-constraint>
  </security-constraint>

To make deployment easier, you can also include an orion-application.xml in your META-INF folder that maps the roles to OID groups. For example:

<?xml version='1.0' encoding='windows-1252'?>
<!DOCTYPE orion-application PUBLIC "-//Evermind//DTD J2EE Application runtime 1.2//EN" "http://xmlns.oracle.com/ias/dtds/orion-application.dtd">
<orion-application>
  <security-role-mapping name="sr_customer">
      <group name="iteye/CUSTOMERS"/>
  </security-role-mapping>
  <security-role-mapping name="sr_partner">
      <group name="iteye/PARTNERS"/>
  </security-role-mapping>

  <jazn provider="LDAP" default-realm="iteye" location="ldap://asikkema.iteye.local:389">
      <jazn-web-app auth-method="SSO"/>
  </jazn>
</orion-application>

When you deploy your application, the application roles sr_customer and sr_partner will be mapped to their OID roles (if those exist, of course).

In your servlets you can check whether the user has the right role with:

  if (request.isUserInRole("sr_partner")) {
    // render the partner-only part of the page
  }

Everything above applies to any standard JEE application. When building portlets you also need to make sure that the /providers URL is public; if it is not, the application cannot be registered as a portlet in Oracle Portal. Also, when registering the portlet, make sure to set the user login frequency to “Once per user session” or “Always”.
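The role mapping described above and the requirement that /providers stay public both live in the deployment descriptors, and a mismatch between web.xml and orion-application.xml fails silently at deploy time. The following is an added example, not code from the original post: a small Python check that cross-checks the two files. The embedded web.xml and orion-application.xml are constructed for the example (one role deliberately left unmapped, plus a catch-all constraint); the url-pattern classification follows the Servlet specification's matching rules, and the /providers public-path rule comes from the text above.

```python
"""Cross-check web.xml roles and constraints against the
orion-application.xml role mappings before deploying a portlet.

Added example, not code from the original post. It reports three kinds
of problem: a <security-role> with no <security-role-mapping>, an
<auth-constraint> naming a role that web.xml never declares, and a
constraint whose url-pattern would put /providers behind authentication.
url-patterns are classified by the Servlet specification's rules:
"/x/*" is a path mapping, "*.do" an extension mapping, anything else an
exact match.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: sr_partner is declared but (below) never mapped,
# and a second constraint protects the whole application.
WEB_XML = """<web-app>
  <security-role><role-name>sr_customer</role-name></security-role>
  <security-role><role-name>sr_partner</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customer_pages</web-resource-name>
      <url-pattern>/customer/*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sr_customer</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sr_admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed orion-application.xml: only sr_customer is mapped to an OID group.
ORION_XML = """<orion-application>
  <security-role-mapping name="sr_customer">
    <group name="iteye/CUSTOMERS"/>
  </security-role-mapping>
</orion-application>"""


def pattern_kind(pattern):
    """Classify a url-pattern the way the Servlet spec's matcher does."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def pattern_matches(pattern, path):
    """Return True if the request path falls under the url-pattern."""
    kind = pattern_kind(pattern)
    if kind == "path":
        prefix = pattern[:-2]              # "/customer/*" -> "/customer"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])  # "*.do" -> ".do"
    return path == pattern


def _texts(element, xpath):
    return [(e.text or "").strip() for e in element.findall(xpath)]


def check_descriptors(web_xml, orion_xml, public_paths=("/providers",)):
    """Return a list of human-readable findings; an empty list means clean."""
    web = ET.fromstring(web_xml)
    orion = ET.fromstring(orion_xml)
    declared = set(_texts(web, "security-role/role-name"))
    mapped = {m.get("name") for m in orion.findall("security-role-mapping")}
    findings = []

    # Every declared application role needs an OID group behind it.
    for role in sorted(declared - mapped):
        findings.append(f"role {role} is declared in web.xml but has no "
                        f"security-role-mapping, so no OID group backs it")

    for sc in web.findall("security-constraint"):
        label = ",".join(_texts(sc, "web-resource-collection/web-resource-name")) or "<unnamed>"
        constrained = sc.find("auth-constraint") is not None
        for role in _texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(f"constraint {label} requires role {role}, "
                                f"which web.xml never declares")
        for pat in _texts(sc, "web-resource-collection/url-pattern"):
            if pattern_kind(pat) == "exact" and "*" in pat:
                findings.append(f"constraint {label}: url-pattern {pat} is neither "
                                f"a path nor an extension mapping, so it only "
                                f"matches that literal path")
            if constrained:
                for pub in public_paths:
                    if pattern_matches(pat, pub):
                        findings.append(f"constraint {label}: url-pattern {pat} "
                                        f"puts {pub} behind authentication, so the "
                                        f"application cannot be registered in Portal")
    return findings


if __name__ == "__main__":
    for finding in check_descriptors(WEB_XML, ORION_XML):
        print("WARNING:", finding)
```

Run it against the real descriptors by reading the two files into strings. The url-pattern finding is worth keeping: because the Servlet spec treats a pattern that is neither a path nor an extension mapping as an exact match, a pattern mixing both forms protects far less than it looks like it does.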


2 Responses to “Portlet security using JAZN LDAP”

  1. Tom Hofte Says:

    Thanks Albert! We can also use this now on our project, where we are dealing with the same issue.

  2. interested user Says:

    It is an interesting article, though I’d appreciate it if you could include additional details for some developers like me. For instance, web.xml comes with portlet containers as well as portlets. Not clear which one you meant. Directory structure would be helpful.

    Thanks
    Clip

