Enhancing Java Portlets 7-53 throw new PortletExceptionio; } Cancel automatically redirects to the page, so will only recieve OK or APPLY if action = null { data.setPortletTitletitle; data.putStringstock,stock; try { PortletRendererUtil.submitEditDatarequest, data; } catchIOException ioe { throw new PortletExceptionioe; } return; } Otherwise just render the form title = data.getPortletTitle; stock = data.getStringstock; out.printtable border=0 tr ; out.printlntd width=20 p align=rightTitle:ptd td width=80; out.printinput type=TEXT name= + HttpPortletRendererUtil.portletParameterprr, myportlet_title + value= + title + ; out.printlntd tr; out.printtr td width=20 p align=rightStock Codes:ptd td width=80; out.printinput type=TEXT name= + HttpPortletRendererUtil.portletParameterprr, myportlet_stock + value= + stock + ; out.printlnbr For example use US Stock Codes separated by comma: i SUNW,IBM,ORCLi; out.printtd tr; out.printlntable; } } 3. Create the following class, NetXmethodsServicesStockquoteStockQuoteServiceStub.java, for your stock portlet: package oracle.portal.sample.v2.devguide.webservices; import oracle.soap.transport.http.OracleSOAPHTTPConnection; import org.apache.soap.encoding.SOAPMappingRegistry; import java.net.URL; import org.apache.soap.rpc.Call; import org.apache.soap.Constants; import java.util.Vector; import org.apache.soap.rpc.Parameter; import org.apache.soap.rpc.Response; import org.apache.soap.Fault; import org.apache.soap.SOAPException; import java.util.Properties; public class NetXmethodsServicesStockquoteStockQuoteServiceStub { public NetXmethodsServicesStockquoteStockQuoteServiceStub { 7-54 Oracle Fusion Middleware Developers Guide for Oracle Portal m_httpConnection = new OracleSOAPHTTPConnection; m_smr = new SOAPMappingRegistry; } private String _endpoint = http:64.124.140.30:9090soap; public String getEndpoint { return _endpoint; } public void setEndpointString endpoint { _endpoint = endpoint; } private OracleSOAPHTTPConnection m_httpConnection = null; private SOAPMappingRegistry m_smr = null; public Float getQuoteString symbol throws Exception { Float returnVal = null; URL endpointURL = new URL_endpoint; Call call = new Call; call.setSOAPTransportm_httpConnection; call.setTargetObjectURIurn:xmethods-delayed-quotes; call.setMethodNamegetQuote; call.setEncodingStyleURIConstants.NS_URI_SOAP_ENC; Vector params = new Vector; params.addElementnew Parametersymbol, String.class, symbol, null; call.setParamsparams; call.setSOAPMappingRegistrym_smr; Response response = call.invokeendpointURL, urn:xmethods-delayed-quotesgetQuote; if response.generatedFault { Parameter result = response.getReturnValue; returnVal = Floatresult.getValue; } else { Fault fault = response.getFault; throw new SOAPExceptionfault.getFaultCode, fault.getFaultString; } return returnVal; } public void setMaintainSessionboolean maintainSession { m_httpConnection.setMaintainSessionmaintainSession; } public boolean getMaintainSession { return m_httpConnection.getMaintainSession; } public void setTransportPropertiesProperties props { m_httpConnection.setPropertiesprops; } public Properties getTransportProperties { return m_httpConnection.getProperties; } } Enhancing Java Portlets 7-55 4. Create a Web provider through provider.xml for this portlet. Notice the use of the preferenceStore element to allow for the storing of personalizations: provider class=oracle.portal.provider.v2.DefaultProviderDefinition sessionfalsesession passAllUrlParamsfalsepassAllUrlParams preferenceStore class=oracle.portal.provider. v2.preference.FilePreferenceStore nameprefStore1name useHashingtrueuseHashing preferenceStore portlet class=oracle.portal.provider.v2.DefaultPortletDefinition id1id nameMyStockPortletname titleMy Stock Portlettitle descriptionSimple Stock Portlet to show Export and Import feature of web providersdescription timeout80timeout showEditToPublicfalseshowEditToPublic hasAboutfalsehasAbout showEditfalseshowEdit hasHelpfalsehasHelp showEditDefaulttrueshowEditDefault showDetailsfalseshowDetails renderer class=oracle.portal.provider.v2.render.RenderManager renderContainertruerenderContainer renderCustomizetruerenderCustomize autoRedirecttrueautoRedirect contentTypetexthtmlcontentType showPage class=oracle.portal.sample.v2. devguide.tx.MyStockPortletShowRenderer editDefaultsPage class=oracle.portal.sample.v2.devguide.tx. MyStockPortletEditDefaultsRenderer renderer personalizationManager class=oracle.portal.provider.v2.personalize. PrefStorePersonalizationManager dataClassoracle.portal.provider.v2.personalize. NameValuePersonalizationObject dataClass personalizationManager portlet provider For more information on the syntax of provider.xml, refer to the provider Javadoc on OTN: http:www.oracle.comtechnologyproductsiasportalhtmljavadocx ml_tag_reference_v2.html 5. Register this export-enabled provider with the source Oracle Portal instance. For more information about registering Web providers, refer to Section 6.5.5, Registering and Viewing Your Oracle PDK-Java Portlet . Note: If the Web provider is running in a secured environment, remember to provide the proxy host and port while starting up Oracle WebLogic Server. For example: JAVA_OPTIONS=“-Dhttp.proxyHost=www-proxy.us.oracle.com -Dhttp.proxyPort=80 7-56 Oracle Fusion Middleware Developers Guide for Oracle Portal

6. Create two regions on a sample page and add My Stock Portlet to the first region.

For information on creating regions and pages, refer to the Oracle Fusion Middleware Users Guide for Oracle Portal. 7. Edit the page and click the Edit Defaults icon for My Stock Portlet. Choose the stock codes SUNW,IBM,ORCL. For more information on how to edit defaults for a portlet on a page, refer to the Oracle Fusion Middleware Users Guide for Oracle Portal.

8. Add My Stock Portlet to a second region and again edit the defaults. Use a

different stock code this time, MSFT. 9. Export the page group containing this page. For instructions on how to export a page group, refer to Chapter 10, Exporting and Importing Content, in the Oracle Fusion Middleware Administrators Guide for Oracle Portal. 10. Import the page group into a target Oracle Portal instance. For instructions on how to import a page group, refer to Chapter 10, Exporting and Importing Content, in the Oracle Fusion Middleware Administrators Guide for Oracle Portal. 11. View the page with My Stock Portlet in the target Oracle Portal instance and ensure that the personalizations were maintained.

7.2.8.3 Implementing Security for ExportImport

Transporting personalizations can present a security concern if your portlet stores sensitive data and is not operating in a secured environment. At the provider and portlet level, Oracle Portal provides several ways for you to secure the export and subsequent import of portlet personalizations. To better secure portlets and providers for exportation and importation, you can take the following actions: ■ Section 7.2.8.3.1, Securing Provider Communications . Using Oracle Portal configuration options, you can secure the communications between providers and Oracle Portal. This step in turn makes the export and import of portlets more secure. ■ Section 7.2.8.3.2, Disabling ExportImport of Personalizations . You can disable the export of all portlet personalization data for each Web application. This method provides the greatest security but only at a significant cost in functionality because it prevents administrators from retaining their default personalizations when the portlet is moved. ■ Section 7.2.8.3.3, Obfuscating Data for Transport Automatic . By default, Oracle Portal obfuscates but does not encrypt personalization data before transporting it. ■ Section 7.2.8.3.4, Encrypting Personalization Data for Transport . You may want to encrypt personalization data for transport if any of the following are true: – Your Web provider connection is not secured using HTTPS. – You want to ensure the data is secured during transit. – You want the data to remain secure while stored in the Oracle Portal instance. ■ Section 7.2.8.3.5, Exporting by Reference . Instead of including portlet personalization data directly in the transport set, you can include it by reference in the transport set. Because the data itself is not present in the transport set, export by reference is the most secure way of transporting personalizations.

7.2.8.3.1 Securing Provider Communications If the security of exportingimporting

portlets is of concern to you, you should configure Oracle Portal to secure Enhancing Java Portlets 7-57 communications with your portlet providers. The chief mechanisms for securing provider communications in Oracle Portal are as follows: ■ Message authentication through a Hashed Message Authentication Code HMAC algorithm. For more information on message authentication for providers, refer to Section 6.1.7.8, Message Authentication, in the Oracle Fusion Middleware Administrators Guide for Oracle Portal. ■ HTTPS between providers and Oracle Portal. For more information on HTTPS for provider communications, refer to Section 6.1.7.9, HTTPS Communication, in the Oracle Fusion Middleware Administrators Guide for Oracle Portal.

7.2.8.3.2 Disabling ExportImport of Personalizations The JNDI variable,

oracleportalproviderglobaltransportEnabled, controls whether to allow the exportation and importation of personalizations. If you set the variable to true, personalizations are transported as part of export and import. If you set it to false, they are not transported. You can set JNDI variables for PDK-Java through a Deployment Plan set on the PDK-Java web application in the Oracle WebLogic Server. This can be done using the WebLogic Server Administration Console. Deployment Plans allow for easy modification of an applications configuration, without modifying the packaged deployment descriptor files. After setting up the Deployment Plan, you can make manual changes to it for the JNDI variable within the pre-existing WEB-INFweb.xml module descriptor, like the following: module-descriptor external=false root-elementweb-approot-element uriWEB-INFweb.xmluri variable-assignment nameprovider_transportEnabledname xpathweb-appenv-entry[env-entry-name=quot;oracleportalproviderglobaltran sportEnabledquot;]env-entry-valuexpath variable-assignment module-descriptor The variable definition of this variable assignment is made directly under the deployment-plan tag, and will look like: variable-definition variable nameprovider_transportEnabledname valuefalsevalue variable variable-definition This sets oracleportalproviderglobaltransportEnabled to false.

7.2.8.3.3 Obfuscating Data for Transport Automatic By default, personalization data is

encoded Base64. This encoding ensures that data is obfuscated during transport. You do not need to take any actions to leverage Base64 encoding as it is provided by Note: You cannot use certificates for the HTTPS communication with providers. See: Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server 7-58 Oracle Fusion Middleware Developers Guide for Oracle Portal default. However, if you want greater security, you can encrypt the data. Refer to Section 7.2.8.3.4, Encrypting Personalization Data for Transport . 7.2.8.3.4 Encrypting Personalization Data for Transport By implementing the oracle.portal.provider.v2.security.CipherManager class for your provider, you can encrypt the personalization data prior to exporting it. Upon import, the cipher manager is invoked again to decrypt the data. Refer to Section 7.2.8.3.6, Encrypting Personalization Data Example .

7.2.8.3.5 Exporting by Reference As mentioned previously, the default behavior for

exporting of portlets is to include the actual personalization data in the transport set. For a more secure transport, you can code your portlet such that the personalizations are exported using pointers rather than by including the actual preference data. When the transport set is imported, the target Oracle Portal instance sends the pointer back to the Web provider, which then has the opportunity to reassociate the actual data with the new portlet instance. Refer to Section 7.2.8.3.7, Exporting by Reference Example .

7.2.8.3.6 Encrypting Personalization Data Example To encrypt personalization data in your

Web provider, you need to create your own cipher manager and associate it with your portlet provider. This example provides a simple, insecure cipher manager for illustrative purposes only. To implement a secure implementation of the cipher manager for your production system, you would need to significantly extend this sample. Some of the issues you would need to consider for a production implementation are as follows: ■ Do not hold the key object in memory. Read it from a persistent store as necessary. ■ Use the providers PreferenceStore API supported by a DBPreferenceStore to work in the clustered case. ■ On import, if the cipher manager instance obtained from provider.xml matches the class name returned in the SOAP message, that CipherManager instance is used to perform the decryption. Hence, the instance maintained in the portletprovider definition may be configured using any applicable means for example, tags in provider.xml or JNDI variable and that configuration is reused on import. To encrypt personalization data in your Web provider, do the following: Note: If you choose to encrypt your Web providers for export using the cipher manager, you must also devise your own key management strategy for the encryption algorithm. Note: When exporting across security zones, exporting by reference may not work effectively. In general, you should only employ export by reference when transporting within the same general security environment. Note: The following sample is for illustrative purposes only. You would need to significantly enhance it for use in a production environment.