Enhancing Java Portlets 7-53
throw new PortletExceptionio; }
Cancel automatically redirects to the page, so will only recieve OK or APPLY
if action = null {
data.setPortletTitletitle; data.putStringstock,stock;
try {
PortletRendererUtil.submitEditDatarequest, data; }
catchIOException ioe {
throw new PortletExceptionioe; }
return; }
Otherwise just render the form title = data.getPortletTitle;
stock = data.getStringstock; out.printtable border=0 tr ;
out.printlntd width=20 p align=rightTitle:ptd td width=80;
out.printinput type=TEXT name= + HttpPortletRendererUtil.portletParameterprr, myportlet_title
+ value= + title + ; out.printlntd tr;
out.printtr td width=20 p align=rightStock Codes:ptd td width=80;
out.printinput type=TEXT name= + HttpPortletRendererUtil.portletParameterprr, myportlet_stock
+ value= + stock + ; out.printlnbr For example use US Stock Codes separated by comma:
i SUNW,IBM,ORCLi; out.printtd tr;
out.printlntable; }
}
3.
Create the following class, NetXmethodsServicesStockquoteStockQuoteServiceStub.java, for
your stock portlet:
package oracle.portal.sample.v2.devguide.webservices; import oracle.soap.transport.http.OracleSOAPHTTPConnection;
import org.apache.soap.encoding.SOAPMappingRegistry; import java.net.URL;
import org.apache.soap.rpc.Call; import org.apache.soap.Constants;
import java.util.Vector; import org.apache.soap.rpc.Parameter;
import org.apache.soap.rpc.Response; import org.apache.soap.Fault;
import org.apache.soap.SOAPException; import java.util.Properties;
public class NetXmethodsServicesStockquoteStockQuoteServiceStub {
public NetXmethodsServicesStockquoteStockQuoteServiceStub {
7-54 Oracle Fusion Middleware Developers Guide for Oracle Portal
m_httpConnection = new OracleSOAPHTTPConnection; m_smr = new SOAPMappingRegistry;
} private String _endpoint = http:64.124.140.30:9090soap;
public String getEndpoint {
return _endpoint; }
public void setEndpointString endpoint {
_endpoint = endpoint; }
private OracleSOAPHTTPConnection m_httpConnection = null; private SOAPMappingRegistry m_smr = null;
public Float getQuoteString symbol throws Exception {
Float returnVal = null; URL endpointURL = new URL_endpoint;
Call call = new Call; call.setSOAPTransportm_httpConnection;
call.setTargetObjectURIurn:xmethods-delayed-quotes; call.setMethodNamegetQuote;
call.setEncodingStyleURIConstants.NS_URI_SOAP_ENC; Vector params = new Vector;
params.addElementnew Parametersymbol, String.class, symbol, null; call.setParamsparams;
call.setSOAPMappingRegistrym_smr; Response response = call.invokeendpointURL,
urn:xmethods-delayed-quotesgetQuote; if response.generatedFault
{ Parameter result = response.getReturnValue;
returnVal = Floatresult.getValue; }
else {
Fault fault = response.getFault; throw new SOAPExceptionfault.getFaultCode, fault.getFaultString;
} return returnVal;
} public void setMaintainSessionboolean maintainSession
{ m_httpConnection.setMaintainSessionmaintainSession;
} public boolean getMaintainSession
{ return m_httpConnection.getMaintainSession;
} public void setTransportPropertiesProperties props
{ m_httpConnection.setPropertiesprops;
} public Properties getTransportProperties
{ return m_httpConnection.getProperties;
} }
Enhancing Java Portlets 7-55
4.
Create a Web provider through provider.xml for this portlet. Notice the use of the preferenceStore element to allow for the storing of personalizations:
provider class=oracle.portal.provider.v2.DefaultProviderDefinition sessionfalsesession
passAllUrlParamsfalsepassAllUrlParams preferenceStore class=oracle.portal.provider.
v2.preference.FilePreferenceStore nameprefStore1name
useHashingtrueuseHashing preferenceStore
portlet class=oracle.portal.provider.v2.DefaultPortletDefinition id1id
nameMyStockPortletname titleMy Stock Portlettitle
descriptionSimple Stock Portlet to show Export and Import feature of web providersdescription
timeout80timeout showEditToPublicfalseshowEditToPublic
hasAboutfalsehasAbout showEditfalseshowEdit
hasHelpfalsehasHelp showEditDefaulttrueshowEditDefault
showDetailsfalseshowDetails renderer class=oracle.portal.provider.v2.render.RenderManager
renderContainertruerenderContainer renderCustomizetruerenderCustomize
autoRedirecttrueautoRedirect contentTypetexthtmlcontentType
showPage class=oracle.portal.sample.v2. devguide.tx.MyStockPortletShowRenderer
editDefaultsPage class=oracle.portal.sample.v2.devguide.tx. MyStockPortletEditDefaultsRenderer
renderer personalizationManager class=oracle.portal.provider.v2.personalize.
PrefStorePersonalizationManager dataClassoracle.portal.provider.v2.personalize.
NameValuePersonalizationObject dataClass
personalizationManager portlet
provider
For more information on the syntax of provider.xml, refer to the provider Javadoc on OTN:
http:www.oracle.comtechnologyproductsiasportalhtmljavadocx ml_tag_reference_v2.html
5.
Register this export-enabled provider with the source Oracle Portal instance. For more information about registering Web providers, refer to
Section 6.5.5, Registering and Viewing Your Oracle PDK-Java Portlet
.
Note: If the Web provider is running in a secured environment,
remember to provide the proxy host and port while starting up Oracle WebLogic Server. For example:
JAVA_OPTIONS=“-Dhttp.proxyHost=www-proxy.us.oracle.com -Dhttp.proxyPort=80
7-56 Oracle Fusion Middleware Developers Guide for Oracle Portal
6. Create two regions on a sample page and add My Stock Portlet to the first region.
For information on creating regions and pages, refer to the Oracle Fusion Middleware Users Guide for Oracle Portal.
7.
Edit the page and click the Edit Defaults icon for My Stock Portlet. Choose the stock codes SUNW,IBM,ORCL. For more information on how to edit defaults for a
portlet on a page, refer to the Oracle Fusion Middleware Users Guide for Oracle Portal.
8. Add My Stock Portlet to a second region and again edit the defaults. Use a
different stock code this time, MSFT.
9.
Export the page group containing this page. For instructions on how to export a page group, refer to Chapter 10, Exporting and Importing Content, in the Oracle
Fusion Middleware Administrators Guide for Oracle Portal.
10.
Import the page group into a target Oracle Portal instance. For instructions on how to import a page group, refer to Chapter 10, Exporting and Importing Content, in
the Oracle Fusion Middleware Administrators Guide for Oracle Portal.
11.
View the page with My Stock Portlet in the target Oracle Portal instance and ensure that the personalizations were maintained.
7.2.8.3 Implementing Security for ExportImport
Transporting personalizations can present a security concern if your portlet stores sensitive data and is not operating in a secured environment. At the provider and
portlet level, Oracle Portal provides several ways for you to secure the export and subsequent import of portlet personalizations. To better secure portlets and providers
for exportation and importation, you can take the following actions:
■
Section 7.2.8.3.1, Securing Provider Communications . Using Oracle Portal
configuration options, you can secure the communications between providers and Oracle Portal. This step in turn makes the export and import of portlets more
secure.
■
Section 7.2.8.3.2, Disabling ExportImport of Personalizations . You can disable
the export of all portlet personalization data for each Web application. This method provides the greatest security but only at a significant cost in functionality
because it prevents administrators from retaining their default personalizations when the portlet is moved.
■
Section 7.2.8.3.3, Obfuscating Data for Transport Automatic . By default, Oracle
Portal obfuscates but does not encrypt personalization data before transporting it.
■
Section 7.2.8.3.4, Encrypting Personalization Data for Transport . You may want
to encrypt personalization data for transport if any of the following are true:
– Your Web provider connection is not secured using HTTPS.
– You want to ensure the data is secured during transit.
– You want the data to remain secure while stored in the Oracle Portal instance.
■
Section 7.2.8.3.5, Exporting by Reference . Instead of including portlet
personalization data directly in the transport set, you can include it by reference in the transport set. Because the data itself is not present in the transport set, export
by reference is the most secure way of transporting personalizations.
7.2.8.3.1 Securing Provider Communications If the security of exportingimporting
portlets is of concern to you, you should configure Oracle Portal to secure
Enhancing Java Portlets 7-57
communications with your portlet providers. The chief mechanisms for securing provider communications in Oracle Portal are as follows:
■
Message authentication through a Hashed Message Authentication Code HMAC algorithm. For more information on message authentication for providers, refer to
Section 6.1.7.8, Message Authentication, in the Oracle Fusion Middleware Administrators Guide for Oracle Portal.
■
HTTPS between providers and Oracle Portal. For more information on HTTPS for provider communications, refer to Section 6.1.7.9, HTTPS Communication, in the
Oracle Fusion Middleware Administrators Guide for Oracle Portal.
7.2.8.3.2 Disabling ExportImport of Personalizations The JNDI variable,
oracleportalproviderglobaltransportEnabled, controls whether to allow the exportation and importation of personalizations. If you set the variable to
true, personalizations are transported as part of export and import. If you set it to false, they are not transported. You can set JNDI variables for PDK-Java through a
Deployment Plan set on the PDK-Java web application in the Oracle WebLogic Server. This can be done using the WebLogic Server Administration Console. Deployment
Plans allow for easy modification of an applications configuration, without modifying the packaged deployment descriptor files. After setting up the Deployment Plan, you
can make manual changes to it for the JNDI variable within the pre-existing WEB-INFweb.xml module descriptor, like the following:
module-descriptor external=false root-elementweb-approot-element
uriWEB-INFweb.xmluri variable-assignment
nameprovider_transportEnabledname xpathweb-appenv-entry[env-entry-name=quot;oracleportalproviderglobaltran
sportEnabledquot;]env-entry-valuexpath variable-assignment
module-descriptor
The variable definition of this variable assignment is made directly under the deployment-plan tag, and will look like:
variable-definition variable
nameprovider_transportEnabledname valuefalsevalue
variable variable-definition
This sets oracleportalproviderglobaltransportEnabled to false.
7.2.8.3.3 Obfuscating Data for Transport Automatic By default, personalization data is
encoded Base64. This encoding ensures that data is obfuscated during transport. You do not need to take any actions to leverage Base64 encoding as it is provided by
Note: You cannot use certificates for the HTTPS communication with
providers.
See: Oracle Fusion Middleware Deploying Applications to Oracle
WebLogic Server
7-58 Oracle Fusion Middleware Developers Guide for Oracle Portal
default. However, if you want greater security, you can encrypt the data. Refer to Section 7.2.8.3.4, Encrypting Personalization Data for Transport
. 7.2.8.3.4
Encrypting Personalization Data for Transport By implementing the
oracle.portal.provider.v2.security.CipherManager class for your provider, you can encrypt the personalization data prior to exporting it. Upon import,
the cipher manager is invoked again to decrypt the data. Refer to Section 7.2.8.3.6,
Encrypting Personalization Data Example .
7.2.8.3.5 Exporting by Reference As mentioned previously, the default behavior for
exporting of portlets is to include the actual personalization data in the transport set. For a more secure transport, you can code your portlet such that the personalizations
are exported using pointers rather than by including the actual preference data. When the transport set is imported, the target Oracle Portal instance sends the pointer back
to the Web provider, which then has the opportunity to reassociate the actual data with the new portlet instance. Refer to
Section 7.2.8.3.7, Exporting by Reference Example
.
7.2.8.3.6 Encrypting Personalization Data Example To encrypt personalization data in your
Web provider, you need to create your own cipher manager and associate it with your portlet provider. This example provides a simple, insecure cipher manager for
illustrative purposes only. To implement a secure implementation of the cipher manager for your production system, you would need to significantly extend this
sample. Some of the issues you would need to consider for a production implementation are as follows:
■
Do not hold the key object in memory. Read it from a persistent store as necessary.
■
Use the providers PreferenceStore API supported by a DBPreferenceStore to work in the clustered case.
■
On import, if the cipher manager instance obtained from provider.xml matches the class name returned in the SOAP message, that CipherManager instance is
used to perform the decryption. Hence, the instance maintained in the portletprovider definition may be configured using any applicable means for
example, tags in provider.xml or JNDI variable and that configuration is reused on import.
To encrypt personalization data in your Web provider, do the following:
Note: If you choose to encrypt your Web providers for export using
the cipher manager, you must also devise your own key management strategy for the encryption algorithm.
Note: When exporting across security zones, exporting by reference
may not work effectively. In general, you should only employ export by reference when transporting within the same general security
environment.
Note: The following sample is for illustrative purposes only. You
would need to significantly enhance it for use in a production environment.