27 Managing WebCenter Portal Application Security 27-1 27 Managing WebCenter Portal Application Security This chapter provides an introduction to securing WebCenter Portal applications, and describes the security configuration that is in place when WebCenter Portal applications and WebCenter Spaces are initially deployed. This chapter also includes a troubleshooting section that provides solutions for common security-related configuration issues. This chapter includes the following sections: ■ Section 27.1, Introduction to WebCenter Application Security ■ Section 27.2, Default Security Configuration ■ Section 27.3, Troubleshooting Security Configuration Issues For information about specific aspects of configuring security for WebCenter Portal applications, see: ■ Chapter 28, Configuring the Identity Store ■ Chapter 29, Configuring the Policy and Credential Store ■ Chapter 30, Configuring Single Sign-on ■ Chapter 31, Configuring SSL ■ Chapter 32, Configuring WS-Security ■ Chapter 33, Configuring Security for Portlet Producers ■ Chapter 34, Using WebCenter Portal Administration Console Audience The content of this chapter is intended for Fusion Middleware administrators users granted the Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes. See also, Section 1.8, Understanding Administrative Operations, Roles, and Tools.

27.1 Introduction to WebCenter Application Security

The recommended security model for Oracle WebCenter is based on Oracle ADF Security, which implements the Java Authentication and Authorization Service JAAS model. For more information about Oracle ADF Security, see the Oracle Fusion Middleware Fusion Developers Guide for Oracle Application Development Framework. 27-2 Oracle Fusion Middleware Administrators Guide for Oracle WebCenter Figure 27–1 shows the relationship between a WebCenter application deployment and its services, servers, portlets, portlet producers, its identity, credential and policy stores, and Oracle Enterprise Manager. Figure 27–1 Basic WebCenter Application Architecture The diagram in Figure 27–2 shows a basic WebCenter application after deployment with its back-end server connections. Figure 27–2 WebCenter Application Architecture with Back-end Server Connections The diagram in Figure 27–3 shows the security layers for WebCenter applications. Managing WebCenter Portal Application Security 27-3 Figure 27–3 WebCenter Security Layers WebCenter Portal applications and WebCenter Spaces share the same four bottom security layers WebCenter Security Framework, ADF Security, OPSS, and WebLogic Server Security. The application layer will, of course, depend on the implementation. WebCenter Application Security WebCenter provides support for: ■ Application role management and privilege mapping ■ Self-registration ■ Group space security management ■ Account management ■ External application credential management WebCenter Security Framework WebCenter Security Framework provides support for: ■ Service Security Extension Framework a common permission-based and role-mapping based model for specifying the security model for services ■ Permission-based authorization ■ Role-mapping based authorization ■ External applications and credential mapping ADF Security ADF Security provides support for: ■ Page authorization ■ Task flow authorization ■ Secure connection management ■ Credential mapping APIs ■ Logout invocation, including logout from SSO-enabled configurations with Oracle Access Manager and Oracle SSO ■ Secured login URL for ADF Security-based applications the adfAuthentication servlet Oracle Platform Security Services OPSS OPSS provides support for: ■ Anonymous-role support