Handling Authentication Oracle Fusion Middleware Online Documentation Library

Managing WebCenter Portal Application Security 27-3
27-4 Oracle Fusion Middleware Administrators Guide for Oracle WebCenter

Figure 27–3 WebCenter Security Layers

WebCenter Portal applications and WebCenter Spaces share the same four bottom security layers: WebCenter Security Framework, ADF Security, OPSS, and WebLogic Server Security. The application layer will, of course, depend on the implementation.

WebCenter Application Security

WebCenter provides support for:
■ Application role management and privilege mapping
■ Self-registration
■ Group space security management
■ Account management
■ External application credential management

WebCenter Security Framework

WebCenter Security Framework provides support for:
■ Service Security Extension Framework (a common permission-based and role-mapping based model for specifying the security model for services)
■ Permission-based authorization
■ Role-mapping based authorization
■ External applications and credential mapping

ADF Security

ADF Security provides support for:
■ Page authorization
■ Task flow authorization
■ Secure connection management
■ Credential mapping APIs
■ Logout invocation, including logout from SSO-enabled configurations with Oracle Access Manager and Oracle SSO
■ Secured login URL for ADF Security-based applications (the adfAuthentication servlet)

Oracle Platform Security Services (OPSS)

OPSS provides support for:
■ Anonymous-role support
■ Authenticated-role support
■ Identity store, policy store, and credential store
■ Identity Management Services
■ Oracle Web Service Manager Security

WebLogic Server Security

WebLogic Server Security provides support for:
■ WebLogic authenticators
■ Identity asserters
■ J2EE container security
■ SSL

27.2 Default Security Configuration

This section describes the security configuration that is in place when WebCenter Portal applications and WebCenter Spaces are deployed, and the tasks that must be carried out after deployment:
■ Section 27.2.1, Administrator Accounts
■ Section 27.2.2, Application Roles and Enterprise Roles
■ Section 27.2.3, Default Identity and Policy Stores
■ Section 27.2.4, Default Policy Store Permissions and Grants
■ Section 27.2.5, Post-deployment Security Configuration Tasks

27.2.1 Administrator Accounts

WebCenter Portal applications do not contribute any pre-seeded accounts, and therefore rely on the Fusion Middleware administrator account (weblogic by default) that is set up when Fusion Middleware is installed. Use this administrator account to log into Fusion Middleware Control and set up new accounts. Although WebCenter Spaces does not contribute any pre-seeded accounts, there are certain pre-seeded grants that are given to the default Fusion Middleware administrator account (weblogic) for the WebCenter Spaces application. If your installation does not use weblogic as the account name for the Fusion Middleware administrator role, you must configure one or more other users for this role as described in Section 28.4.1, Granting the WebCenter Spaces Administrator Role.

27.2.2 Application Roles and Enterprise Roles

Application roles differ from roles that appear in the identity store portion of the embedded LDAP server or in roles defined by the enterprise LDAP provider. Application roles are specific to an application and defined in an application-specific stripe of the policy store. Enterprise roles, which are stored in the enterprise identity store, apply at the enterprise level. That is, the roles and permissions that you or a system administrator define within the enterprise identity store do not imply permissions within an application.

Within WebCenter Spaces or a WebCenter Portal application you can assign application roles and permissions to users in the corporate identity store. You can also assign application roles and permissions to enterprise roles defined in the enterprise identity store.

27.2.3 Default Identity and Policy Stores

By default, WebCenter applications are configured to use a file-based embedded LDAP identity store to store application-level user IDs, and a file-based LDAP policy store to store policy grants.

Although secure, the embedded LDAP identity store is not a production-class store and should be replaced with an external LDAP-based identity store such as Oracle Internet Directory for enterprise production environments. For a list of supported identity store LDAP servers, see Supported LDAP Identity Store Types in the Oracle Fusion Middleware Security Guide.

The default file-based policy store can only be used for single-node WebCenter Spaces configurations. For multi-node configurations, you must reassociate the policy and credential store with an external LDAP-based store as described in Chapter 29, Configuring the Policy and Credential Store. The policy and credential stores can use either Oracle Internet Directory 11gR1 or 10.1.4.3, or Oracle RDBMS releases 10.2.0.4 or later; releases 11.1.0.7 or later; and releases 11.2.0.1 or later. Note that when using an external LDAP-based store, the policy and credential stores must use the same LDAP server. Similarly, when using a database, the policy and credential stores must use the same database.

For more information about the supported identity store and policy and credential store configurations, see Supported LDAP-, DB-, and File-Based Services in the Oracle Fusion Middleware Security Guide. For more information on reconfiguring the identity, policy and credential stores, see Chapter 28, Configuring the Identity Store and Chapter 29, Configuring the Policy and Credential Store.

Note: By default, Oracle WebCenter Discussions is configured to use the embedded LDAP identity store: all users in the embedded LDAP store can log on to the discussions server, and all users in the Administrators group have administrative privileges on Oracle WebCenter Discussions. If you reassociate the identity store with an external LDAP server, you must either move the Fusion Middleware administrator account to the external LDAP as described in Section 28.5, Moving the Administrator Account to an External LDAP Server, or, if you choose not to move the administrator account, you must perform some additional steps to identify the new administrator account for the discussions server as described in Section 28.5.1, Migrating the WebCenter Discussions Server to Use an External LDAP. For WebCenter Spaces, both WebCenter Spaces and Oracle Content Server must share the same LDAP server. For more information, see Section 28.6, Configuring the Oracle Content Server to Share the WebCenter Spaces Identity Store LDAP Server.

27.2.3.1 File-based Credential Store

The out-of-the-box credential store is wallet-based (that is, file-based) and is contained in the file cwallet.sso. The location of this file is specified in the Oracle Platform Security configuration file jps-config.xml. When you reassociate the policy store to an LDAP directory, the application credentials are automatically migrated to the same LDAP directory as the policy store.
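As an added illustration that is not taken from the guide or from a real domain, the jps-config.xml fragment below shows how the credential store location is expressed: the default file-based instance, whose location="./" places cwallet.sso next to jps-config.xml, and an LDAP-backed policy store and credential store pair of the kind produced by reassociation to Oracle Internet Directory, pointing at the same ldap.url as the guide requires. The host, port, root name and farm name are placeholders, and the exact property set is an assumption based on the OPSS configuration format rather than something this page states.

```xml
<!-- Constructed jps-config.xml fragment for illustration only; unrelated
     service instances (identity store, keystore, audit, ...) are omitted. -->
<jpsConfig>
  <serviceInstances>

    <!-- Out-of-the-box file-based stores. location="./" means the wallet
         file cwallet.sso lives in the same directory as jps-config.xml. -->
    <serviceInstance name="credstore" provider="credstoressp" location="./">
      <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider"
                     location="./system-jazn-data.xml">
      <description>File Based Policy Store Service Instance</description>
    </serviceInstance>

    <!-- LDAP-backed stores after reassociation. The policy and credential
         stores must use the same LDAP server, so ldap.url, root name and
         farm name are identical in both instances. The values below
         (ldap.example.com:3060, cn=jpsroot, cn=wls-jrfServer) are placeholders.
         bootstrap.security.principal.key names the bind credential held in
         the bootstrap wallet, so the LDAP bind password never appears here. -->
    <serviceInstance name="policystore.ldap" provider="ldap.policystore.provider">
      <property name="policystore.type" value="OID"/>
      <property name="bootstrap.security.principal.key" value="bootstrap"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
      <property name="oracle.security.jps.farm.name" value="cn=wls-jrfServer"/>
      <property name="ldap.url" value="ldap://ldap.example.com:3060"/>
    </serviceInstance>
    <serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
      <property name="bootstrap.security.principal.key" value="bootstrap"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
      <property name="oracle.security.jps.farm.name" value="cn=wls-jrfServer"/>
      <property name="ldap.url" value="ldap://ldap.example.com:3060"/>
    </serviceInstance>

  </serviceInstances>

  <!-- The default context selects which pair is live. A single-node default
       domain references the file-based instances; after reassociation both
       refs are switched together to policystore.ldap and credstore.ldap. -->
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="policystore.xml"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
```

When checking a domain, confirm that the two serviceInstanceRef entries in the default context resolve to the same store type and, for LDAP, the same ldap.url; a mismatch is the misconfiguration the same-server requirement above is meant to rule out.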

27.2.4 Default Policy Store Permissions and Grants

The ADF Security permissions model supports both permission-based and role-based authorization. These two types of authorization, and the default Policy Store permissions and code-based grants, are discussed in the following sections:
■ Section 27.2.4.1, Permission-based Authorization
■ Section 27.2.4.2, Role-mapping Based Authorization
■ Section 27.2.4.3, Default Policy Store Permissions for WebCenter Spaces
■ Section 27.2.4.4, Default Code-based Grants

27.2.4.1 Permission-based Authorization

Permission-based authorization is used for services, such as Lists, where access control is implemented within the WebCenter application using Oracle Platform Security Services (OPSS). WebCenter Spaces provides extensive user and role management tools with which you can create application roles, and define what permissions should be granted to those roles. For information on managing users and roles in WebCenter Spaces, see Managing Application Roles and Permissions in Oracle Fusion Middleware Users Guide for Oracle WebCenter.

27.2.4.2 Role-mapping Based Authorization

Services that need to access remote back-end resources require role-mapping based authorization. For example, for the Discussions service, role mapping is required when the users of a WebCenter application (who map to one or more group space roles) must be mapped to another set of roles on the Oracle WebCenter Discussions Server. In WebCenter Spaces:
■ WebCenter Spaces roles are mapped to corresponding roles on the Oracle WebCenter Discussions Server.
■ When a user is granted a new WebCenter Spaces role, a corresponding privilege is granted in the back-end server. For example, when user Pat is granted Discussions-CreateEditDelete permissions in WebCenter Spaces, Pat is granted corresponding permissions in the back-end discussions server.

See also, Understanding Discussions Server Role and Permission Mapping in Oracle Fusion Middleware Users Guide for Oracle WebCenter.

27.2.4.3 Default Policy Store Permissions for WebCenter Spaces

Out-of-the-box, WebCenter Spaces provides the following default roles:

Default application roles:
■ Administrator
■ Authenticated-User
■ Public-User

For more information about the default application roles, see Default Permissions for Application Roles in the Oracle Fusion Middleware Users Guide for Oracle WebCenter.