Implementing Session Storage You built a portlet using the wizard and successfully added it to a page.
4. Register the provider in Oracle Portal. Ensure that you select the User radio button
and choose a Login Frequency of Once Per Session on the Define Connections page of the wizard. For a reminder on how to register your portlet, refer to Section 6.5.5, Registering and Viewing Your Oracle PDK-Java Portlet .7.2.6.3 Viewing the Portlet
If you have not already added your Java portlet to a page, do so now. Ensure that you perform the following tasks: ■ Set your provider to Once per User Session for the login frequency value. ■ Refresh the provider to accept the new changes. ■ Re-login in case your session is no longer valid.7.2.7 Implementing Portlet Security
This section describes the available security services for your Java portlet. For more detailed information about the PDK classes referred to in this section, refer to the Javadoc on OTN by clicking Java Doc API on the Portlet Development page available at http:www.oracle.comtechnologyproductsiasportalportlet_development_ 10g1014.html7.2.7.1 Assumptions
To perform the tasks in this section, we are making the following assumptions: 1. You have followed through and understood Section 6.5, Building Oracle PDK-Java Portlets with Oracle JDeveloper . 2. You built a portlet using the wizard and successfully added it to a page.7.2.7.2 Introduction to Portlet Security Features
This section introduces the major features that are available to secure your portlet providers.7.2.7.2.1 Authentication When a user first logs in to an Oracle Portal instance, they
must enter their password to verify their identity and obtain access. This authentication is performed by OracleAS Single Sign-On Server server. Refer to Section 7.2.7.3, Single Sign-On for more information. Once the user’s identity is passed to the provider in shown requests, the provider code has access to the authenticated users identity from the PortletRenderRequest that is available from the HttpServletRequest object as follows: 7-36 Oracle Fusion Middleware Developers Guide for Oracle Portal PortletRenderRequest pr = PortletRenderRequestrequest.getAttribute HttpCommonConstants.PORTLET_RENDER_REQUEST; String userName = pr.getUser.getName; Refer to Oracle Fusion Middleware Administrators Guide for Oracle Portal for more information.7.2.7.2.2 Authorization Authorization determines if a particular user may view or
interact with a portlet. Oracle Portal provides the following two types of authorization checking: ■ Portal Access Control Lists ACLs: After a user is authenticated by OracleAS Single Sign-On Server, Oracle Portal uses ACLs to determine what privileges that user has to perform actions on portal objects, such as folders and portlets. The actions available to a user can range from simply viewing an object to performing administrative functions on it. If a user does not belong to a group that has been granted a specific privilege, Oracle Portal prevents that user from performing the actions associated with that privilege. Refer to Section 7.2.7.4, Oracle Portal Access Control Lists ACLs for more information. ■ Programmatic Portlet Security: You can also implement your own security manager programmatically. Refer to Section 7.2.7.5, Portlet Security Managers for more information.7.2.7.2.3 Communication Security To this point, we have covered user authentication
and authorization, which do not check the authenticity of messages received by a provider. The following measures can be used to properly secure communication between a portal and a web provider: ■ Oracle Portal Server Authentication restricts access to a provider to a small number of recognized machines. This method compares the IP address or the host name of an incoming HTTP message with a list of trusted hosts. If the IP address or host name is in the list, the message is passed to the provider. If not, it is rejected before reaching the provider. Refer to Section 7.2.7.6, Oracle Portal Server Security for more information. ■ Message Authentication uses a shared key to assert the Portal client identity and to prevent message tampering. Refer to Section 7.2.7.7, Message Authentication for more information. ■ Message Encryption encrypts message contents. Refer to Section 7.2.7.8, HTTPS Communication for more information. ■ User Input Escape causes Oracle Portal to escape any user input strings and treat them as text only to protect against XSS attacks, where an attacker attempts to pass in malicious scripts through user input forms. Refer to Section 7.2.7.10, User Input Escape for more information. For more information about communication security, refer to the Oracle Fusion Middleware Administrators Guide for Oracle Portal.7.2.7.3 Single Sign-On
Portlets act as windows into an application. They display summary information and provide a way to access the full functionality of the application. Portlets expose application functionality directly in the portal or provide deep links that take you to the application itself to perform a task. An application may need to authenticate the user accessing the application through the portlet. Following are the possible application authentication methods: Enhancing Java Portlets 7-37 ■ Section 7.2.7.3.1, Partner Application . In this case, the application user is the same authenticated user used by Oracle Portal. ■ Section 7.2.7.3.2, External Application . In this case, the Oracle Portal user is different from the application user, but the application user name and password are managed by the Oracle Portal user. ■ Section 7.2.7.3.3, No Application Authentication . In this case, the communication between provider and Oracle Portal is not protected at all. For more information about Single Sign-On, refer to the Oracle Fusion Middleware Administrators Guide for Oracle Portal.7.2.7.3.1 Partner Application A partner application is an application that shares the
same OracleAS Single Sign-On Server as Oracle Portal for its authentication. Thus, when a user is already logged in to Oracle Portal, their identity can be asserted to the partner application without them having to log in again. Partner applications are tightly integrated with OracleAS Single Sign-On Server. When a user attempts to access a partner application, the partner application delegates the authentication of the user to OracleAS Single Sign-On Server. Once a user is authenticated that is, has provided a valid user name and password for one partner application, the user does not need to provide a user name or password when accessing other partner applications that share the same OracleAS Single Sign-On Server instance. OracleAS Single Sign-On Server determines that the user was successfully authenticated and indicates successful authentication to the new partner application. The advantages of a partner application implementation are as follows: ■ Provides the tightest integration with Oracle Portal and OracleAS Single Sign-On Server. ■ Provides the best single sign-on experience to users. ■ Provides the most secure form of integration because user names and passwords are not transmitted between Oracle Portal and the provider. The disadvantages of a partner application implementation are as follows: ■ The application must share the same user repository as Oracle Portal even though the applications user community may be a subset of the Oracle Portal user community. While worth some consideration, this issue is a minor one because the portal pages that expose the application can be easily restricted to the applications user community. ■ The application can only be tightly integrated to one or more OracleAS Single Sign-On Server instances if they share the same user repository. ■ The application must be written such that it delegates authentication to OracleAS Single Sign-On Server. ■ You must have access to the application source code.7.2.7.3.2 External Application An external application uses a different authentication
server than Oracle Portal. The application may use a different instance of OracleAS Single Sign-On Server than that used by Oracle Portal or some other authentication method. However OracleAS Single Sign-On Server does store the user name and password of the external application for that user. This means that when a user is already logged into Oracle Portal, they will be logged into the external application without having to type in their user name or password.Parts
» Oracle Fusion Middleware Online Documentation Library
» Introduction to Portal Development Understanding Portlets
» Portlet Anatomy Oracle Fusion Middleware Online Documentation Library
» Out-of-the-Box Portlets Portlet Resources
» Other Sources of Prebuilt Portlets Web Clipping
» Portlet Builder Portlet Resources
» JSF Portlets Portlet Resources
» Programmatic Portlets Portlet Resources
» The Portlet Technologies Matrix
» Web Clipping OmniPortlet General Suitability
» Java Portlets Portlet Builder
» PLSQL Portlets General Suitability
» Java Portlets Expertise Required
» Web Providers Deployment Type
» WSRP Producers Deployment Type
» The user requests a portal page from the Web browser by entering a URL in the
» The Parallel Page Engine PPE, which resides in the Oracle Application Servers
» Database Providers Provider Registration
» PLSQL Portlets Development Tool
» OmniPortlet and Web Clipping Java Portlets Portlet Builder PLSQL Portlets
» Web Clipping OmniPortlet User Interface Flexibility
» Java Portlets and PLSQL Portlets
» Web Clipping OmniPortlet Java Portlets
» PLSQL Portlets Ability to Capture Content from Web Sites
» Web Clipping OmniPortlet Java Portlets Portlet Builder
» Public Portlet Parameters Support
» OmniPortlet, Web Clipping, and Portlet Builder
» Web Clipping and OmniPortlet Java Portlets Portlet Builder PLSQL Portlets
» Web Clipping OmniPortlet Java Portlets PLSQL Portlets
» Introduction to OmniPortlet Oracle Fusion Middleware Online Documentation Library
» Source The OmniPortlet Wizard
» Filter The OmniPortlet Wizard
» View Layout The OmniPortlet Wizard
» Edit Defaults mode The OmniPortlet Wizard
» Portlet Parameters and Events
» Adding an OmniPortlet Instance to a Portal Page Building an OmniPortlet Based on a Web Service
» Building an OmniPortlet Based on a Spreadsheet CSV
» Building an OmniPortlet Based on an XML Data Source
» Building an OmniPortlet Based on a Web Page Data Source
» Under New Page Parameter, in the Parameter Name field, enter zip, then click
» For the fourth OmniPortlet in the list, follow the same steps to set Param1 to the
» Set the Page Input as shown in Click OK.
» Building an OmniPortlet Using the HTML Layout
» Above the Web Clipping portlet, click the Edit Defaults icon, as shown in
» In the URL Location field, enter the location of the starting Web page that links to Click Start.
» At the top left of the section of the Web content you want to clip, click Choose.
» In the Find a Web Clipping page, click OK to display the selected Web clipping in
» In the Default Value field, enter a value to use by default for the parameter.
» Select Basic Authentication as the authentication method.
» In the Additional Fields section, you can enter names and values of any Click OK.
» At the top left of the section of the Web content you want to clip, click Choos
» Click Select to confirm that the search result section is the one you want to clip.
» Because the content displayed in the portlet was reached by entering information
» In the parameters table, make the following changes:
» Click OK to display the default search results in the Web Clipping portlet on your
» In the Editing Views section, click View Page.
» In the Web Clipping portlet header, click Personalize, as shown in
» In the page that displays, scroll down to the Inputs section. Notice that the
» Click OK. Personalizing a Web Clipping Portlet
» Verify that the Web provider that contains the URL-based portlets you want to
» Find existing URL-based portlets.
» Performing the Migration Migrating from URL-Based Portlets
» Post-Migration Configuration Migrating from URL-Based Portlets
» Maintaining Migrated Portlets Migrating from URL-Based Portlets
» Current Limitations for Web Clipping
» User preference: Guidelines for Show Modes
» Instance defaults: Guidelines for Show Modes
» Guidelines for Edit Defaults Mode Options The following guidelines should
» Guidelines for Buttons in Edit Defaults Mode For consistency and user
» Preview Mode JPS and PDK-Java Full Screen Mode PDK-Java
» Help Mode JPS and Oracle Portal
» Link Mode PDK-Java Portlet defaults
» Guidelines for Navigation within a Portlet
» Guidelines for JavaScript Guidelines for Writing Java Portlets
» Guidelines for Mobile Portlets
» Introduction to Java Portlet Specification JPS and WSRP
» Click Next. Creating a JSR 168 Portlet
» Click OK. Repeat the preceding steps if you want to add more customization
» In the Description field, enter a description for the security role, explaining the Click OK.
» Initialization parameters provide the Web application developer, who decides
» In the Name field, enter a unique name for the initialization parameter. Use only
» In the Value field, enter a default value for the parameter.
» In the Description field, enter a description for the parameter.
» To delete an initialization parameter, select it in the table and click Remove.
» Click Next to display the Finish page.
» Click Finish to generate the files for your portlet. The following files should be
» Adding Portlet Logic to Your JSR 168 Portlet
» In the Application Navigator, right-click the project that contains your portlet and
» In the Deployment Profile Name field, enter a meaningful name for the
» Click OK. Deploying Your JSR 168 Portlet to the Oracle WebLogic Server
» When the Deployment Finished message displays in the Deployment Log at the
» Click Next to display the Portal Registration Property Values page
» Click Finish. You should see a Registration Confirmation page similar to the one
» Registering WSRP Producers in Enterprise Configurations
» Introduction to Oracle PDK-Java
» Click Next to display the General Portlet Information Page.
» Click Next to display the Public Portlet Events page
» Click the link underneath Service Name.
» In the New Gallery, expand the General category and select Deployment Profiles.
» In the Items list, select WAR File and click OK. The Create Deployment Profile --
» Click OK. The WAR Deployment Profile Properties dialog box opens.
» Under Web Application’s Context Root, select Specify Java EE Web Context Root
» Select the Contributors node under WEB-INFlib.
» Select Portlet Development. Deploying Your Oracle PDK-Java Portlet to an Application Server
» Click OK. The Project Properties dialog opens.
» Click OK. Deploying Your Oracle PDK-Java Portlet to an Application Server
» In the Application Navigator, right-click your project and select Deploy, then
» If you are not already on the Portal Builder page, click the Builder link in the
» In the Remote Providers portlet, click Register a Provider to display the Register
» In the Name field, enter the name of the provider. The name must not be more
» In the Display Name field, enter a name to display for the provider when it is
» In the Timeout field, enter the number of seconds Oracle Portal should try to
» In the Timeout Message field, enter the message to display when Oracle Portal
» From the Implementation Style list, select Web.
» Click Next to display the Define Connection page
» In the Domain Structure tree, select Deployments.
» Click the Targets tab, and select AdminServer and WLS_WSRP from the Servers Click Save.
» In Oracle JDeveloper, double-click the view.jsp file for your JPS-Standard
» Add the code that is indicated in bold in the following snippet:
» Open edit.jsp in the visual designer and click the Design tab. Notice that the
» Click the Design tab to see the new form field that you just added
» Updating the XML Provider Definition
» Viewing the Portlet Under Web Content, htdocs\myportlet, create an HTML page called
» Click the magnifying glass icon next to the portlet and a preview window similar
» Reviewing the Generated Code The wizard creates the following code for you by
» Modifying the Generated Code The JSP contains an input field for the portlet
» Implementing Personalization for Show Pages
» Edit your Show page and import NameValuePersonalizationObject and
» Preference Information Within the XML Provider Definition
» Portlet URL Types Intraportlet links refer to the Oracle Portal page on which
» Building Links with the Portlet URL Types To build links with the URL
» Building Forms with the Portlet URL Types Use of portlet parameters in forms is
» Implementing Navigation within a Portlet You can implement navigation within a
» Submitting Events Go to the Parameter tab of the page properties. Note that parameters should be
» You can append a parameter value to the URL and the portlet displays the value
» When you click the link, that value is passed to the Parameter portlet on its page
» Go to the provider deployment in the Oracle WebLogic Administration Console,
» Creating Private Events Enhancing PDK-Java Portlets
» Ensure you are logged in to an Oracle Portal instance with privileges to create
» Create a new portal page, ensuring it is visible to PUBLIC.
» Add your Java portlet to the page.
» Make a note of the direct URL to your new Portal page.
» Now log out of the Portal instance by clicking the Logout link.
» Oracle Portal Server Security
» HTTPS Communication Directly access the Portal page by entering the URL noted in Step 4 into your
» Implementing Oracle Internet Directory Security PDK-Java provides a set of
» Viewing Your Portlets After you secure your provider with Oracle Internet
» Ensure you are logged in to an Oracle Portal instance as a user who is a member of
» Use an existing page or create a new one, ensuring it is visible to PUBLIC.
» Make a note of the direct URL to your new page.
» Click Logout. Implementing Portlet Security
» The portlet instance is the portlet on a page with the default personalizations made
» Create a stock portlet and implement the Show mode with the following
» Create two regions on a sample page and add My Stock Portlet to the first region.
» Securing Provider Communications If the security of exportingimporting
» Disabling ExportImport of Personalizations The JNDI variable,
» Obfuscating Data for Transport Automatic By default, personalization data is
» Exporting by Reference Example To export by reference rather than exporting
» Expiry-based Caching Enhancing Portlet Performance with Caching
» Invalidation-based Caching: Enhancing Portlet Performance with Caching
» You have followed through and understood
» Activating Caching You built a portlet using the wizard and successfully added it to a page.
» Configuring the Provider Servlet To enable invalidation-based caching, you must
» Defining the Oracle Web Cache Invalidation Port If you are using an Oracle
» Configuring the XML Provider Definition Using a combination of tags in
» Manually Invalidating the Cache You may want the cached version of the portlet
» Enhancing Portlets for Mobile Devices
» Writing Multilingual Portlets Enhancing PDK-Java Portlets
» Oracle Portal and the Apache Struts Framework
» Creating an Oracle Application Development Framework ADF Portlet
» Portlet Show Modes Guidelines for Creating PLSQL Portlets
» Recommended Portlet Procedures and Functions
» Implementing the Portlet Package
» Open starter_provider2.pks in an editor.
» Save and close starter_provider2.pkb.
» Creating and Accessing a Preference Store
» Implementing a Session Store
» Passing Private Parameters Passing Page Parameters and Mapping Public Portlet Parameters
» Retrieving Parameter Values Using Parameters
» Identify the piece of information you require for your functionality.
» Use the appropriate method from wwctx_api to get and optionally set this value.
» Open the services_portlet.pkb file in an editor.
» Find the get_portlet_info function.
» Notice the usage of wwctx_api.get_user to derive the user information and set
» wwctx_api.get_user is used similarly in various places throughout
» Another example of getting context information occurs in the is_runnable
» Using Security Implementing Portlet Security
» Coding Security Implementing Portlet Security
» Indicate to Oracle Portal that it must generate specific headers for Oracle Web
» Determine whether you want to use system or user level caching. Set the
» Optionally, set up validation- or expiry-based caching as well.
» Add invalidation logic to your portlet where needed for example, when the
» Configuring and Monitoring the Cache
» Implementing Validation-Based Caching Improving Portlet Performance with Caching
» Implementing Expiry-Based Caching Improving Portlet Performance with Caching
» Implementing Invalidation-Based Caching Improving Portlet Performance with Caching
» Using Error Handling Implementing Error Handling
» Adding Error Handling Implementing Error Handling
» Add the event object, with an appropriate domain and subdomain combination,
» Register the log event record by using wwlog_api_admin.add_log_registry.
» Use start_log and stop_log to mark the events you want to log in your code.
» Adding Event Logging Implementing Event Logging
» Using Multilingual Support Writing Multilingual Portlets
» Adding Multilingual Support Writing Multilingual Portlets
» Registration Prerequisites Provider Record Input Registration Example
» Overview Oracle Fusion Middleware Online Documentation Library
» Secure Content Repository Views
» Terminology Content Management APIs
» Providing Access to the APIs and Secure Views
» Using Constants Guidelines for Using the APIs
» Resetting CMEF Global Variables
» Code Samples Oracle Fusion Middleware Online Documentation Library
» Setting the Session Context API Parameters
» Editing Page Properties Oracle Fusion Middleware Online Documentation Library
» Setting Item Attributes Editing Content
» Editing an Item Editing Content
» Moving an Item to a Different Page Moving Pages
» Moving Categories and Perspectives
» Deleting Items Deleting Content
» Deleting Pages Deleting Content
» Creating Pages Oracle Fusion Middleware Online Documentation Library
» Creating Categories and Perspectives
» Creating Items Oracle Fusion Middleware Online Documentation Library
» Setting Perspectives Attributes of Pages and Items
» Approving and Rejecting Items
» Searching For Items Across All Page Groups
» Searching For Pages in Specific Page Groups
» Searching For Items By Attribute
» Creating a Directory for the XML File
» Creating an XML File from a CLOB
» Generating Search Results in XML Workaround for get_item_xml
» Click Next. On the View page, select Tabular for the Layout Style, then click Next.
» Introduction to Multi-Lingual Support
» Querying the Default Language
» Setting the Session Language Modifying an Existing Translation Creating a Translation for an Item
» Translations and Item Versioning
» Retrieving Object Privileges Oracle Fusion Middleware Online Documentation Library
» Granting Page Level Privileges
» Removing Page Level Privileges
» Granting Item Level Privileges
» Removing Item Level Privileges
» Inheriting Item Level Privileges from the Page
» Enqueuing Messages How Does the Content Management Event Framework Work?
» Subscribers and Dequeuing Messages
» Exception Handling Listening for Messages
» Creating Subscriber Code Using the Content Management Event Framework
» In the toolbar at the top of the page, click the Properties link next to Page Group.
» Click the Configure tab to bring it forward.
» To enable CMEF, select the Enable Content Management Event Framework check
» Click OK to save your changes.
» Click Close to return to the page.
» Adding a Subscriber to WWSBR_EVENT_Q Running a CMEF Subscriber
» CMEF Message Payload Using the Content Management Event Framework
» Oracle Portal Actions and CMEF Events
» What Is the Content Management Event Framework? Installing the Examples
» Example: Portal Object Event Logging
» Example: Item Validation Oracle Fusion Middleware Online Documentation Library
» Integrating Workflow with Oracle Portal
» Example Overview Example: Integrating External Workflow
» Section 16.8.3.2, Grant Users the Manage Items With Approval Privileges
» Section 16.8.3, Run Scripts Required for the CMEF Workflow Integration
» Section 16.8.3.4, Create Subscriber and Check Procedures
» Section 16.8.3.5, Register the WF_CHECKURL Process with Oracle Workflow
» Enable Approvals and Notifications in Oracle Portal
» To enable approvals and notifications, select the Enable Approvals and
» Grant Users the Manage Items With Approval Privileges
» Go to any page in the page group and switch to Edit mode.
» Click the Approval tab to bring it forward.
» Select the Require Approval for All Users check box
» Create Subscriber and Check Procedures
» Log in to the CMEFSAMPLES schema and run the following: Start a new workflow project.
» Add the CMEF_WORKFLOW Subscriber to the WWSBR_EVENT_Q Queue
» Set the definition value in the provider_name.properties file that is
» From the WebLogic Server menu, choose Application Deployment, and then
» Click Continue. The URL mapping for Web Modules displays. The mappings will
» Click Next. Detailed Example Description
» In the Application Attributes section, for Application Name, enter the application
» Expand Deployment Plan. Detailed Example Description
» Click Deploy. Detailed Example Description
Show more