Creating PLSQL Portlets 8-27 return boolean is begin -- -- Portlet security check. It allows the portlet to be visible -- if the user is logged on, that is, the current session is not a -- public session. -- return wwctx_api.is_logged_on; end is_runnable; 6. In the register procedure, wwctx_api.get_nls_language is used to get the language: -- -- Create the names to store the portlet preferences. -- wwpre_api_name.create_name p_path = PORTLET_PATH || p_portlet_instance.reference_path, p_name = PREFNAME_STRING, p_description = Single custom row in || Introductory Example portlet., p_type_name = NLSID, p_language = wwctx_api.get_nls_language; wwpre_api_name.create_name p_path = PORTLET_PATH || p_portlet_instance.reference_path, p_name = PREFNAME_TITLE, p_description = Single custom row in || Introductory Example portlet., p_type_name = NLSID, p_language = wwctx_api.get_nls_language; 7. Close services_portlet.pkb. You can implement session context similarly but based upon your own functional requirements. 8. Optionally, if you want to see this portlet on a page and it is not already in the Portlet Repository, refer to the instructions in Section 8.3.2, Implementing the Provider Package for information on how to add it. 9. Once your portlet appears in the repository, you can add it to a page to test it. To add your portlet to a page, follow the instructions in Oracle Fusion Middleware Users Guide for Oracle Portal.

8.7 Implementing Portlet Security

Portlet security refers to the techniques and methods used by portlets to control their access by end users. The portlets leave authentication to Oracle Portal and trust that the portal will return them to the correct, validated user upon request. Oracle Portal strictly controls access to information and applications by assigning specific privileges to users and groups. Portal security services allow you to specify access control programmatically and check for the appropriate privileges at runtime. Security mechanisms used by portlets ensure that only authorized users gain access to these portlets. These security services are available through the wwsec_api package. 8-28 Oracle Fusion Middleware Developers Guide for Oracle Portal Portlet security is invoked when a portlet is displayed on a portal page and when a portlet is returned in a portlet list by the get_portlet_list function for database providers. Security services in the Portal framework have the following key features: ■ Portlet Display: Before a portlet is displayed on a page, the provider checks for the portlets access privileges. The provider needs to define the is_portlet_ runnable function which calls the portlets is_runnable function to check access privileges. ■ User Group: You can find which default group a user belongs to by using the wwsec_api.get_defaultgroup function. ■ Check Privileges: You can find whether a user or group has the required privileges to personalize a portlet by using the wwsec_api.has_privilege function. ■ Highest Privilege: You can find the highest available privilege of a user across all groups by using the wwsec_api.get_privilege_level function. ■ Accessible Objects: You can find all the objects to which a user has access, given a privilege level, by using the wwsec_api.accessible_objects function. You can find other similar associated functions in the API documentation. The API Reference can be found on Portal Center http:portalcenter.oracle.com or, if you downloaded PDK-PLSQL pdkplsql.zip, in ..\pdkplsql\pdk\plsql\doc.

8.7.1 Using Security

To implement PLSQL portlet security, the portal requires the function is_portlet_ runnable be implemented by database providers. The actual implementation of this function is up to the application; that is, the security scheme that determines whether the current user has enough privileges to access the portlet is defined by the individual portlet implementation. The portal also requires the function get_portlet_list for database providers to return the set of portlets that are accessible by the current user. Guidelines for Using the Security APIs The portlet security mechanism may use the context and security subsystem APIs and infrastructure. The context APIs can be used to retrieve information about the current user. The security subsystem can be used to check the privileges of the current user. While using these APIs, keep in mind the following: ■ Only authorized users should be able to see your portlet in the Add Portlet dialog. This objective can be accomplished by implementing the is_portlet_ runnable function in the provider. You can also allow public access to your portlet. ■ If a portlet does not want to render itself to a user, it should return no HTML or return an exception that the page engine will ignore. It should not return an error message. Doing so adds unnecessarily to the error stack, which has its limits. Refer to Section 8.9, Implementing Error Handling for more information. Note: For more information on the context and security subsystem APIs, see the PLSQL API Reference. The API Reference can be found on Portal Center http:portalcenter.oracle.com or, if you downloaded PDK-PLSQL pdkplsql.zip, in ..\pdkplsql\pdk\plsql\doc.