wwctx_api.get_user is used similarly in various places throughout

8-28 Oracle Fusion Middleware Developer's Guide for Oracle Portal

Portlet security is invoked when a portlet is displayed on a portal page and when a portlet is returned in a portlet list by the get_portlet_list function for database providers. Security services in the Portal framework have the following key features:

■ Portlet Display: Before a portlet is displayed on a page, the provider checks for the portlet's access privileges. The provider needs to define the is_portlet_runnable function, which calls the portlet's is_runnable function to check access privileges.

■ User Group: You can find which default group a user belongs to by using the wwsec_api.get_defaultgroup function.

■ Check Privileges: You can find whether a user or group has the required privileges to personalize a portlet by using the wwsec_api.has_privilege function.

■ Highest Privilege: You can find the highest available privilege of a user across all groups by using the wwsec_api.get_privilege_level function.

■ Accessible Objects: You can find all the objects to which a user has access, given a privilege level, by using the wwsec_api.accessible_objects function.

You can find other similar associated functions in the API documentation. The API Reference can be found on Portal Center (http://portalcenter.oracle.com) or, if you downloaded PDK-PL/SQL (pdkplsql.zip), in ..\pdkplsql\pdk\plsql\doc.

8.7.1 Using Security

To implement PL/SQL portlet security, the portal requires that database providers implement the function is_portlet_runnable. The actual implementation of this function is up to the application; that is, the security scheme that determines whether the current user has enough privileges to access the portlet is defined by the individual portlet implementation. The portal also requires the function get_portlet_list for database providers to return the set of portlets that are accessible by the current user.

Guidelines for Using the Security APIs

The portlet security mechanism may use the context and security subsystem APIs and infrastructure. The context APIs can be used to retrieve information about the current user. The security subsystem can be used to check the privileges of the current user. While using these APIs, keep in mind the following:

■ Only authorized users should be able to see your portlet in the Add Portlet dialog. This objective can be accomplished by implementing the is_portlet_runnable function in the provider. You can also allow public access to your portlet.

■ If a portlet does not want to render itself to a user, it should return no HTML or return an exception that the page engine will ignore. It should not return an error message. Doing so adds unnecessarily to the error stack, which has its limits. Refer to Section 8.9, "Implementing Error Handling" for more information.

Note: For more information on the context and security subsystem APIs, see the PL/SQL API Reference. The API Reference can be found on Portal Center (http://portalcenter.oracle.com) or, if you downloaded PDK-PL/SQL (pdkplsql.zip), in ..\pdkplsql\pdk\plsql\doc.
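The following sketch is an added example, not code from the guide or from the PDK. It shows a provider's is_portlet_runnable delegating to a portlet-level check that denies by default and stays silent on failure, as the guidelines above recommend. The names demo_provider, PORTLET_REPORTS and reports_is_runnable are hypothetical, and the record type and wwctx_api.is_logged_on call are assumed to match your PDK version; confirm them in the API Reference.

```plsql
-- Added example; demo_provider, PORTLET_REPORTS and reports_is_runnable
-- are hypothetical names. A real provider package also implements
-- get_portlet_list and the other provider functions.
create or replace package demo_provider as
    PORTLET_REPORTS constant integer := 1;   -- hypothetical portlet id

    function is_portlet_runnable
    (
        p_portlet_instance in wwpro_api_provider.portlet_instance_record
    )
    return boolean;
end demo_provider;
/

create or replace package body demo_provider as

    -- Portlet-level check: visible only to users who are logged on,
    -- that is, not in a public session. A finer-grained scheme could
    -- consult the wwsec_api functions listed above instead.
    function reports_is_runnable return boolean
    is
    begin
        return wwctx_api.is_logged_on;
    exception
        when others then
            -- Fail closed and stay silent: the portlet is hidden and
            -- nothing is pushed onto the error stack.
            return false;
    end reports_is_runnable;

    function is_portlet_runnable
    (
        p_portlet_instance in wwpro_api_provider.portlet_instance_record
    )
    return boolean
    is
    begin
        if p_portlet_instance.portlet_id = PORTLET_REPORTS then
            return reports_is_runnable;
        end if;
        -- Unknown portlet id: deny rather than default to visible.
        return false;
    end is_portlet_runnable;

end demo_provider;
/
```

Because get_portlet_list must return only the portlets accessible to the current user, it should apply the same check to each portlet before adding it to the list, so the Add Portlet dialog and the rendered page agree.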