Implementing Oracle Internet Directory Security PDK-Java provides a set of
7.2.7.9.2 Viewing Your Portlets

After you secure your provider with Oracle Internet Directory, you can validate its behavior by following these steps:

1. Ensure you are logged in to an Oracle Portal instance as a user who is a member of the group specified in the group tag in provider.xml.
2. Use an existing page or create a new one, ensuring it is visible to PUBLIC.
3. Add your Java portlet to the page.
4. Make a note of the direct URL to your new page.
5. Click Logout.
6. Directly access the page by entering the URL noted in Step 4 in your browser's address bar, or log in to Oracle Portal as a user who is not part of the group listed in provider.xml.

You will see the page created in Step 2 but not the portlet added in Step 3, as shown in Figure 7–10. When you added the portlet to the page, you were logged in as a user authorized to view the portlet. The PDK runtime detected this and allowed you to add the portlet. When you logged out and viewed the page, you were no longer part of the group allowed to view the portlet, and hence the PDK Framework did not allow rendering of the portlet's contents.

Figure 7–10 Page and Portlets for Developer

If you log in again and view the page, you will see that the portlet is still there (Figure 7–11).

Enhancing Java Portlets 7-47

Figure 7–11 Page and Portlets for Developer/Administrator

7.2.7.10 User Input Escape

By accepting user input without escaping it to text, you run the risk of an XSS attack, where an attacker attempts to pass in malicious scripts through user input forms. For example, if a portlet title is customizable, an attacker might attempt to pass scripts or commands to the portlet through the title string. Oracle Portal provides the following features to ensure that you can protect your portlets from such attacks:

■ Section 7.2.7.10.1, Default Container Encoding
■ Section 7.2.7.10.2, Escape Methods

7.2.7.10.1 Default Container Encoding

To prevent any script inside a portlet title from being executed, the framework's default container renderer class encodes any script characters. This default behavior is controlled through a JNDI variable, escapeStrings. When it is set to true, the markup tags in portlet titles are rendered as visible tag characters. For example, a title customization of <i>title</i> will be rendered as the literal text <i>title</i>, not as an italicized title. This mode is secure, but, if it is not the desired behavior, you can set escapeStrings to false for that provider. escapeStrings applies to all logical providers within a Web provider. You can set the value of escapeStrings from the WebLogic Server Administration Console as you would any other JNDI variable. Refer to Section 7.2.4.2, Setting JNDI Variable Values, for more information.

7.2.7.10.2 Escape Methods

If you have code that renders customized values, you need to ensure that you escape those input values appropriately to avoid XSS attacks. This requirement applies to code for rendering pages in any mode. Oracle Portal supplies two new static methods for this purpose. They are in the Java class oracle.portal.provider.v2.url.UrlUtils, and can be described as follows:

■ public static escapeString(string_text) escapes any script characters in a given string. For example, the less-than character (<) becomes &lt;. This method is unaffected by the escapeStrings JNDI variable and is the secure, recommended method to use.
■ public static escapeStringByFlag(string_text) escapes any script characters in a given string. This method is controlled by the escapeStrings JNDI variable and is therefore less secure and not the recommended method to use.

For example:

    title = UrlUtils.escapeString(data.getPortletTitle());

7-48 Oracle Fusion Middleware Developer's Guide for Oracle Portal

7.2.8 Controlling the Export/Import of Portlet Personalizations
The export/import facility of Oracle Portal is a multi-purpose tool for moving your portal objects, such as portlets, between instances of Oracle Portal. For example, you might use export/import to move objects from a development environment to a stage environment and then, finally, to a production environment. You might also use export/import to move pages and page groups between Oracle Portal instances, or to move Web providers from one machine to another. For more information about export/import in general, please refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Portal.

Because portlet default settings can be set by the administrator and then changed by the user, they require some special consideration when you import and export them. To simplify the transport process, Oracle Portal provides default functionality that handles administrator personalization data (that is, data created using Edit Defaults mode) for you. When a portlet is exported, the default personalization data stored using PDK-Java's PreferenceStore mechanism is exported with the portlet by default. Hence, when the portlet is imported into a target instance of Oracle Portal, this data is imported along with it. As a result, the portlet instance's default settings are maintained when the portlet is moved from one portal instance to another.[1]

The aforementioned behavior is provided to you as a convenience and requires no action on your part to leverage. You might, however, want to exercise more granular control over the export of personalization data than that provided by the default functionality. To implement your own requirements for export/import, you can make use of the programming interface to augment or override the default handling of personalizations.

If you use the PDK-Java preference store mechanism, the export/import of your Edit Defaults personalizations is built in and requires no additional effort on your part.

This default export/import of administrator personalizations relies on the PDK-Java preference store. If you have created your own preference store mechanism (for example, a file or database preference storage system), then you also must implement your own export/import support that performs the following functions:

■ Exports personalizations. This functionality must at least export administrator personalizations, but it could optionally include user personalizations, too.
■ Imports personalizations. Note that this functionality must reflect whatever you implemented for export. For example, if you allow the export of both administrator and user personalizations, then the import functionality must support both as well.

The export/import functionality for personalizations requires that your Oracle Portal instance and provider are on Release 10.1.2. Export/import of personalizations behaves the same regardless of the location of your provider, which can be either of the following:

■ in the default Oracle Containers for Java EE of the Oracle Application Server, where the Oracle Portal instance is different.

[1] User personalization data for Oracle Portal objects is never exported. This restriction applies to portlets as well as other objects, such as pages.
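The following added example (not part of the Oracle guide, and not Oracle's implementation of UrlUtils) models the two escape methods from Section 7.2.7.10.2 to show why the flag-controlled variant is the less secure one: when escapeStrings is false, it passes a customized title's markup through unchanged. The method bodies, the set of escaped characters, the explicit boolean flag parameter, and the renderHeader and isInert helpers are assumptions made for illustration.

```java
/**
 * Added example: stand-in model of the two escape methods described in
 * Section 7.2.7.10.2. NOT Oracle's UrlUtils code; the escaped character set
 * and the explicit flag parameter are assumptions.
 */
public class TitleEscapeDemo {

    /** Models escapeString: always escapes, independent of any setting. */
    static String escapeString(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Models escapeStringByFlag: escapes only when the provider's escapeStrings
     * setting is true. In the PDK the value comes from JNDI; here it is passed
     * in explicitly (assumption) so both settings can be compared.
     */
    static String escapeStringByFlag(String text, boolean escapeStrings) {
        if (escapeStrings) {
            return escapeString(text);
        }
        return text == null ? "" : text;
    }

    /** Hypothetical helper: true if no markup-significant character survives. */
    static boolean isInert(String escapedTitle) {
        return escapedTitle.chars()
                .noneMatch(c -> c == '<' || c == '>' || c == '"' || c == '\'');
    }

    /** Hypothetical helper: renders a portlet header from a prepared title. */
    static String renderHeader(String preparedTitle) {
        return "<div class=\"portlet-header\">" + preparedTitle + "</div>";
    }

    static void report(String label, String prepared) {
        System.out.printf("  %-28s inert=%-5b %s%n",
                label, isInert(prepared), renderHeader(prepared));
    }

    public static void main(String[] args) {
        // Constructed sample titles, as a user might save them when customizing.
        String[] titles = {
            "Quarterly Sales",
            "<i>title</i>",
            "<script>alert(1)</script>",
            "R&D \"beta\""
        };
        for (String title : titles) {
            System.out.println("customized title: " + title);
            report("escapeString", escapeString(title));
            report("escapeStringByFlag (true)", escapeStringByFlag(title, true));
            // With escapeStrings=false the title reaches the page unescaped.
            report("escapeStringByFlag (false)", escapeStringByFlag(title, false));
        }
    }
}
```

An isInert-style assertion in a portlet's test suite catches a render path that relies on the flag-controlled method after a provider has been deployed with escapeStrings set to false.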