Security in WebCenter

I was following the tutorial in JDEV 10.1.3.2.
For the MyContent page, the tree component does not render properly (it's missing the sub-folders text) upon enabling security (Ch8). I triple-checked all the datacontrols for authorization entries, enabled all the checkboxes for the 'users' role, and still that doesn't work. All other components seem to be working on that page.
What could be wrong here?
Is there an easy way to enable authorizations for the data control? I really got tired of clicking all the individual checkboxes.
Thanks

hello !
we have seen this issue pop up once in a while but were unable, so far, to narrow it down. it seems to be some issue that is not easily reproducible. but we are on it and are doing our best to figure out what is causing it.
as for your question regarding security, unfortunately this is the only way how you can set authorization in 10.1.3.2.
thanks,
ph.

Similar Messages

  • Best Approach for Security in WebCenter Portal Application

    Hi,
    We are analyzing the right approach for webcenter portal security on an application. We found that we can do all Roles and Security in Page Hierarchy, which in turn stores the security details in Jazn-data.xml. Is this the right approach for defining the roles and security for a webcenter portal application?
    What is the importance of configuring WS_security in a webcenter Portal Application, and do we need to define this WS_Security even after defining them in page hierarchy? Could you please guide us on this.
    Thank you,
    Sashank P

    Hi Shashank,
    First, sorry for the late reply.
    WS_Security: can you please explain what you mean by WS_Security? From the term I could not infer which part you are talking about.
    Let me tell you about the Webcenter security -
    This is the hierarchy; the Fusion Middleware forms the base with Webcenter at the top.
    Webcenter Security
    |
    ADF Security
    |
    Fusion Middleware Security (OPSS)
    Now you are going to apply security to your Webcenter and ADF layers.
    Let's come back to the question.
    For any Webcenter portal, you have to use the Jazn-Data.xml file to secure all the content, whether it's the navigation/pages/admin pages/taskflows etc.
    It's pretty easy to use; let me know if you have any difficulty with that.
    Page hierarchy -> Yes, you have an option to set your security for pages alone; here you have additional fine-grained permissions (update/delete/personalise etc).
    If you need those fine-grained permissions you can use this.
    To conclude, I would say use jazn-data for taskflows/components/admin page protection etc.
    Use the page hierarchy's fine-grained permissions for pages, and the navigation model's visible attribute to show/hide navigation based on the user's roles.
    Let me know if this helps.

  • ACL - ILS (Item Level Security) for Webcenter Spaces

    We're trying to implement Item Level Security (ILS / ACL) for Webcenter spaces. We're following the instructions from the Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1.5.0) http://docs.oracle.com/cd/E15586_01/webcenter.1111/e12405.pdf
    After making the configuration changes, we're unable to see the "Security" option from the "File" menu in the Document explorer. Has anyone else implemented this feature and run into similar issues?
    Also, we're looking at the document properties in webcenter spaces via document explorer and do not see the "security group" or "accounts" metadata fields. We can see the "Content ID" and a whole bunch of fields and do not see "security groups" and "accounts". However, when we log into the content server and look at the folder or file "info" we can clearly see the security group and account values...not sure what is required to make these two fields show up in webcenter spaces.

    Hi,
    Do you upload the documents from spaces or from the UCM side?
    When you say the security and account fields are not displayed, is that when viewing the content or during update?
    When the ACL features are turned off, do you see the above fields?
    Thanks
    Srinath

  • Big Security Issues with WebCenter

    I have some questions about security with webcenter:
    1) can I hide and show the whole portlet according to the role of the user ?
    2) how can I develop the dummy page definition to put some components in it, and apply security constraints on that portion different from the whole page definition constraints ?
    3) the "Rendered" property of the component can be shown and hidden using the EL. But can I control every component alone depending on the authorization of the user on that control ? or all the component is depending on the same level of authorization?
    please provide some explanation and not only URLs
    thank you

    I have some questions about security with webcenter:
    1) can I hide and show the whole portlet according to the role of the user ?
    You could do this in a number of ways
    a) use the isrunnable method in your portlet code (role membership is passed at runtime to the provider)
    b) Create a managed bean and track the role membership (isUserInRole), and then just use EL to reference this bean in the rendered property of the portlet to return true or false (similar to the method in the developers guide, section 10.3)
    c) use a dummy page def as mentioned below
    2) how can I develop the dummy page definition to put some components in it, and apply security constraints on that portion different from the whole page definition constraints ?
    From the developers guide "While there is a one-to-one relationship between the page definition file and the page you are securing, it is also possible to secure areas within a page (for example, a ShowOneTab) by using a headless (dummy) page definition file that represents a specific section of the page. This page definition is not actually tied to a physical page, but can still have a policy defined for it. As such, by defining view permission on this headless page definition, you can show and hide a section of a page by referencing the headless page definition rather than the actual page definition of a target page."
    3) the "Rendered" property of the component can be shown and hidden using the EL. But can I control every component alone depending on the authorization of the user on that control ? or all the component is depending on the same level of authorization?
    Not sure what you mean here, maybe it is explained in my answers above?
    please provide some explanation and not only URLs
    Please read Section 10 Securing Your WebCenter Application of the WebCenter Developers Guide (http://download-west.oracle.com/docs/cd/B32110_01/webcenter.1013/b31074/jpsdg_security.htm#CDDGCDAH); we put a lot of effort into the documentation so we don't have to write massive answers to every post.
    thank you
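
Option (b) from the reply above, sketched as an added example that is not part of the original thread or of Oracle's documentation: a managed bean that wraps `isUserInRole` so the `rendered` attribute can name the role in EL. The class name `RoleCheckBean`, the bean name `roleCheck` and the role names are assumptions.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Hypothetical managed bean: register it in faces-config.xml as a
 * request-scoped bean named "roleCheck" (name is an assumption).
 *
 * EL usage on a component or portlet tag:
 *   rendered="#{roleCheck.inRole['users']}"
 *   rendered="#{roleCheck.inRole['admins,editors']}"   (any one of the roles)
 *
 * This only decides whether the component is drawn; permissions granted on
 * page definitions (option c in the reply) still apply independently.
 */
public class RoleCheckBean {

    // EL resolves #{roleCheck.inRole['x']} by calling Map.get("x"), so a
    // read-only Map view lets the page pass the role name as a parameter.
    private final Map<String, Boolean> inRole = new AbstractMap<String, Boolean>() {
        @Override
        public Boolean get(Object key) {
            return Boolean.valueOf(key != null && hasAnyRole(key.toString()));
        }

        @Override
        public boolean containsKey(Object key) {
            return key != null;
        }

        @Override
        public Set<Map.Entry<String, Boolean>> entrySet() {
            // Nothing to enumerate: roles are looked up on demand.
            return Collections.<Map.Entry<String, Boolean>>emptySet();
        }
    };

    public Map<String, Boolean> getInRole() {
        return inRole;
    }

    /** True once the container has authenticated the caller. */
    public boolean isAuthenticated() {
        FacesContext fc = FacesContext.getCurrentInstance();
        return fc != null && fc.getExternalContext().getRemoteUser() != null;
    }

    /** Accepts one role or a comma-separated list; true if the user has any of them. */
    private boolean hasAnyRole(String commaSeparatedRoles) {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            return false; // no request context: fail closed
        }
        ExternalContext ec = fc.getExternalContext();
        if (ec.getRemoteUser() == null) {
            return false; // anonymous users hold no roles
        }
        for (String role : commaSeparatedRoles.split(",")) {
            String trimmed = role.trim();
            if (trimmed.length() > 0 && ec.isUserInRole(trimmed)) {
                return true;
            }
        }
        return false;
    }
}
```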

  • Migrate portlets deployed on Liferay to WebCenter

    Is there a way to convert a JSR-168 portlet WSRP portlet so that it can be deployed on WebCenter?
    The latest version of JDeveloper (11.1.2) supports importing of Maven projects but it does not support creation of WebCenter Applications.
    Version 11.1.1.5 of JDeveloper supports WebCenter Application creation but we were unable to import a maven project. We want to port our portlets (JSR 168) running on liferay to WebCenter.
    Any hints on same would be helpful.
    Thanks

    I tell this also in all my courses I give.
    Standards are good but in the end when you migrate from one system to another, you almost always end up with rewriting the whole app...
    Most of the time you are interacting with the portal itself from within your portlet, which completely removes the idea of loose coupling between portlet and portal.
    Then there is the JSR168 standard. If you are using inter portlet communication then you are using some special technique owned by the portal, which means that it cannot be migrated.
    Another thing is security. WebCenter does not work according to the JEE roles, which means that if you have defined security in your portlets in Liferay and used security, it will not work in webcenter unless you use WS-Security and configure quite a lot of mapping and security stores.
    So as you can see, standards are good and well but in the end they are more a pain in the ....

  • Webcenter Interaction, Webcenter Spaces, WebcenterServices

    Hi,
    What is the difference between Webcenter Interaction, Webcenter Spaces, Webcenter Services & Enterprise 2.0 ?
    Is there any out of the box examples for Webcenter & live example url's?
    Regards,
    Venu--

    Hi all,
    This is regarding integration of the discussion server into webcenter spaces.
    I installed oracle web center 11.1.1.2.0 on an AIX machine. After successful installation, when I tried the spaces URL (http://machineip:8888/webcenter/spaces) and clicked the Discussions icon in the left side bar under the My Group Spaces tab, it showed the error "failure to authenicate the user weblogic,due to : Unable to connect to discussion server".
    I followed the steps given in the Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter, chapter 28, "Configuring WS-Security for WebCenter Applications and Components". I created only one domain, so I followed Section 28.1, "Configuring WS-Security for a Simple Topology".
    Below are my steps:
    1. I created the webcenter domain keystore as below:
    1.1 keytool -genkey -keyalg RSA -dname "cn=spaces,dc=WC_Domain,dc=com" -alias orakey -keypass welcome123 -keystore /home/oracle/keystore/webcenter.jks -storepass welcome123 -validity 1064
    1.2 keytool -export -v -alias orakey -keystore /home/oracle/keystore/webcenter.jks -storepass welcome123 -rfc -file /home/oracle/keystore/orakey.cer
    1.3 keytool -import -alias webcenter_spaces_ws -file /home/oracle/keystore/orakey.cer -keystore /home/oracle/keystore/webcenter.jks -storepass welcome123
    2. I configured the keystore using Fusion Middleware Control:
    3. Configured the Discussions Server for a Simple Topology:
    keytool -import -alias df_orakey_public -file /home/oracle/keystore/orakey.cer -keystore /home/oracle/keystore/owc_discussions.jks -storepass welcome123
    4. Specifying the Properties File for ClassLoader
    5. Updating the System Properties for WS-Security
    But still I am getting the same error "failure to authenicate the user weblogic,due to : Unable to connect to discussion server". But I am able to log in to the discussion console individually using the weblogic username.
    Please help me with this issue.

  • Wldeploy: EncryptionServiceException, Error decrypting Secret Key

    I am seeing the following error using the ant deploy task in ASCORE_MAIN_LINUX_090629.1800
    weblogic.security.internal.encryption.EncryptionServiceException: weblogic.security.internal.encryption.EncryptionServiceException: weblogic.security.internal.encryption.EncryptionServiceException: [Security:090219]Error decrypting Secret Key com.rsa.jsafe.JSAFE_InputException: Invalid input length for decryption. Should be a multiple of the block size - 8.
    I am [attaching the entire stack|http://webcenter.us.oracle.com/webcenter/content/conn/UCM/path/PersonalSpaces/[email protected]/Public/Stack.txt] and the files [myuserconfigfile.secure|http://webcenter.us.oracle.com/webcenter/content/conn/UCM/path/PersonalSpaces/[email protected]/Public/myuserconfigfile.secure] and [myuserkeyfile.secure|http://webcenter.us.oracle.com/webcenter/content/conn/UCM/path/PersonalSpaces/[email protected]/Public/myuserkeyfile.secure]
    wlst cmd
    storeUserConfig('/scratch/sfrankli/extSpaces/myuserconfigfile.secure', '/scratch/sfrankli/extSpaces/myuserkeyfile.secure')
    has been used to create myuserconfigfile.secure and myuserkeyfile.secure
    the complete stack also contains a
    [wldeploy] Version mismatch between key and supported version; will try to continue
    before it throws the EncryptionServiceException.
    Any ideas what may be going wrong?
    Thanks,
    Sunil.

    Yes we realize that we should not be using the simulator; however the customer needs to get some test transactions sent to the authorizer before a certification blackout.
    We identified the issue as a problem between the POS client and POS server where the new v13.3 password phrase for the simulator did not match. We updated the values to match in the application.properties file and it resolved the problem.
    Thank you for your input though.

  • Creating a WebCenter Application with PageCustomizable and ADF Security

    I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
    I have 2 JSPX files.
    One called mainTemplate.jspx
    - contains header, footer in ADF and a center facet.
    One called Welcome.jspx created from mainTemplate
    - contains page customizable > panel customizable > layout customizable > various custom panel configs.
    ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
    We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
    The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
    We then refresh the page and see that we are indeed logged in as 'weblogic'.
    Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
    However when we click on 'add Content' using the composer we get a permission error.
    <RegistrationConfigurator><handleError> Server Exception during PPR, #1
    javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at com.sun.el.parser.AstValue.invoke(AstValue.java:161)
    ...
    Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)
         at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
    I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
    In my catalog I have a WCM portlet taskflow, which will require its own permissions.
    I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
    I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either; the login button doesn't seem to trigger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
    *note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
    If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
    Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
    Thanks.
    Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

    When you want to achieve this you need to configure ADF security with basic authentication & authorization. The authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
    When you have configured your application for authorization as well, you have to create roles and groups.
    You will also have to set the authorization of your pages. Open a jspx and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit, customize, personalise, view,...
    Hope this helps.

  • ACL - ILS (Item Level Security) for Content Server & WebCenter Spaces

    We're trying to implement Item Level Security (ILS / ACL) for Webcenter spaces. We're following the instructions from the Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1.5.0) http://docs.oracle.com/cd/E15586_01/webcenter.1111/e12405.pdf
    After making the configuration changes, we're unable to see the "Security" option from the "File" menu in the Document explorer. Has anyone else implemented this feature and run into similar issues?
    I made the following configuration changes:
    UseEntitySecurity=1
    SpecialAuthGroups=SecurityGroups (comma separated list with no spaces and the application name is included)
    CS: Version:11gR1-11.1.1.5.0
    DB: 11.2.0.2.0 ---Oracle Database 11g Enterprise Edition
    WebCenter: 11.1.1.4.0 (in a clustered environment)
    Also, we're looking at the document properties in webcenter spaces via document explorer and do not see the "security group" or "accounts" metadata fields. We can see the "Content ID" and a whole bunch of fields and do not see "security groups" and "accounts". However, when we log into the content server and look at the folder or file "info" we can clearly see the security group and account values...not sure what is required to make these two fields show up in webcenter spaces.

    Hi,
    Do you upload the documents from spaces or from the UCM side?
    When you say the security and account fields are not displayed, is that when viewing the content or during update?
    When the ACL features are turned off, do you see the above fields?
    Thanks
    Srinath

  • Oracle WebCenter Framework Tutorial  bug in af:tree / security ?

    Hi
    I'm following the Oracle® WebCenter Framework Tutorial and came without big problems through the Providing Security section; however, at the end of the chapter it is recommended to apply security on page elements to display files/folders using the af:tree component. After applying security as suggested I'm able to see the files/folders initially, but when I collapse the folder to see the contents, I see only the arrows without any names (blank). After removing web-security it works correctly.
    The authorization settings are as follows:
    getItems2Iter:
    Role: / Action
    users / Read,Update,Create,Delete
    getItems2:
    Role / Action
    users / Invoke
    getItems3:
    For all attributes: MyTutorialContent3.getItems2 (eg. name,URI, etc) 5 in total
    Role / Action
    users / Read, Update
    According to the manual, there is also Page security defined on the highest level of the Page.
    Thx.

    hello !
    your steps look correct. also, if you initially see all the content, your steps are working. i just tried it and could reproduce this behavior. i will try to find out why this is happening.
    it is quite interesting as we have not seen this behavior in pre-production builds.
    thanks,
    ph.

  • Error when trying to see pages in webcenter app with adf security activated

    Greetings
    I have this problem
    I developed a WebCenter Application that uses ADF Security with form authentication. This app has two JSPX pages: the first one is the login page and the second one is the page where I manage runtime-created pages using the CREATE PAGE task flow and a page tree iterator to see my created pages.
    When I deploy the application on the weblogic server I am able to log in successfully and create as many pages as I want and also see them using the link generated. The problem is that when I delete the application from the weblogic server (I mean the deployed application) and then redeploy the same application on the server, I can log in again and see the pages I created before, but when I try to reach them I get this error shown in my internet browser:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46)
    containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization
    header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that
    authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response,
    and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was
    given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained
    in section 11.
    Does anybody know what kind of configuration I am missing or what is happening?
    thanks for your help

    This issue has a solution shown in this thread: Re: ERROR when trying to see pages created with create page task flow

  • Securing WebCenter applications with PKI and CAC

    I have a potential customer who has a need to secure WebCenter apps using PKI and CAC. Can this be done in the current version? or in 11g? If so, what are the basic steps?
    Thanks in advance,
    -Matt

    Hi Matt,
    You can configure WebCenter applications to use Oracle Internet Directory, which in turn has support for PKI and has an SDK for developing extensions to external devices.
    You might want to try posting your question in the Oracle Identity Management forum.
    regards,
    Stewart

  • WebCenter portal ant packaging (no security)

    Hi
    I invoke Ant script out of Maven to build my WebCenter application, but after it is opened - it complains about invalid security (the error says that WS Security header should be attached)
    If I do the deployment of portal directly from JDeveloper - then everything works fine. Could you please tell me what I am missing in the configuration of security when building from Maven/Ant? I know that JDeveloper uses file-based WS policy store by default, but why it is not seen when packaging and deploying from Ant/Maven?
    Thanks

    I was not adding a WS policy configuration to the 'connections.xml'

  • Don't miss Thursday's Webcast: Security Scenarios with WebCenter Content 11

    Learn how user authentication and authorization is now implemented in WCC 11g by attending this 1 hour Advisor Webcast!
    Topic: Security Scenarios with WebCenter Content
    When: September 27, 2012 at 16:00 UK / 17:00 CET / 08:00 am Pacific / 9:00 am Mountain / 10:00 am Central / 11:00 am Eastern
    This one-hour session is recommended for technical and functional users who use WebCenter Content (WCC). This session will be used to explain how user authentication and authorization is now implemented in WCC 11g. Also the means that single sign can be used.
    TOPICS WILL INCLUDE:
    - How authentication and authorization was handled in previous Content Server versions
    - The WLS mechanisms now used to provide user access and content security
    - External users and internal users
    - Overview of the WLS ldap provider configuration
    - How to differentiate Roles and Accounts
    - WCC credential mapping -- not WLS credential mapping
    - Single Sign on -- OAM only
    - Saml and Kerberos
    To register for this meeting:
    1. Event address for attendees: https://oracleaw.webex.com/oracleaw/onstage/g.php?d=595760912&t=a
    2. Register for the meeting.
    Once the host approves your request, you will receive a confirmation email with instructions for joining the meeting.

    Hi Everybody:
    I've found the solution. It was necessary to fill the roles on the Front End. However, this step is not mentioned on the GRC 10.1 Security guide, only in 10.0.
    Best Regards:
    Caio

  • UPCOMING Webcast on Sept 27th - Security Scenarios with WebCenter Content

    Learn how user authentication and authorization is now implemented in WCC 11g by attending this 1 hour Advisor Webcast!
    Topic: Security Scenarios with WebCenter Content
    When: 16:00 UK / 17:00 CET / 08:00 am Pacific / 9:00 am Mountain / 11:00 am Eastern
    This one-hour session is recommended for technical and functional users who use WebCenter Content (WCC). This session will be used to explain how user authentication and authorization is now implemented in WCC 11g. Also the means that single sign can be used.
    TOPICS WILL INCLUDE:
    - How authentication and authorization was handled in previous Content Server versions
    - The WLS mechanisms now used to provide user access and content security
    - External users and internal users
    - Overview of the WLS ldap provider configuration
    - How to differentiate Roles and Accounts
    - WCC credential mapping -- not WLS credential mapping
    - Single Sign on -- OAM only
    - Saml and Kerberos
    A short, live demonstration (only if applicable) and question and answer period will be included. Oracle Advisor Webcasts are dedicated to building your awareness around our products and services. This session does not replace offerings from Oracle Global Support Services.
    WebEx Conference Details
    Topic: Advisor Webcast: Security Scenarios with WebCenter Content
    Date and Time:
    Thursday, September 27, 2012 5:00 pm, Europe Summer Time (Berlin, GMT+02:00)
    Thursday, September 27, 2012 4:00 pm, GMT Summer Time (London, GMT+01:00)
    Thursday, September 27, 2012 11:00 am, Eastern Daylight Time (New York, GMT-04:00)
    Thursday, September 27, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
    Event number: 595 760 912
    To register for this meeting
    1. Event address for attendees: https://oracleaw.webex.com/oracleaw/onstage/g.php?d=595760912&t=a
    2. Register for the meeting.
    Once the host approves your request, you will receive a confirmation email with instructions for joining the meeting.

    You need to keep in mind that these OTN forums are user community forums and are publicly viewable to anyone with a web browser on the Internet.
    If you are to present a link into a forum post it needs to be a freely available link, else you need to qualify your post if it is not.
    If CSI/MOS login credentials are required (which seems to be the case here) then you need to be aware of that and state that fact. If your link is to be restricted to company-internal or for partner-only access, you need to state that.
    (... and company-internal or partner-only postings have no place in these user community forums)
