WebLogic Portal / Portlet roles picked up from external source

mohanr-JavaNet
mohanr-JavaNet Member Posts: 144
edited Jan 2, 2009 11:20AM in WebLogic Portal
Hi,

Is it possible to connect the portal to an external database to pick up roles for role-based authorization ?

Appreciate if the following points are clarified.

1. Synching the portal database with the external database (LDAP, RDBMS etc.) when the external sources change.

2. How to upload the role information into the portal database manually ?

3. What are the different ways of connecting the portal to an external source ? We already have roles in our database.

4. Can I use the tags the portal (WebLogic provided) itself uses to pick up external roles and use it in a portlet ? We need these tags for field-level security.

5. Any examples.
Thanks,
Mohan

Answers

  • mohanr-JavaNet
    mohanr-JavaNet Member Posts: 144
    edited Dec 22, 2008 6:10AM
    Replying to my own mail.

    Does WebLogic use its own internal LDAP server for managing authorization information ( from what I read ) ?

    How performant will it be if I write an external security manager (WebSphere terminology) to connect the internal role manager to my own database ?

    Is that advisable ?

    I think even if the role manager connects to my database to access role details dynamically it still needs its own copy to make role decisions for portal features ?

    Can somebody confirm this ?

    Mohan
  • 649271
    649271 Member Posts: 76
    Mohan.

    I can answer few but not all.

    Weblogic Portal does use internal LDAP to manage roles, groups, entitlements.

    If the number of roles becomes too big, then it is advisable to have an external data store like RDBMS or LDAP.
  • If you have your own source of Role definitions, you will probably wish to implement a custom Role Mapper and plug it into WebLogic Server's security service provider interface. WebLogic Portal will be able to see the Roles that your Role Mapper provides and you can use those Roles to entitle portal resources (portlets, content, etc.). See the WebLogic Portal Security Guide (http://download.oracle.com/docs/cd/E13155_01/wlp/docs103/security/intro.html) for some more information and the documentation on developing custom Role Mappers (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/rm.html) in the WebLogic Server documentation.

    WebLogic Portal uses the embedded LDAP for storing Role and Security policies defined via the WebLogic Portal Administration Console (entitlements and delegated administration) and via the similar WLP APIs. However, you can use your own external Roles as well to create entitlement security policies.

    There is no "syncing" of external Role or other security information into the WLP database or embedded LDAP. WLP will read your Roles from your source as long as you implement the proper Security SPI interfaces for your Role Mapper.

    Brad
  • Thanks.

    I will read the doc. about role mappers.

    Point 1:

    The portal has its own database with a huge number of tables for its internal use to make decisions about roles that can view portlets etc. ( for its Portal administration screen etc. ) ? This database is supposed to be migrated to a better version like Oracle with failover and HA.

    Point 2:

    The custom role mapper will make decisions at run-time loading the roles from my external database.

    What is the mapping between Point 1 (database1) and Point 2 (database2) ? Is synching involved when database2 has some users that database1 doesn't ?
  • 667822
    667822 Member Posts: 36
    Point 1

    If you need to move this information from one database instance to another, you can use the WLP Propagation Tool. The Propagation Tool will work even if the flavors of databases are different (e.g. Pointbase to Oracle).

    Point 2

    Perhaps this will help - WLS/WLP uses an Authentication Provider to authenticate a user. After, the RoleMapper is consulted to derive the list of roles for that authenticated user. The Authentication Provider by default uses a database table to maintain the user list, but you could also use LDAP, AD, or whatever. So hopefully you will not have different user repositories - standardize on one.

    It will be up to your custom role mapper to decide what to do if it is asked for the roles of a user it does not know. Perhaps it should return a default role.
    Further reading:

    http://peterlaird.blogspot.com/2007/09/weblogic-security-configuring-database.html
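One way to implement the custom Role Mapper Brad describes, together with the default-role fallback for unknown users suggested in the last answer. This is an added example, not code from the thread or from Oracle; it assumes the `weblogic.security.spi.RoleMapper` signature as documented for WLS 10.3, a hypothetical table `APP_USER_ROLES`, and a `DataSource` handed in by the enclosing RoleProvider (whose MBean wiring is omitted).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.sql.DataSource;
import weblogic.security.SubjectUtils;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.SecurityRole;
/** Resolves the authenticated user's roles from an external RDBMS table on each call. */
public class DatabaseRoleMapper implements RoleMapper {
    // Hypothetical table APP_USER_ROLES(USERNAME, ROLE_NAME); bound parameter, never concatenation.
    private static final String ROLE_QUERY =
        "SELECT ROLE_NAME FROM APP_USER_ROLES WHERE USERNAME = ?";
    // Role granted to users the external store does not know, as the thread suggests.
    private static final String DEFAULT_ROLE = "ExternalGuest";
    private final DataSource dataSource; // assumed to be supplied by the RoleProvider at initialize()
    public DatabaseRoleMapper(DataSource dataSource) { this.dataSource = dataSource; }
    public Map getRoles(Subject subject, Resource resource, ContextHandler handler) {
        Map roles = new HashMap(); // role name -> SecurityRole, the map shape WLS consumes
        String user = SubjectUtils.getUsername(subject);
        if (user == null) return roles; // no authenticated principal: contribute no roles
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(ROLE_QUERY)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    String n = rs.getString(1); roles.put(n, new DbRole(n));
                }
            }
        } catch (SQLException e) {
            // Fail closed: a store outage yields no roles at all, not even the default.
            System.err.println("DatabaseRoleMapper: lookup failed for " + user + ": " + e);
            return roles;
        }
        // Lookup succeeded but the user is unknown to the external store: default role only.
        if (roles.isEmpty()) roles.put(DEFAULT_ROLE, new DbRole(DEFAULT_ROLE));
        return roles;
    }
    /** Minimal SecurityRole; WLP entitlement policies reference roles by name. */
    private static final class DbRole implements SecurityRole {
        private final String name;
        DbRole(String name) { this.name = name; }
        public String getName() { return name; }
        public String getDescription() { return "Role from external database"; }
    }
}
```

Because this hits the database on every role decision, a real deployment would put a short-lived cache in front of the query to address the per-request cost Mohan asked about.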