We are integrating WCP 220.127.116.11 and SES 18.104.22.168
We have quite a stunning issue here where the search results returned by a WCP Framework application are not secured, i.e. secured contents are returned in the search results for unauthenticated users and for users who have no permission on these contents.
However, the search results are well secured in the standard SES search interface (http://seshost/search/query/).
The main concern is about results coming from WCC.
WCC has its own security (i.e. an unauthorized, but authenticated user in WCP won't have access to WCC content even from the portal), and I also believe that SES crawls it directly.
Could you please elaborate on your observation? Namely, what's your setup, what query under which role you executed, and what unsecured content has been shown? Also, have you tried to have this issue triaged by Oracle support (MetaLink)?
We managed to integrate UCM and WCP with the Document Service taskflows and it works fine, i.e. security is well propagated for the roles we want.
WCC/UCM and WCP authenticate users via WLS which is connected to an AD.
SES has its own identity management system which authenticates users directly to the AD.
We activated the SESCrawler component in WCC/UCM and the SES/UCM crawling process is OK.
We can search for UCM contents in SES without issue and anonymous/unauthenticated search in SES doesn't return results from non-public security groups, which is what we want.
WCP search is connected to SES (which is the default setting), e.g. from adf-config.xml:
<common numSavedSearches="5" />
<usage id="simpleSearchResultUIMetadata" numServiceRows="5" />
<usage id="searchResultUIMetadata" numServiceRows="5" />
<usage id="localToolbarRegion" numServiceRows="5" />
<execution-properties timeoutMs="7000" prepareTimeoutMs="1000" />
<crawl-properties fullCrawlInterval="P5D" enableWcServicesCrawl="true" enableWcDiscussionsCrawl="true" enableWcUcmCrawl="true" />
So the problem is that anonymous/unauthenticated search in WCP does return results from non-public security groups, which is not what we want.
e.g.: access the WCP app (don't log on)
run a search
in the search results, you can see contents which are not assigned to the public security group. However, the WCC/UCM guest role doesn't have any permission on these SGs.
- WebCenter Content uses SES as the search engine and it does not return non-public content for the anonymous user
- WebCenter Portal uses SES as the search engine and WCC as the content repository and returns non-public content for the anonymous user
Could you also confirm that you use SSO? (ideally, via Oracle Access Manager's features)
Just out of curiosity, what happens if you search from the SES Search User Interface as anonymous? (I guess it shouldn't find non-public content - if it does, there's an SES issue)
Could you also verify what RIDC Socket Type is used? (see http://docs.oracle.com/cd/E21764_01/webcenter.1111/e10148/jpsdg_content.htm#BABDJICG ) And if it is socket or socketssl, could you change it to web?
The reasons could be related to the way RIDC works - http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BABDCJAA , namely, "Intradoc: ... This protocol requires a trusted connection between the client and Content Server and will not perform any password validation." compared to "HTTP: .... Unlike Intradoc, this protocol requires authentication credentials for each request. "
This is only a guess - therefore, you should get an official answer asap - but while using the Intradoc protocol the permissions might get messed up somewhere along the way.
-WCC/UCM uses OracleTextSearch as the search engine (SearchIndexerEngineName=ORACLETEXTSEARCH, sceCrawlerRole=sescrawlerrole) and search results in WCC/UCM interface are OK
-WCP Framework uses SES as the search engine and WCC as the content repository and returns non-public content for the anonymous user: yes
-we enabled SSL for WCP and WCC/UCM but we don't have SSO yet (no OAM, no OID)
-We can search for UCM contents in SES interface without issue and anonymous/unauthenticated search in SES doesn't return results from non-public contents, which is what we want.
Connection to UCM is configured via enterprise manager, service configuration of the WCP Framework app.
RIDC Socket Type is set to "socket" with "identity propagation".
We figured out that the results for the unauthenticated searches depend heavily on the permissions of the SES/WCP trusted entity.
So we are trying to create a new trusted entity with less UCM permissions.
In Note ID 1272276.1, it says to grant it the crawl application role. But this doesn't apply to WCP Framework.
We tried to put the new trusted entity in the Administrator WCP Framework app role but it doesn't work: searches for all users are run as anonymous in this case.
So, we'd like to know what the steps are to configure a proper trusted entity between SES and WCP Framework.
We managed to solve the problem with the following:
- new trusted entity with only public permissions on UCM.
- we also had a problem with the fmwconfig/cwallet.sso file, which was not properly updated with the new connection credentials in this cluster environment where the clusters don't share the same filesystem.
Also, I would recommend using only WLST to update the configuration in cluster environments, and restarting WLS afterwards.
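The thread's explanation boils down to one authorization point: when the search connection to the content server does not carry the end user's identity, the repository evaluates permissions for the trusted entity instead, so whatever that service account can read is what an anonymous searcher sees. The following is an added, constructed model of that behaviour written for this thread; it is not Oracle code and does not claim to reproduce how SES, WCP or WCC are implemented internally. Document IDs, security-group names and the two trusted entities are invented sample data.

```python
"""Model of search authorization with and without identity propagation.

Constructed example for this thread (not Oracle/WebCenter code). It shows why an
over-privileged trusted entity leaks non-public content to anonymous searches when
the end user's identity is not propagated, and why a trusted entity with only
public permissions bounds the exposure.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

PUBLIC = "Public"  # the one security group every principal can read


@dataclass(frozen=True)
class Doc:
    doc_id: str
    security_group: str


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]  # security groups this principal may read


# Constructed sample repository content (hypothetical IDs and groups).
CONTENT: List[Doc] = [
    Doc("PRESS_RELEASE_1", PUBLIC),
    Doc("HR_POLICY_7", "HR"),
    Doc("FINANCE_Q3", "Finance"),
]

# Constructed principals: the anonymous/guest user, an authenticated HR user,
# an over-privileged trusted entity, and a least-privilege (public-only) one.
ANONYMOUS = Principal("anonymous", frozenset({PUBLIC}))
HR_USER = Principal("alice", frozenset({PUBLIC, "HR"}))
TRUSTED_ADMIN = Principal("ses_trusted_admin", frozenset({PUBLIC, "HR", "Finance"}))
TRUSTED_PUBLIC = Principal("ses_trusted_public", frozenset({PUBLIC}))


def effective_principal(end_user: Principal, trusted_entity: Principal,
                        identity_propagated: bool) -> Principal:
    """Whose permissions the repository actually evaluates.

    With a pre-trusted connection that performs no per-request credential
    check, a missing propagated identity means the repository only ever
    sees the trusted entity."""
    return end_user if identity_propagated else trusted_entity


def search(end_user: Principal, trusted_entity: Principal,
           identity_propagated: bool, content: Iterable[Doc] = CONTENT) -> List[str]:
    """Return the doc IDs visible to the effective principal, sorted."""
    who = effective_principal(end_user, trusted_entity, identity_propagated)
    return sorted(d.doc_id for d in content if d.security_group in who.groups)


def leaked_non_public(results: Iterable[str], content: Iterable[Doc] = CONTENT) -> List[str]:
    """Post-fix check: which returned doc IDs are outside the public group."""
    by_id = {d.doc_id: d for d in content}
    return sorted(r for r in results if by_id[r].security_group != PUBLIC)


def anonymous_search_is_safe(trusted_entity: Principal, identity_propagated: bool) -> bool:
    """True when an unauthenticated search returns no non-public documents."""
    return not leaked_non_public(search(ANONYMOUS, trusted_entity, identity_propagated))


if __name__ == "__main__":
    # The situation described in the thread: no propagation, privileged entity.
    broken = search(ANONYMOUS, TRUSTED_ADMIN, identity_propagated=False)
    print("anonymous, admin trusted entity, no propagation:", broken,
          "leaked:", leaked_non_public(broken))
    # The fix from the thread: a trusted entity holding only public permissions.
    fixed = search(ANONYMOUS, TRUSTED_PUBLIC, identity_propagated=False)
    print("anonymous, public-only trusted entity:", fixed,
          "leaked:", leaked_non_public(fixed))
    # With identity propagation working, the end user's own groups decide.
    print("HR user, propagated:", search(HR_USER, TRUSTED_PUBLIC, identity_propagated=True))
```

The `leaked_non_public` check is the one worth keeping around after a reconfiguration: run an unauthenticated search against the portal, map the returned IDs back to their security groups, and expect an empty list. Note that in this model, once the trusted entity is public-only and identity is still not propagated, authenticated users also only see public content, which is the symptom reported above when every search ran as anonymous; the least-privilege entity bounds the leak but does not by itself restore per-user results.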