Example: Configuring the extended portlet deployment descriptor to disable PortletServingServlet
Portlet URL serving supports direct access to all functions and states of a portlet by creating the appropriate URLs. In a production setup where the portlet is served through an enterprise portal application that applies its own access control, direct URL serving is considered a security risk. By setting the portletServingEnabled property to false, an administrator can ensure that a sensitive portlet is never accessed by direct URL serving.
Extensions for the portlet deployment descriptor are defined within a file called ibm-portlet-ext.xmi. This deployment descriptor is an optional descriptor we can use to configure WebSphere extensions for the portlet application and its portlets. For example, we can disable the PortletServingServlet servlet for the portlet application in the extended portlet deployment descriptor.
The ibm-portlet-ext.xmi extension file is loaded during application startup. If there are no extension files specified with this setting, the default values of the portlet container are used.
The default for the portletServingEnabled attribute is true. The following example shows how to configure the application so that a PortletServingServlet servlet is not created for any portlet in the portlet application.
<?xml version="1.0" encoding="UTF-8"?>
<portletappext:PortletApplicationExtension xmi:version="1.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:portletappext="portletapplicationext.xmi"
    xmlns:portletapplication="portletapplication.xmi"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmi:id="PortletApp_ID_Ext"
    portletServingEnabled="false">
  <portletappext:portletApplication href="WEB-INF/portlet.xml#myPortletApp"/>
</portletappext:PortletApplicationExtension>
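An added example, not part of the original page or of the product's tooling: a Python check that reports the effective portletServingEnabled value for a packaged application, treating a missing ibm-portlet-ext.xmi or a missing attribute as the default of true. The function names, the in-memory sample WAR, the descriptor's WEB-INF location inside that sample, and the rule that only a literal "false" counts as disabled are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTOR = "ibm-portlet-ext.xmi"  # file name taken from the text above

def serving_enabled(xmi_bytes):
    """Effective portletServingEnabled; None means no extension file exists."""
    if xmi_bytes is None:
        return True  # container default applies
    if b"<!DOCTYPE" in xmi_bytes:
        raise ValueError("descriptor carries a DOCTYPE; refusing to parse")
    root = ET.fromstring(xmi_bytes)
    value = root.get("portletServingEnabled")  # unqualified attribute on the root
    # Assumption: only a literal "false" counts as disabled; an absent or
    # unexpected value is reported as enabled so the audit errs towards flagging.
    return not (value is not None and value.strip().lower() == "false")

def audit_war(war_file):
    """Check one WAR (path or file object); returns (descriptor_found, enabled)."""
    with zipfile.ZipFile(war_file) as war:
        names = [n for n in war.namelist() if n.rsplit("/", 1)[-1] == DESCRIPTOR]
        data = war.read(names[0]) if names else None
    return (bool(names), serving_enabled(data))

def build_sample_war(xmi_text=None):
    """Constructed sample input: an in-memory WAR with an optional descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/portlet.xml", "<portlet-app id='myPortletApp'/>")
        if xmi_text is not None:
            war.writestr("WEB-INF/" + DESCRIPTOR, xmi_text)  # assumed location
    buf.seek(0)
    return buf

HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<portletappext:PortletApplicationExtension xmi:version="1.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:portletappext="portletapplicationext.xmi"
    xmi:id="PortletApp_ID_Ext" portletServingEnabled="false">
  <portletappext:portletApplication href="WEB-INF/portlet.xml#myPortletApp"/>
</portletappext:PortletApplicationExtension>"""

if __name__ == "__main__":
    omitted = HARDENED.replace(' portletServingEnabled="false"', "")
    for label, xmi in [("hardened", HARDENED), ("attribute omitted", omitted),
                       ("no descriptor", None)]:
        print(label, audit_war(build_sample_war(xmi)))
```

Any application for which the second element of the result is True still gets a PortletServingServlet and should be reviewed against the portal's access-control expectations.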