Portlet Factory, Version 6.1.2


 

Security example – J2EE

The following example illustrates security implemented for an IBM® WebSphere Portlet Factory web application composed of several WebApp models. For this example, it is assumed that we have a model-based web application with a fairly simple division of public and protected models, organized in the following directory structure:

.../WEB-INF/models/MyPortal/public/...{entryPage.model, contactUS.model}

.../WEB-INF/models/MyPortal/protected/portalUserPreferences.model

.../WEB-INF/models/MyPortal/Admin/portalAdmin.model

.../viewLogs.model

Here is how the structure works:

Public models

All users should be able to see this portal entry model/page: it introduces users to the site and lets them log in for access to the protected portions of the portal (for example, to set or update user preferences). For these models you need do nothing; access is allowed.

Protected models

You want to make sure the requestor is authenticated (logged in) first and that they are a member of the PortalUsers J2EE role. The web.xml fragments below show how to construct a J2EE security constraint for such protection. Likewise, to access the administrative model-based tools, the requestor must also be a member of the PortalAdmins J2EE role.
<security-constraint id="SecurityConstraint_1">
  <web-resource-collection id="WebResourceCollection_1">
    <web-resource-name>myProtectedPortal</web-resource-name>
    <url-pattern>/webengine/MyPortal/protectedModels/*</url-pattern>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_1">
    <role-name>PortalUsers</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint id="SecurityConstraint_2">
  <web-resource-collection id="WebResourceCollection_2">
    <web-resource-name>myPortalAdminModels</web-resource-name>
    <url-pattern>/webengine/MyPortal/Admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint id="AuthConstraint_2">
    <role-name>PortalAdmins</role-name>
  </auth-constraint>
</security-constraint>

Note: If your servlet name and/or mappings are different, the above URL patterns would need to be changed accordingly.
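The two fragments above are only the `<security-constraint>` elements; a container will not enforce them until the roles they name are declared and a login method is configured. The deployment descriptor below is an added example, not from the original topic, that shows the constraints in that fuller context. It assumes the Portlet Factory WebEngine servlet is already mapped to `/webengine/*` elsewhere in the descriptor; the `<security-role>` descriptions, the HTTPS requirement, the realm name `MyPortalRealm` and the login pages `/login.html` and `/loginError.html` are assumptions for a typical deployment, not values from this topic.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original topic. Assumes the WebEngine
     servlet is mapped to /webengine/* elsewhere in this descriptor; realm
     name, login pages and the HTTPS requirement are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Public models under /webengine/MyPortal/public/* carry no
       constraint, so the container serves them to anonymous users. -->

  <!-- Constraint 1: authenticated members of PortalUsers only. -->
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection id="WebResourceCollection_1">
      <web-resource-name>myProtectedPortal</web-resource-name>
      <url-pattern>/webengine/MyPortal/protectedModels/*</url-pattern>
      <!-- No <http-method> elements: the constraint applies to every
           HTTP method. Listing only GET and POST would leave the other
           methods on these URLs unconstrained. -->
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <role-name>PortalUsers</role-name>
    </auth-constraint>
    <!-- Assumption: require HTTPS so credentials and the session cookie
         are never sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: administrative models, members of PortalAdmins only. -->
  <security-constraint id="SecurityConstraint_2">
    <web-resource-collection id="WebResourceCollection_2">
      <web-resource-name>myPortalAdminModels</web-resource-name>
      <url-pattern>/webengine/MyPortal/Admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_2">
      <role-name>PortalAdmins</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Every role named in an <auth-constraint> must be declared here.
       These are logical roles; the deployer maps them to real users or
       groups in the application server. -->
  <security-role>
    <description>Authenticated end users of MyPortal (assumed)</description>
    <role-name>PortalUsers</role-name>
  </security-role>
  <security-role>
    <description>Administrators of MyPortal (assumed)</description>
    <role-name>PortalAdmins</role-name>
  </security-role>

  <!-- Assumption: form-based login. The two pages are placeholders and
       must themselves be reachable without authentication, i.e. they
       must not sit under a constrained url-pattern. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyPortalRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Two details are worth checking when adapting this. First, a `<role-name>` inside an `<auth-constraint>` must match a declared `<security-role>` character for character; a mismatch such as `PortalAdmin` against `PortalAdmins` is not flagged by every container and leaves the resource with a role nobody holds. Second, `<url-pattern>` is matched against the request path, not the file system, so it must name the path segment under which the protected models are actually served; if the models live under a directory called `protected` but requests arrive under `protectedModels` (or the reverse), the constraint covers nothing, which is the point of the note above about servlet names and mappings.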
