Wednesday, September 21, 2011

How to Disable WebLogic Administrator from WebCenter 11g PS3/PS4 Portal Applications Management

While testing your WebCenter 11g PS3/PS4 application security, don't forget to check how portal application behaves for WebLogic administrator user. Typically we don't want to grant admin access to portal for the same user who is administering WebLogic server. Let's see how it works.

Download sample application, where admin access is disabled for WebLogic administrator - EnterprisePortalApp_v9.zip.

When we generate new WebCenter 11g PS3/PS4 application, JDeveloper constructs default UI template. This template is applied for portal pages. Because application is deployed on WebLogic server, and weblogic admin user is one of the users available in security provider - obviously we can login into our application as weblogic user and authentication will be completed successfully:


What about authorization? It seems like by default WebLogic administrator is granted portal admin access as well - Administration link is visible:


It depends on requirements, but in most of the cases we don't want to grant portal admin access to WebLogic administrator. How to disable it?

First place to look - generated UI template. As we can see, showAdmin template attribute by default is enabled to all authenticated users. There is no much logic here, why all authenticated users should see portal Administration link:


We can fix it, by changing showAdmin value to check against Administrator role from ADF Security. Only portal administrators will be able to see Administration link:


We test again, still get same result - WebLogic administrator is able to access Administration link:


Seems like ADF Security role - Administrator is mapped with admin group from WebLogic. We can double check ADF Security configuration - Administrator role is mapped with our custom PortalManager group:


In turn, PortalManager group is assigned for redsam and scott users only, there is no WebLogic admin here:


Ah, here is a trick. Its not visible through wizard and is hidden, you should open Source Code view for ADF Security definition. Only in Source Code view we can see, that ADF Security role "Administrator" is mapped with WebLogic admin group called - "Administrators". We can remove this mapping:


WebLogic administrator will not be able anymore to perform portal application administration - link for Administration resources becomes disabled as well:


Try to login with real portal administrator - redsam user:


Redsam user is granted with ADF Security role - Administrator, access to administration resources is granted:


9 comments:

Maiko Rocha said...

Great post! Now we need to educate everyone not to use weblogic as a test user too for their UATs!! =-}

Andrej Baranovskij said...

Or opposite - to use weblogic and see if it can't do administration :)))

Andrejus

Anonymous said...

Hi Andrejus,
Greatly value your posts.
I have a custom WebCenter application that have skin styles and connect to UCM. I can't find a way to activate the Adminstration link which I see if I created a WebCenter using the new Portal template. I am using 11.1.1.5 but without a template.

Thanks

Andrej Baranovskij said...

Hi,

You can just copy Administration link from auto generated template into yours.

Andrejus

Victor said...

Was hoping it was that simple.
1. I had added ADF security to the WebCenter application that I had initially created in Jdev 11.1.1.3 but now running in 11.1.1.5
3. I can access user Connection Profile in the application and UCM contents fine.
3. Used as a link:

4. Logged in as weblogic or other users defined in the WLS Ldap but got:
Error 404--Not Found

Thanks for your assistance.
Victor

victor said...

The left tag seems prevented the link from being included, here it is:
af:goLink text="Administration" id="gl3"
destination="/admin"
/>

Andrej Baranovskij said...

May be this post will help you regarding security: http://andrejusb.blogspot.com/2011/05/oracle-webcenter-11g-ps3-adf-security.html

Andrejus

Anonymous said...

Hi
Your comments was really helpful.
Does any any one has a idea of how to achieve the same link visible for more than one role.

Thanks
Amar

Andrej Baranovskij said...

You can get roles through ADF Security and set logic with Expression Language.

Andrejus